Fix TLS 1.3 Export Keying Material

peterdettman · peterdettman · commit 4a626409d493 · 2022-03-28T16:49:48.000+07:00
- see #1133
diff --git a/tls/src/main/java/org/bouncycastle/tls/AbstractTlsContext.java b/tls/src/main/java/org/bouncycastle/tls/AbstractTlsContext.java
@@ -4,6 +4,7 @@
 
 import org.bouncycastle.tls.crypto.TlsCrypto;
 import org.bouncycastle.tls.crypto.TlsCryptoUtils;
+import org.bouncycastle.tls.crypto.TlsHash;
 import org.bouncycastle.tls.crypto.TlsNonceGenerator;
 import org.bouncycastle.tls.crypto.TlsSecret;
 import org.bouncycastle.util.Arrays;
@@ -280,7 +281,21 @@ else if (!TlsUtils.isValidUint16(context.length))
 
         try
         {
-            return TlsCryptoUtils.hkdfExpandLabel(secret, cryptoHashAlgorithm, asciiLabel, context, length).extract();
+            TlsHash exporterHash = getCrypto().createHash(cryptoHashAlgorithm);
+            byte[] emptyTranscriptHash = exporterHash.calculateHash();
+
+            TlsSecret exporterSecret = TlsUtils.deriveSecret(getSecurityParametersConnection(), secret, asciiLabel,
+                emptyTranscriptHash);
+
+            byte[] exporterContext = emptyTranscriptHash;
+            if (context.length > 0)
+            {
+                exporterHash.update(context, 0, context.length);
+                exporterContext = exporterHash.calculateHash();
+            }
+
+            return TlsCryptoUtils
+                .hkdfExpandLabel(exporterSecret, cryptoHashAlgorithm, "exporter", exporterContext, length).extract();
         }
         catch (IOException e)
         {
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/TlsTestCase.java b/tls/src/test/java/org/bouncycastle/tls/test/TlsTestCase.java
@@ -119,6 +119,8 @@ protected void runTest() throws Throwable
             assertEquals(count, data.length);
             assertTrue(Arrays.areEqual(data, echo));
 
+            assertTrue(Arrays.areEqual(clientImpl.tlsKeyingMaterial1, serverImpl.tlsKeyingMaterial1));
+            assertTrue(Arrays.areEqual(clientImpl.tlsKeyingMaterial2, serverImpl.tlsKeyingMaterial2));
             assertTrue(Arrays.areEqual(clientImpl.tlsServerEndPoint, serverImpl.tlsServerEndPoint));
 
             if (!TlsUtils.isTLSv13(clientImpl.negotiatedVersion))
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/TlsTestClientImpl.java b/tls/src/test/java/org/bouncycastle/tls/test/TlsTestClientImpl.java
@@ -21,6 +21,7 @@
 import org.bouncycastle.tls.ConnectionEnd;
 import org.bouncycastle.tls.DefaultTlsClient;
 import org.bouncycastle.tls.ProtocolVersion;
+import org.bouncycastle.tls.SecurityParameters;
 import org.bouncycastle.tls.SignatureAlgorithm;
 import org.bouncycastle.tls.SignatureAndHashAlgorithm;
 import org.bouncycastle.tls.TlsAuthentication;
@@ -72,6 +73,8 @@ class TlsTestClientImpl
     protected short firstFatalAlertDescription = -1;
 
     ProtocolVersion negotiatedVersion = null;
+    byte[] tlsKeyingMaterial1 = null;
+    byte[] tlsKeyingMaterial2 = null;
     byte[] tlsServerEndPoint = null;
     byte[] tlsUnique = null;
 
@@ -170,6 +173,13 @@ public void notifyHandshakeComplete() throws IOException
     {
         super.notifyHandshakeComplete();
 
+        SecurityParameters securityParameters = context.getSecurityParametersConnection();
+        if (securityParameters.isExtendedMasterSecret())
+        {
+            tlsKeyingMaterial1 = context.exportKeyingMaterial("BC_TLS_TESTS_1", null, 16);
+            tlsKeyingMaterial2 = context.exportKeyingMaterial("BC_TLS_TESTS_2", new byte[8], 16);
+        }
+
         tlsServerEndPoint = context.exportChannelBinding(ChannelBinding.tls_server_end_point);
         tlsUnique = context.exportChannelBinding(ChannelBinding.tls_unique);
 
diff --git a/tls/src/test/java/org/bouncycastle/tls/test/TlsTestServerImpl.java b/tls/src/test/java/org/bouncycastle/tls/test/TlsTestServerImpl.java
@@ -15,6 +15,7 @@
 import org.bouncycastle.tls.ConnectionEnd;
 import org.bouncycastle.tls.DefaultTlsServer;
 import org.bouncycastle.tls.ProtocolVersion;
+import org.bouncycastle.tls.SecurityParameters;
 import org.bouncycastle.tls.SignatureAlgorithm;
 import org.bouncycastle.tls.TlsCredentialedDecryptor;
 import org.bouncycastle.tls.TlsCredentialedSigner;
@@ -66,6 +67,8 @@ class TlsTestServerImpl
     protected int firstFatalAlertConnectionEnd = -1;
     protected short firstFatalAlertDescription = -1;
 
+    byte[] tlsKeyingMaterial1 = null;
+    byte[] tlsKeyingMaterial2 = null;
     byte[] tlsServerEndPoint = null;
     byte[] tlsUnique = null;
 
@@ -144,6 +147,13 @@ public void notifyHandshakeComplete() throws IOException
     {
         super.notifyHandshakeComplete();
 
+        SecurityParameters securityParameters = context.getSecurityParametersConnection();
+        if (securityParameters.isExtendedMasterSecret())
+        {
+            tlsKeyingMaterial1 = context.exportKeyingMaterial("BC_TLS_TESTS_1", null, 16);
+            tlsKeyingMaterial2 = context.exportKeyingMaterial("BC_TLS_TESTS_2", new byte[8], 16);
+        }
+
         tlsServerEndPoint = context.exportChannelBinding(ChannelBinding.tls_server_end_point);
         tlsUnique = context.exportChannelBinding(ChannelBinding.tls_unique);
 
