ssl: Correct TLS-1.3 refactor so prf function works properly

closes #7911

Author: IngelaAndin

lib/ssl/src/tls_client_connection_1_3.erl

@@ -463,9 +463,11 @@ wait_finished(internal,
         State8 = tls_handshake_1_3:forget_master_secret(State7),
         %% Configure traffic keys
         State9 = ssl_record:step_encryption_state(State8),
-        {Record, State} = ssl_gen_statem:prepare_connection(State9,
-                                                            tls_gen_connection),
-        tls_gen_connection:next_event(connection, Record, State,
+        {Record, #state{protocol_specific = PS} = State} = ssl_gen_statem:prepare_connection(State9,
+                                                                                             tls_gen_connection),
+        ExporterSecret = tls_handshake_1_3:calculate_exporter_secret(State),
+        tls_gen_connection:next_event(connection, Record,
+                                      State#state{protocol_specific = PS#{exporter_secret => ExporterSecret}},
                                       [{{timeout, handshake}, cancel}])
     catch
         {Ref, #alert{} = Alert} ->
@@ -505,6 +507,7 @@ handle_exlusive_1_3_hello_or_hello_retry_request(ServerHello, State0) ->
 
 do_handle_exlusive_1_3_hello_or_hello_retry_request(
   #server_hello{cipher_suite = SelectedCipherSuite,
+                random = Random,
                 session_id = SessionId,
                 extensions = Extensions},
   #state{static_env = #static_env{host = Host,
@@ -575,7 +578,8 @@ do_handle_exlusive_1_3_hello_or_hello_retry_request(
                                                  #{cipher => SelectedCipherSuite,
                                                    key_share => ClientKeyShare,
                                                    session_id => SessionId,
-                                                   group => SelectedGroup}),
+                                                   group => SelectedGroup,
+                                                   random => Random}),
 
         %% Replace ClientHello1 with a special synthetic handshake message
         State2 = tls_handshake_1_3:replace_ch1_with_message_hash(State1),
@@ -627,8 +631,9 @@ do_handle_exlusive_1_3_hello_or_hello_retry_request(
     end.
 
 handle_server_hello(#server_hello{cipher_suite = SelectedCipherSuite,
-                         session_id = SessionId,
-                         extensions = Extensions} = ServerHello,
+                                  random = Random,
+                                  session_id = SessionId,
+                                  extensions = Extensions} = ServerHello,
            #state{key_share = ClientKeyShare,
                   ssl_options = #{ciphers := ClientCiphers,
                                   supported_groups := ClientGroups0,
@@ -664,7 +669,8 @@ handle_server_hello(#server_hello{cipher_suite = SelectedCipherSuite,
                                      key_share => ClientKeyShare,
                                      session_id => SessionId,
                                      group => SelectedGroup,
-                                     peer_public_key => ServerPublicKey}),
+                                     peer_public_key => ServerPublicKey,
+                                     random => Random}),
 
         #state{connection_states = ConnectionStates} = State2,
         #{security_parameters := SecParamsR} =

lib/ssl/src/tls_dtls_connection.erl

@@ -48,7 +48,8 @@
 
 %% Help functions for tls|dtls_connection.erl
 -export([handle_session/7,
-         handle_sni_extension/2]).
+         handle_sni_extension/2,
+         handle_call/4]).
 
 %% General state handlingfor TLS-1.0 to TLS-1.2 and gen_handshake that wraps
 %% handling of common state handling for handshake messages for error handling

lib/ssl/src/tls_gen_connection_1_3.erl

@@ -160,6 +160,33 @@ connection({call, From}, negotiated_protocol,
                State) ->
     ssl_gen_statem:hibernate_after(?FUNCTION_NAME, State,
                     [{reply, From, {ok, SelectedProtocol}}]);
+connection({call, From}, {prf, _, Label, Context0, WantedLength},
+           #state{connection_states = ConnectionStates,
+                  protocol_specific = PS} = State) ->
+    #{security_parameters := SecParams} =
+	ssl_record:current_connection_state(ConnectionStates, read),
+    #security_parameters{prf_algorithm = PRFAlgorithm,
+                         client_random = ClientRandom,
+                         server_random = ServerRandom} = SecParams,
+
+    Context0Size = erlang:iolist_size(Context0),
+    Context = case Context0 of
+                  [client_random, server_random | Rest] ->
+                      erlang:iolist_to_binary([ClientRandom, SecParams, ?unit16(Context0), Context0]);
+                  _ ->
+                      erlang:iolist_to_binary([?unit16(Context0), Context0])
+              end,
+
+    ExporterMasterSecret = maps:get(exporter_secret, PS),
+
+    %% TLS-Exporter(label, context_value, key_length) =
+    %%       HKDF-Expand-Label(Derive-Secret(ExporterSecret, label, ""),
+    %%                         "exporter", Hash(context_value), key_length)
+    ExporterSecret = tls_v1:derive_secret(ExporterMasterSecret, Label, <<>>, PRFAlgorithm),
+    HashContext = tls_v1:transcript_hash(Context, PRFAlgorithm),
+    Exporter = tls_v1:hkdf_expand_label(ExporterSecret, <<"exporter">>, HashContext,
+                                        WantedLength, PRFAlgorithm),
+    {next_state, ?FUNCTION_NAME, State, [{reply, From, {ok, Exporter}}]};
 connection(Type, Event, State) ->
     ssl_gen_statem:?FUNCTION_NAME(Type, Event, State).
 

lib/ssl/src/tls_handshake_1_3.erl

@@ -58,6 +58,7 @@
 -export([process_certificate_request/2,
          process_certificate/2,
          calculate_handshake_secrets/5,
+         calculate_exporter_secret/1,
          verify_certificate_verify/2,
          validate_finished/2,
          maybe_calculate_resumption_master_secret/1,
@@ -1089,9 +1090,6 @@ calculate_traffic_secrets(#state{
                                      ReadKey, ReadIV, undefined,
                                      WriteKey, WriteIV, undefined).
 
-
-
-
 %% X25519, X448
 calculate_shared_secret(OthersKey, MyKey, Group)
   when is_binary(OthersKey) andalso is_binary(MyKey) andalso
@@ -1117,8 +1115,8 @@ maybe_calculate_resumption_master_secret(#state{
                              ssl_options = #{session_tickets := SessionTickets},
                              connection_states = ConnectionStates,
                              handshake_env =
-                                 #handshake_env{
-                                    tls_handshake_history = HHistory}} = State)
+                                                #handshake_env{
+                                                   tls_handshake_history = HHistory}} = State)
   when SessionTickets =/= disabled  ->
     #{security_parameters := SecParamsR} =
         ssl_record:pending_connection_state(ConnectionStates, read),
@@ -1128,6 +1126,18 @@ maybe_calculate_resumption_master_secret(#state{
     RMS = tls_v1:resumption_master_secret(HKDFAlgo, MasterSecret, lists:reverse(Messages0)),
     update_resumption_master_secret(State, RMS).
 
+calculate_exporter_secret(#state{
+                             static_env = #static_env{role = Role},
+                             connection_states = ConnectionStates,
+                             handshake_env =
+                                 #handshake_env{
+                                    tls_handshake_history = HHistory}}) ->
+    #{security_parameters := SecParamsR} =
+        ssl_record:pending_connection_state(ConnectionStates, read),
+    #security_parameters{prf_algorithm = HKDFAlgo,
+                         master_secret = MasterSecret} = SecParamsR,
+    Messages = get_handshake_context(Role, HHistory),
+    tls_v1:exporter_master_secret(HKDFAlgo, MasterSecret, lists:reverse(Messages)).
 
 forget_master_secret(#state{connection_states =
                                 #{pending_read := PendingRead,
@@ -1232,22 +1242,28 @@ update_start_state(State, Map) ->
     SelectedSignAlg = maps:get(sign_alg, Map, undefined),
     PeerPublicKey = maps:get(peer_public_key, Map, undefined),
     ALPNProtocol = maps:get(alpn, Map, undefined),
+    Random = maps:get(random, Map),
     update_start_state(State, Cipher, KeyShare, SessionId,
                        Group, SelectedSignAlg, PeerPublicKey,
-                       ALPNProtocol).
+                       ALPNProtocol, Random).
 %%
 update_start_state(#state{connection_states = ConnectionStates0,
                           handshake_env = #handshake_env{} = HsEnv,
+                          static_env = #static_env{role = Role},
                           connection_env = CEnv,
                           session = Session} = State,
                    Cipher, KeyShare, SessionId,
-                   Group, SelectedSignAlg, PeerPublicKey, ALPNProtocol) ->
+                   Group, SelectedSignAlg, PeerPublicKey, ALPNProtocol, Random) ->
     #{security_parameters := SecParamsR0} = PendingRead =
         maps:get(pending_read, ConnectionStates0),
     #{security_parameters := SecParamsW0} = PendingWrite =
         maps:get(pending_write, ConnectionStates0),
-    SecParamsR = ssl_cipher:security_parameters_1_3(SecParamsR0, Cipher),
-    SecParamsW = ssl_cipher:security_parameters_1_3(SecParamsW0, Cipher),
+    SecParamsR1 = ssl_cipher:security_parameters_1_3(SecParamsR0, Cipher),
+    SecParamsW1 = ssl_cipher:security_parameters_1_3(SecParamsW0, Cipher),
+
+    SecParamsR = update_random(Role, SecParamsR1, Random),
+    SecParamsW = update_random(Role, SecParamsW1, Random),
+
     ConnectionStates =
         ConnectionStates0#{pending_read => PendingRead#{security_parameters => SecParamsR},
                            pending_write => PendingWrite#{security_parameters => SecParamsW}},
@@ -1261,6 +1277,10 @@ update_start_state(#state{connection_states = ConnectionStates0,
                                           cipher_suite = Cipher},
                 connection_env = CEnv#connection_env{negotiated_version = ?TLS_1_3}}.
 
+update_random(server, SParams, Random) ->
+    SParams#security_parameters{client_random = Random};
+update_random(client, SParams, Random) ->
+    SParams#security_parameters{server_random = Random}.
 
 update_resumption_master_secret(#state{connection_states = ConnectionStates0} = State,
                                 ResumptionMasterSecret) ->

lib/ssl/src/tls_server_connection_1_3.erl

@@ -313,14 +313,15 @@ wait_finished(internal,
         State1 = tls_handshake_1_3:calculate_traffic_secrets(State0),
         State2 = tls_handshake_1_3:maybe_calculate_resumption_master_secret(State1),
         State3 = tls_handshake_1_3:forget_master_secret(State2),
-
         %% Configure traffic keys
         State4 = ssl_record:step_encryption_state(State3),
 
         State5 = maybe_send_session_ticket(State4),
 
-        {Record, State} = ssl_gen_statem:prepare_connection(State5, tls_gen_connection),
-        tls_gen_connection:next_event(connection, Record, State,
+        {Record, #state{protocol_specific = PS} = State} = ssl_gen_statem:prepare_connection(State5, tls_gen_connection),
+        ExporterSecret = tls_handshake_1_3:calculate_exporter_secret(State),
+        tls_gen_connection:next_event(connection, Record,
+                                      State#state{protocol_specific = PS#{exporter_secret => ExporterSecret}},
                                       [{{timeout, handshake}, cancel}])
     catch
         {Ref, #alert{} = Alert} ->
@@ -387,14 +388,15 @@ handle_client_hello(ClientHello, State0) ->
     end.
 
 do_handle_client_hello(#client_hello{cipher_suites = ClientCiphers,
-                       session_id = SessionId,
-                       extensions = Extensions} = Hello,
-         #state{ssl_options = #{ciphers := ServerCiphers,
-                                signature_algs := ServerSignAlgs,
-                                supported_groups := ServerGroups0,
-                                alpn_preferred_protocols := ALPNPreferredProtocols,
-                                honor_cipher_order := HonorCipherOrder,
-                                early_data := EarlyDataEnabled} = Opts} = State0) ->
+                                     random = Random,
+                                     session_id = SessionId,
+                                     extensions = Extensions} = Hello,
+                       #state{ssl_options = #{ciphers := ServerCiphers,
+                                              signature_algs := ServerSignAlgs,
+                                              supported_groups := ServerGroups0,
+                                              alpn_preferred_protocols := ALPNPreferredProtocols,
+                                              honor_cipher_order := HonorCipherOrder,
+                                              early_data := EarlyDataEnabled} = Opts} = State0) ->
     SNI = maps:get(sni, Extensions, undefined),
     EarlyDataIndication = maps:get(early_data, Extensions, undefined),
     {Ref,Maybe} = tls_gen_connection_1_3:do_maybe(),
@@ -480,7 +482,8 @@ do_handle_client_hello(#client_hello{cipher_suites = ClientCiphers,
                                                         group => Group,
                                                         sign_alg => SelectedSignAlg,
                                                         peer_public_key => ClientPubKey,
-                                                        alpn => ALPNProtocol}),
+                                                        alpn => ALPNProtocol,
+                                                        random => Random}),
 
         %% 4.1.4.  Hello Retry Request
         %%

lib/ssl/src/tls_v1.erl

@@ -67,12 +67,13 @@
 
 -export([derive_secret/4,
          hkdf_expand_label/5,
+         hkdf_expand_label/6,
          hkdf_extract/3,
          hkdf_expand/4,
          key_length/1,
          key_schedule/3,
          key_schedule/4,
-         create_info/3,
+         create_info/4,
          external_binder_key/2,
          resumption_binder_key/2,
          client_early_traffic_secret/3,
@@ -121,18 +122,26 @@ derive_secret(Secret, Label, Messages, Algo) ->
                         Context::binary(), Length::integer(),
                         Algo::ssl:hash()) -> KeyingMaterial::binary().
 hkdf_expand_label(Secret, Label0, Context, Length, Algo) ->
-    HkdfLabel = create_info(Label0, Context, Length),
+    HkdfLabel = create_info(Label0, Context, Length, <<"tls13 ">>),
     hkdf_expand(Secret, HkdfLabel, Length, Algo).
 
+-spec hkdf_expand_label(Secret::binary(), Label0::binary(),
+                        Context::binary(), Length::integer(),
+                        Algo::ssl:hash(), Prefix::binary()) -> KeyingMaterial::binary().
+hkdf_expand_label(Secret, Label0, Context, Length, Algo , Prefix) ->
+    HkdfLabel = create_info(Label0, Context, Length, Prefix),
+    hkdf_expand(Secret, HkdfLabel, Length, Algo).
+
+
 %% Create info parameter for HKDF-Expand:
 %% HKDF-Expand(PRK, info, L) -> OKM
-create_info(Label0, Context0, Length) ->
+create_info(Label0, Context0, Length, Prefix) ->
     %% struct {
     %%     uint16 length = Length;
     %%     opaque label<7..255> = "tls13 " + Label;
     %%     opaque context<0..255> = Context;
     %% } HkdfLabel;
-    Label1 = << <<"tls13 ">>/binary, Label0/binary>>,
+    Label1 = <<Prefix/binary, Label0/binary>>,
     LabelLen = byte_size(Label1),
     Label = <<?BYTE(LabelLen), Label1/binary>>,
     ContextLen = byte_size(Context0),

lib/ssl/test/ssl_api_SUITE.erl

@@ -3665,10 +3665,12 @@ check_srp_in_connection_information(Socket, Username, server) ->
 
 %% In TLS 1.3 the master_secret field is used to store multiple secrets from the key schedule and it is a tuple.
 %% client_random and server_random are not used in the TLS 1.3 key schedule.
-check_connection_info('tlsv1.3', [{client_random, ClientRand}, {master_secret, {master_secret, MasterSecret}}]) ->
-    is_binary(ClientRand) andalso is_binary(MasterSecret);
-check_connection_info('tlsv1.3', [{server_random, ServerRand}, {master_secret, {master_secret, MasterSecret}}]) ->
-    is_binary(ServerRand) andalso is_binary(MasterSecret);
+check_connection_info('tlsv1.3', [{client_random, ClientRand}, {serer_random, ServerRand},
+                                  {master_secret, {master_secret, MasterSecret}}]) ->
+    is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret);
+check_connection_info('tlsv1.3', [{client_random, ClientRand},{server_random, ServerRand},
+                                  {master_secret, {master_secret, MasterSecret}}]) ->
+    is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret);
 check_connection_info(_, [{client_random, ClientRand}, {server_random, ServerRand}, {master_secret, MasterSecret}]) ->
     is_binary(ClientRand) andalso is_binary(ServerRand) andalso is_binary(MasterSecret);
 check_connection_info(_, _) ->