From 1d994713551ffaa8dbc8027fb29bb97c9bb48597 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Fri, 26 Jul 2019 10:15:58 -1000 Subject: [PATCH] Improve encapsulation of key material during TLS 1.3 key schedule. --- Cargo.toml | 2 +- src/cipher.rs | 14 +++---- src/client/hs.rs | 9 ++--- src/client/tls13.rs | 91 +++++++++++++++++++++++--------------------- src/key_schedule.rs | 65 +++++++++++++++++--------------- src/quic.rs | 31 ++++++++------- src/server/tls13.rs | 92 +++++++++++++++++++++++---------------------- src/session.rs | 10 ++--- tests/api.rs | 4 +- 9 files changed, 165 insertions(+), 153 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index 9bedec46..7d4b917a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -13,7 +13,7 @@ categories = ["network-programming", "cryptography"] [dependencies] base64 = "0.10" log = { version = "0.4.4", optional = true } -ring = "0.16.4" +ring = "0.16.5" sct = "0.6.0" webpki = "0.21.0" diff --git a/src/cipher.rs b/src/cipher.rs index e9879e4b..74d76bb1 100644 --- a/src/cipher.rs +++ b/src/cipher.rs @@ -122,19 +122,17 @@ pub fn new_tls12(scs: &'static SupportedCipherSuite, } pub fn new_tls13_read(scs: &'static SupportedCipherSuite, - secret: &[u8]) -> Box { - let secret = hkdf::Prk::new_less_safe(scs.hkdf_algorithm, secret); - let key = derive_traffic_key(&secret, scs.get_aead_alg()); - let iv = derive_traffic_iv(&secret); + secret: &hkdf::Prk) -> Box { + let key = derive_traffic_key(secret, scs.get_aead_alg()); + let iv = derive_traffic_iv(secret); Box::new(TLS13MessageDecrypter::new(key, iv)) } pub fn new_tls13_write(scs: &'static SupportedCipherSuite, - secret: &[u8]) -> Box { - let secret = hkdf::Prk::new_less_safe(scs.hkdf_algorithm, secret); - let key = derive_traffic_key(&secret, scs.get_aead_alg()); - let iv = derive_traffic_iv(&secret); + secret: &hkdf::Prk) -> Box { + let key = derive_traffic_key(secret, scs.get_aead_alg()); + let iv = derive_traffic_iv(secret); Box::new(TLS13MessageEncrypter::new(key, iv)) } diff --git a/src/client/hs.rs b/src/client/hs.rs index 28429c9f..b60fe358 100644 --- a/src/client/hs.rs +++ b/src/client/hs.rs @@ -330,15 +330,14 @@ fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl, let client_hello_hash = handshake.transcript.get_hash_given(resuming_suite.get_hash(), &[]); let client_early_traffic_secret = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash); + .derive_logged_secret(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash, + &*sess.config.key_log, + sess.common.protocol.labels().client_early_traffic_secret, + &handshake.randoms.client); // Set early data encryption key sess.common .set_message_encrypter(cipher::new_tls13_write(resuming_suite, &client_early_traffic_secret)); - sess.config.key_log.log(sess.common.protocol.labels().client_early_traffic_secret, - &handshake.randoms.client, - &client_early_traffic_secret); - #[cfg(feature = "quic")] { sess.common.quic.early_secret = Some(client_early_traffic_secret); diff --git a/src/client/tls13.rs b/src/client/tls13.rs index 0e2aefdd..49330bee 100644 --- a/src/client/tls13.rs +++ b/src/client/tls13.rs @@ -211,31 +211,32 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl, if !sess.early_data.is_enabled() { // Set the client encryption key for handshakes if early data is not used let write_key = sess.common.get_key_schedule() - .derive_bytes(SecretKind::ClientHandshakeTrafficSecret, - &handshake.hash_at_client_recvd_server_hello); + .derive_logged_secret(SecretKind::ClientHandshakeTrafficSecret, + &handshake.hash_at_client_recvd_server_hello, + &*sess.config.key_log, + sess.common.protocol.labels().client_handshake_traffic_secret, + &handshake.randoms.client); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); - sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret, - &handshake.randoms.client, - &write_key); - sess.common.get_mut_key_schedule().current_client_traffic_secret = write_key; + sess.common.get_mut_key_schedule().current_client_traffic_secret = Some(write_key); } let read_key = sess.common.get_key_schedule() - .derive_bytes(SecretKind::ServerHandshakeTrafficSecret, - &handshake.hash_at_client_recvd_server_hello); + .derive_logged_secret(SecretKind::ServerHandshakeTrafficSecret, + &handshake.hash_at_client_recvd_server_hello, + &*sess.config.key_log, + sess.common.protocol.labels().server_handshake_traffic_secret, + &handshake.randoms.client); sess.common.set_message_decrypter(cipher::new_tls13_read(suite, &read_key)); - sess.config.key_log.log(sess.common.protocol.labels().server_handshake_traffic_secret, - &handshake.randoms.client, - &read_key); - sess.common.get_mut_key_schedule().current_server_traffic_secret = read_key; + sess.common.get_mut_key_schedule().current_server_traffic_secret = Some(read_key); #[cfg(feature = "quic")] { let key_schedule = sess.common.key_schedule.as_ref().unwrap(); let client = if sess.early_data.is_enabled() { // Traffic secret wasn't computed and stored above, so do it here. - sess.common.get_key_schedule() - .derive_bytes(SecretKind::ClientHandshakeTrafficSecret, - &handshake.hash_at_client_recvd_server_hello) + Some(sess.common.get_key_schedule().derive( + sess.common.get_key_schedule().algorithm(), + SecretKind::ClientHandshakeTrafficSecret, + &handshake.hash_at_client_recvd_server_hello)) } else { key_schedule.current_client_traffic_secret.clone() }; @@ -400,14 +401,15 @@ impl hs::State for ExpectEncryptedExtensions { // If no early traffic, set the encryption key for handshakes let suite = sess.common.get_suite_assert(); let write_key = sess.common.get_key_schedule() - .derive_bytes(SecretKind::ClientHandshakeTrafficSecret, - &self.handshake.hash_at_client_recvd_server_hello); + .derive_logged_secret( + SecretKind::ClientHandshakeTrafficSecret, + &self.handshake.hash_at_client_recvd_server_hello, + &*sess.config.key_log, + sess.common.protocol.labels().client_handshake_traffic_secret, + &self.handshake.randoms.client); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); - sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret, - &self.handshake.randoms.client, - &write_key); sess.common.get_mut_key_schedule() - .current_client_traffic_secret = write_key; + .current_client_traffic_secret = Some(write_key); } let certv = verify::ServerCertVerified::assertion(); let sigv = verify::HandshakeSignatureValid::assertion(); @@ -827,8 +829,12 @@ impl hs::State for ExpectFinished { /* Derive the client-to-server encryption key before key schedule update */ let key = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ClientHandshakeTrafficSecret, - &st.handshake.hash_at_client_recvd_server_hello); + .derive_logged_secret( + SecretKind::ClientHandshakeTrafficSecret, + &st.handshake.hash_at_client_recvd_server_hello, + &*sess.config.key_log, + sess.common.protocol.labels().client_handshake_traffic_secret, + &st.handshake.randoms.client); Some(key) } else { None @@ -843,24 +849,27 @@ impl hs::State for ExpectFinished { let handshake_hash = st.handshake.transcript.get_current_hash(); let read_key = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ServerApplicationTrafficSecret, &handshake_hash); - sess.config.key_log.log(sess.common.protocol.labels().server_traffic_secret_0, - &st.handshake.randoms.client, - &read_key); + .derive_logged_secret( + SecretKind::ServerApplicationTrafficSecret, + &handshake_hash, + &*sess.config.key_log, + sess.common.protocol.labels().server_traffic_secret_0, + &st.handshake.randoms.client); sess.common.set_message_decrypter(cipher::new_tls13_read(suite, &read_key)); sess.common .get_mut_key_schedule() - .current_server_traffic_secret = read_key; + .current_server_traffic_secret = Some(read_key); let exporter_secret = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ExporterMasterSecret, &handshake_hash); - sess.config.key_log.log(sess.common.protocol.labels().exporter_secret, - &st.handshake.randoms.client, - &exporter_secret); + .derive_logged_secret(SecretKind::ExporterMasterSecret, + &handshake_hash, + &*sess.config.key_log, + sess.common.protocol.labels().exporter_secret, + &st.handshake.randoms.client); sess.common .get_mut_key_schedule() - .current_exporter_secret = exporter_secret; + .current_exporter_secret = Some(exporter_secret); /* The EndOfEarlyData message to server is still encrypted with early data keys, * but appears in the transcript after the server Finished. */ @@ -869,10 +878,7 @@ impl hs::State for ExpectFinished { sess.common.early_traffic = false; sess.early_data.finished(); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); - sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret, - &st.handshake.randoms.client, - &write_key); - sess.common.get_mut_key_schedule().current_client_traffic_secret = write_key; + sess.common.get_mut_key_schedule().current_client_traffic_secret = Some(write_key); } /* Send our authentication/finished messages. These are still encrypted @@ -892,14 +898,15 @@ impl hs::State for ExpectFinished { hs::check_aligned_handshake(sess)?; let write_key = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ClientApplicationTrafficSecret, &handshake_hash); - sess.config.key_log.log(sess.common.protocol.labels().client_traffic_secret_0, - &st.handshake.randoms.client, - &write_key); + .derive_logged_secret(SecretKind::ClientApplicationTrafficSecret, + &handshake_hash, + &*sess.config.key_log, + sess.common.protocol.labels().client_traffic_secret_0, + &st.handshake.randoms.client); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); sess.common .get_mut_key_schedule() - .current_client_traffic_secret = write_key; + .current_client_traffic_secret = Some(write_key); sess.common.we_now_encrypting(); sess.common.start_traffic(); diff --git a/src/key_schedule.rs b/src/key_schedule.rs index 4924f3c7..6b314994 100644 --- a/src/key_schedule.rs +++ b/src/key_schedule.rs @@ -4,6 +4,7 @@ use ring::{aead, hkdf::{self, KeyType as _}, hmac, digest}; use crate::error::TLSError; use crate::cipher::{Iv, IvLen}; use crate::msgs::base::PayloadU8; +use crate::KeyLog; /// The kinds of secret we can extract from `KeySchedule`. #[derive(Debug, Clone, Copy, PartialEq)] @@ -41,9 +42,9 @@ impl SecretKind { pub struct KeySchedule { current: hkdf::Prk, algorithm: ring::hkdf::Algorithm, - pub current_client_traffic_secret: Vec, - pub current_server_traffic_secret: Vec, - pub current_exporter_secret: Vec, + pub current_client_traffic_secret: Option, + pub current_server_traffic_secret: Option, + pub current_exporter_secret: Option, } impl KeySchedule { @@ -54,9 +55,9 @@ impl KeySchedule { KeySchedule { current: salt.extract(secret), algorithm, - current_server_traffic_secret: Vec::new(), - current_client_traffic_secret: Vec::new(), - current_exporter_secret: Vec::new(), + current_server_traffic_secret: None, + current_client_traffic_secret: None, + current_exporter_secret: None, } } @@ -89,10 +90,14 @@ impl KeySchedule { hkdf_expand(&self.current, key_type, kind.to_bytes(), hs_hash) } - pub fn derive_bytes(&self, kind: SecretKind, hs_hash: &[u8]) -> Vec { - let payload: PayloadU8 = - self.derive(PayloadU8Len(self.algorithm.len()), kind, hs_hash); - payload.into_inner() + pub fn derive_logged_secret(&self, kind: SecretKind, hs_hash: &[u8], + key_log: &dyn KeyLog, log_label: &str, client_random: &[u8; 32]) + -> hkdf::Prk + { + let secret = self.derive::(PayloadU8Len(self.algorithm.len()), kind, hs_hash) + .into_inner(); + key_log.log(log_label, client_random, &secret); + hkdf::Prk::new_less_safe(self.algorithm, &secret) } /// Derive a secret of given `kind` using the hash of the empty string @@ -109,13 +114,15 @@ impl KeySchedule { } /// Return the current traffic secret, of given `kind`. - fn current_traffic_secret(&self, kind: SecretKind) -> &[u8] { + fn current_traffic_secret(&self, kind: SecretKind) -> &hkdf::Prk { match kind { SecretKind::ServerHandshakeTrafficSecret | - SecretKind::ServerApplicationTrafficSecret => &self.current_server_traffic_secret, + SecretKind::ServerApplicationTrafficSecret => + &self.current_server_traffic_secret.as_ref().unwrap(), SecretKind::ClientEarlyTrafficSecret | SecretKind::ClientHandshakeTrafficSecret | - SecretKind::ClientApplicationTrafficSecret => &self.current_client_traffic_secret, + SecretKind::ClientApplicationTrafficSecret => + &self.current_client_traffic_secret.as_ref().unwrap(), _ => unreachable!(), } } @@ -124,8 +131,7 @@ impl KeySchedule { /// traffic secret. pub fn sign_finish(&self, kind: SecretKind, hs_hash: &[u8]) -> Vec { let base_key = self.current_traffic_secret(kind); - let base_key = hkdf::Prk::new_less_safe(self.algorithm, base_key); - self.sign_verify_data(&base_key, hs_hash) + self.sign_verify_data(base_key, hs_hash) } /// Sign the finished message consisting of `hs_hash` using the key material @@ -140,12 +146,9 @@ impl KeySchedule { /// Derive the next application traffic secret of given `kind`, returning /// it. - pub fn derive_next(&self, kind: SecretKind) -> Vec { + pub fn derive_next(&self, kind: SecretKind) -> hkdf::Prk { let base_key = self.current_traffic_secret(kind); - let base_key = hkdf::Prk::new_less_safe(self.algorithm, &base_key); - let payload: PayloadU8 = - hkdf_expand(&base_key, PayloadU8Len(self.algorithm.len()), b"traffic upd", &[]); - payload.into_inner() + hkdf_expand(&base_key, self.algorithm, b"traffic upd", &[]) } /// Derive the PSK to use given a resumption_master_secret and @@ -158,17 +161,13 @@ impl KeySchedule { pub fn export_keying_material(&self, out: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError> { - if self.current_exporter_secret.is_empty() { - return Err(TLSError::HandshakeNotComplete); - } - + let current_exporter_secret = + self.current_exporter_secret.as_ref().ok_or(TLSError::HandshakeNotComplete)?; let digest_alg = self.algorithm.hmac_algorithm().digest_algorithm(); let h_empty = digest::digest(digest_alg, &[]); - let current_exporter_secret = - hkdf::Prk::new_less_safe(self.algorithm, &self.current_exporter_secret); let secret: hkdf::Prk = - hkdf_expand(¤t_exporter_secret, self.algorithm, label, h_empty.as_ref()); + hkdf_expand(current_exporter_secret, self.algorithm, label, h_empty.as_ref()); let h_context = digest::digest(digest_alg, context.unwrap_or(&[])); @@ -232,6 +231,7 @@ pub(crate) fn derive_traffic_iv(secret: &hkdf::Prk) -> Iv { mod test { use super::{KeySchedule, SecretKind, derive_traffic_key, derive_traffic_iv}; use ring::{aead, hkdf}; + use crate::KeyLog; #[test] fn test_vectors() { @@ -361,9 +361,14 @@ mod test { expected_key: &[u8], expected_iv: &[u8], ) { - let traffic_secret = ks.derive_bytes(kind, &hash); - assert_eq!(expected_traffic_secret, &traffic_secret[..]); - let traffic_secret = hkdf::Prk::new_less_safe(ks.algorithm(), &traffic_secret); + struct Log<'a>(&'a [u8]); + impl KeyLog for Log<'_> { + fn log(&self, _label: &str, _client_random: &[u8], secret: &[u8]) { + assert_eq!(self.0, secret); + } + } + let log = Log(expected_traffic_secret); + let traffic_secret = ks.derive_logged_secret(kind, &hash, &log, "", &[0; 32]); // Since we can't test key equality, we test the output of sealing with the key instead. let aead_alg = &aead::AES_128_GCM; diff --git a/src/quic.rs b/src/quic.rs index 2912f9d1..2a5ae9b2 100644 --- a/src/quic.rs +++ b/src/quic.rs @@ -9,17 +9,16 @@ use crate::key_schedule; use crate::session::{SessionCommon, Protocol}; use std::sync::Arc; -use ring::hkdf::{self, KeyType as _}; +use ring::hkdf; use webpki; -use crate::msgs::base::PayloadU8; /// Secrets used to encrypt/decrypt traffic -#[derive(Debug, Clone, Eq, PartialEq)] +#[derive(Clone, Debug)] pub struct Secrets { /// Secret used to encrypt packets transmitted by the client - pub client: Vec, + pub client: Option, /// Secret used to encrypt packets transmitted by the server - pub server: Vec, + pub server: Option, } /// Generic methods for QUIC sessions @@ -28,7 +27,7 @@ pub trait QuicExt { fn get_quic_transport_parameters(&self) -> Option<&[u8]>; /// Return the early traffic secret, used to encrypt 0-RTT data. - fn get_early_secret(&self) -> Option<&[u8]>; + fn get_early_secret(&self) -> Option<&hkdf::Prk>; /// Consume unencrypted TLS handshake data. /// @@ -55,8 +54,8 @@ impl QuicExt for ClientSession { self.imp.common.quic.params.as_ref().map(|v| v.as_ref()) } - fn get_early_secret(&self) -> Option<&[u8]> { - self.imp.common.quic.early_secret.as_ref().map(|x| &x[..]) + fn get_early_secret(&self) -> Option<&hkdf::Prk> { + self.imp.common.quic.early_secret.as_ref() } fn read_hs(&mut self, plaintext: &[u8]) -> Result<(), TLSError> { @@ -75,8 +74,8 @@ impl QuicExt for ServerSession { self.imp.common.quic.params.as_ref().map(|v| v.as_ref()) } - fn get_early_secret(&self) -> Option<&[u8]> { - self.imp.common.quic.early_secret.as_ref().map(|x| &x[..]) + fn get_early_secret(&self) -> Option<&hkdf::Prk> { + self.imp.common.quic.early_secret.as_ref() } fn read_hs(&mut self, plaintext: &[u8]) -> Result<(), TLSError> { @@ -126,20 +125,20 @@ fn write_hs(this: &mut SessionCommon, buf: &mut Vec) -> Option { fn update_secrets(this: &SessionCommon, client: &[u8], server: &[u8]) -> Secrets { let hkdf_alg= this.get_suite_assert().hkdf_algorithm; - let client: PayloadU8 = key_schedule::hkdf_expand( + let client = key_schedule::hkdf_expand( &hkdf::Prk::new_less_safe(hkdf_alg, client), - key_schedule::PayloadU8Len(hkdf_alg.len()), + hkdf_alg, b"traffic upd", &[]); - let server: PayloadU8 = key_schedule::hkdf_expand( + let server = key_schedule::hkdf_expand( &hkdf::Prk::new_less_safe(hkdf_alg, server), - key_schedule::PayloadU8Len(hkdf_alg.len()), + hkdf_alg, b"traffic upd", &[]); Secrets { - client: client.into_inner(), - server: server.into_inner(), + client: Some(client), + server: Some(server), } } diff --git a/src/server/tls13.rs b/src/server/tls13.rs index cce4dca7..1c1aaa99 100644 --- a/src/server/tls13.rs +++ b/src/server/tls13.rs @@ -160,10 +160,12 @@ impl CompleteClientHelloHandling { #[cfg(feature = "quic")] { if sess.common.protocol == Protocol::Quic { let client_early_traffic_secret = key_schedule - .derive_bytes(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash); - sess.config.key_log.log(sess.common.protocol.labels().client_early_traffic_secret, - &self.handshake.randoms.client, - &client_early_traffic_secret); + .derive_logged_secret( + SecretKind::ClientEarlyTrafficSecret, + &client_hello_hash, + &*sess.config.key_log, + sess.common.protocol.labels().client_early_traffic_secret, + &self.handshake.randoms.client); // If 0-RTT should be rejected, this will be clobbered by ExtensionProcessing // before the application can see. sess.common.quic.early_secret = Some(client_early_traffic_secret); @@ -175,26 +177,31 @@ impl CompleteClientHelloHandling { key_schedule.input_secret(&kxr.premaster_secret); let handshake_hash = self.handshake.transcript.get_current_hash(); - let write_key = key_schedule.derive_bytes(SecretKind::ServerHandshakeTrafficSecret, &handshake_hash); - let read_key = key_schedule.derive_bytes(SecretKind::ClientHandshakeTrafficSecret, &handshake_hash); + let write_key = key_schedule.derive_logged_secret( + SecretKind::ServerHandshakeTrafficSecret, + &handshake_hash, + &*sess.config.key_log, + sess.common.protocol.labels().server_handshake_traffic_secret, + &self.handshake.randoms.client); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); + + let read_key = key_schedule.derive_logged_secret( + SecretKind::ClientHandshakeTrafficSecret, + &handshake_hash, + &*sess.config.key_log, + sess.common.protocol.labels().client_handshake_traffic_secret, + &self.handshake.randoms.client); sess.common.set_message_decrypter(cipher::new_tls13_read(suite, &read_key)); - sess.config.key_log.log(sess.common.protocol.labels().server_handshake_traffic_secret, - &self.handshake.randoms.client, - &write_key); - sess.config.key_log.log(sess.common.protocol.labels().client_handshake_traffic_secret, - &self.handshake.randoms.client, - &read_key); #[cfg(feature = "quic")] { sess.common.quic.hs_secrets = Some(quic::Secrets { - client: read_key.clone(), - server: write_key.clone(), + client: Some(write_key.clone()), + server: Some(read_key.clone()), }); } - key_schedule.current_client_traffic_secret = read_key; - key_schedule.current_server_traffic_secret = write_key; + key_schedule.current_client_traffic_secret = Some(read_key); + key_schedule.current_server_traffic_secret = Some(write_key); sess.common.set_key_schedule(key_schedule); Ok(()) @@ -406,40 +413,37 @@ impl CompleteClientHelloHandling { sess.common.get_mut_key_schedule().input_empty(); let write_key = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ServerApplicationTrafficSecret, - &self.handshake.hash_at_server_fin); + .derive_logged_secret(SecretKind::ServerApplicationTrafficSecret, + &self.handshake.hash_at_server_fin, + &*sess.config.key_log, + sess.common.protocol.labels().server_traffic_secret_0, + &self.handshake.randoms.client); let suite = sess.common.get_suite_assert(); sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); - sess.config.key_log.log(sess.common.protocol.labels().server_traffic_secret_0, - &self.handshake.randoms.client, - &write_key); #[cfg(feature = "quic")] { - let read_key = sess.common - .get_key_schedule() - .derive_bytes(SecretKind::ClientApplicationTrafficSecret, - &self.handshake.hash_at_server_fin); + let read_key = sess.common.get_key_schedule() + .derive(sess.common.get_key_schedule().algorithm(), + SecretKind::ClientApplicationTrafficSecret, + &self.handshake.hash_at_server_fin); sess.common.quic.traffic_secrets = Some(quic::Secrets { - client: read_key, - server: write_key.clone(), + client: Some(read_key), + server: Some(write_key.clone()), }); } - sess.common - .get_mut_key_schedule() - .current_server_traffic_secret = write_key; - - + sess.common.get_mut_key_schedule() + .current_server_traffic_secret = Some(write_key); let exporter_secret = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ExporterMasterSecret, - &self.handshake.hash_at_server_fin); - sess.config.key_log.log(sess.common.protocol.labels().exporter_secret, - &self.handshake.randoms.client, - &exporter_secret); + .derive_logged_secret(SecretKind::ExporterMasterSecret, + &self.handshake.hash_at_server_fin, + &*sess.config.key_log, + sess.common.protocol.labels().exporter_secret, + &self.handshake.randoms.client); sess.common .get_mut_key_schedule() - .current_exporter_secret = exporter_secret; + .current_exporter_secret = Some(exporter_secret); } fn attempt_tls13_ticket_decryption(&mut self, @@ -842,18 +846,18 @@ impl hs::State for ExpectFinished { // Server traffic is already done. let read_key = sess.common .get_key_schedule() - .derive_bytes(SecretKind::ClientApplicationTrafficSecret, - &self.handshake.hash_at_server_fin); - sess.config.key_log.log(sess.common.protocol.labels().client_traffic_secret_0, - &self.handshake.randoms.client, - &read_key); + .derive_logged_secret(SecretKind::ClientApplicationTrafficSecret, + &self.handshake.hash_at_server_fin, + &*sess.config.key_log, + sess.common.protocol.labels().client_traffic_secret_0, + &self.handshake.randoms.client); let suite = sess.common.get_suite_assert(); hs::check_aligned_handshake(sess)?; sess.common.set_message_decrypter(cipher::new_tls13_read(suite, &read_key)); sess.common .get_mut_key_schedule() - .current_client_traffic_secret = read_key; + .current_client_traffic_secret = Some(read_key); if self.send_ticket { if sess.config.ticketer.enabled() { diff --git a/src/session.rs b/src/session.rs index e904adce..1e1bbe58 100644 --- a/src/session.rs +++ b/src/session.rs @@ -628,9 +628,9 @@ impl SessionCommon { self.set_message_encrypter(cipher::new_tls13_write(scs, &write_key)); if self.is_client { - self.get_mut_key_schedule().current_client_traffic_secret = write_key; + self.get_mut_key_schedule().current_client_traffic_secret = Some(write_key); } else { - self.get_mut_key_schedule().current_server_traffic_secret = write_key; + self.get_mut_key_schedule().current_server_traffic_secret = Some(write_key); } } @@ -898,9 +898,9 @@ impl SessionCommon { self.set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key)); if read_kind == SecretKind::ServerApplicationTrafficSecret { - self.get_mut_key_schedule().current_server_traffic_secret = new_read_key; + self.get_mut_key_schedule().current_server_traffic_secret = Some(new_read_key); } else { - self.get_mut_key_schedule().current_client_traffic_secret = new_read_key; + self.get_mut_key_schedule().current_client_traffic_secret = Some(new_read_key); } Ok(()) @@ -941,7 +941,7 @@ pub(crate) struct Quic { pub params: Option>, pub alert: Option, pub hs_queue: VecDeque<(bool, Vec)>, - pub early_secret: Option>, + pub early_secret: Option, pub hs_secrets: Option, pub traffic_secrets: Option, } diff --git a/tests/api.rs b/tests/api.rs index a703cd9c..2c484428 100644 --- a/tests/api.rs +++ b/tests/api.rs @@ -1952,6 +1952,6 @@ fn assert_lt(left: usize, right: usize) { #[test] fn session_types_are_not_huge() { // Arbitrary sizes - assert_lt(mem::size_of::(), 1536); - assert_lt(mem::size_of::(), 1536); + assert_lt(mem::size_of::(), 2300); + assert_lt(mem::size_of::(), 2300); }