};
static char *hkdf_labels[] = {
- "tls13 ext binder",
- "tls13 res binder",
- "tls13 c e traffic",
- "tls13 e exp master",
- "tls13 c hs traffic",
- "tls13 s hs traffic",
- "tls13 c ap traffic",
- "tls13 s ap traffic",
- "tls13 exp master",
- "tls13 res master",
+ "ext binder",
+ "res binder",
+ "c e traffic",
+ "e exp master",
+ "c hs traffic",
+ "s hs traffic",
+ "c ap traffic",
+ "s ap traffic",
+ "exp master",
+ "res master",
};
/**
{
bool success;
- if (label.len < 7 || label.len > 255 || context.len > 255)
+ if (!label.len || label.len > 249 || context.len > 255)
{
return FALSE;
}
/* HKDFLabel as defined in RFC 8446, section 7.1 */
bio_writer_t *writer = bio_writer_create(0);
writer->write_uint16(writer, length);
+ label = chunk_cata("cc", chunk_from_str("tls13 "), label);
writer->write_data8(writer, label);
writer->write_data8(writer, context);
*/
static bool move_to_phase_2(private_tls_hkdf_t *this)
{
- chunk_t derived, okm;
+ chunk_t okm;
switch (this->phase)
{
}
/* fall-through */
case HKDF_PHASE_1:
- derived = chunk_from_str("tls13 derived");
- if (!derive_secret(this, this->prk, derived, chunk_empty, &okm))
+ if (!derive_secret(this, this->prk, chunk_from_str("derived"),
+ chunk_empty, &okm))
{
DBG1(DBG_TLS, "unable to derive secret");
return FALSE;
*/
static bool move_to_phase_3(private_tls_hkdf_t *this)
{
- chunk_t derived, okm, ikm_zero;
+ chunk_t okm, ikm_zero;
switch (this->phase)
{
/* fall-through */
case HKDF_PHASE_2:
/* prepare okm for next extract */
- derived = chunk_from_str("tls13 derived");
- if (!derive_secret(this, this->prk, derived, chunk_empty, &okm))
+ if (!derive_secret(this, this->prk, chunk_from_str("derived"),
+ chunk_empty, &okm))
{
DBG1(DBG_TLS, "unable to derive secret");
return FALSE;
previous = this->server_traffic_secret;
}
- if (!expand_label(this, previous, chunk_from_str("tls13 traffic upd"),
+ if (!expand_label(this, previous, chunk_from_str("traffic upd"),
chunk_empty, this->hasher->get_hash_size(this->hasher),
&okm))
{
METHOD(tls_hkdf_t, derive_key, bool,
private_tls_hkdf_t *this, bool is_server, size_t length, chunk_t *key)
{
- return get_shared_label_keys(this, chunk_from_str("tls13 key"), is_server,
+ return get_shared_label_keys(this, chunk_from_str("key"), is_server,
length, key);
}
METHOD(tls_hkdf_t, derive_iv, bool,
private_tls_hkdf_t *this, bool is_server, size_t length, chunk_t *iv)
{
- return get_shared_label_keys(this, chunk_from_str("tls13 iv"), is_server,
+ return get_shared_label_keys(this, chunk_from_str("iv"), is_server,
length, iv);
}
METHOD(tls_hkdf_t, derive_finished, bool,
private_tls_hkdf_t *this, bool is_server, chunk_t *finished)
{
- return get_shared_label_keys(this, chunk_from_str("tls13 finished"),
+ return get_shared_label_keys(this, chunk_from_str("finished"),
is_server,
this->hasher->get_hash_size(this->hasher),
finished);