ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

tls-crypto: Generate MSK for TLS 1.3 

We generate material for both MSK and EMSK even though we only need the
former.  Because HKDF-Expand-Label(), on which the export functionality
is based, encodes the requested key length, we have to allocate the same
number of bytes as e.g. FreeRADIUS does (i.e. if we only request 64
bytes, those won't be the same as the first 64 bytes after requesting
128 bytes).

Unfortunately, key derivation for TLS-based methods is currently not
standardized for TLS 1.3.  There is a draft [1], which defines a scheme
that's different from previous versions (instead of individual label
strings it uses a single one and passes the EAP type/code as context
value to TLS-Export()).  The current code is compatible to FreeRADIUS
3.0.x, which doesn't implement it according to that draft yet (there are
unreleased changes for EAP-TLS, not for the other methods, but these only
switch the label, no context value is passed).  In a separate draft
for EAP-TLS [2] there is an altogether different scheme defined in the
latest version (label combined with EAP method, no context and separate
derivation for MSK and EMSK).

So this is a mess and we will have to change this later with the inevitable
compatibility issues (we should definitely disable TLS 1.3 by default).

[1] https://tools.ietf.org/html/draft-ietf-emu-tls-eap-types
[2] https://tools.ietf.org/html/draft-ietf-emu-eap-tls13
This commit is contained in:
Tobias Brunner 2020-09-01 18:51:32 +02:00
parent d2fe921cf5
commit 121ac4b9e3
1 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/libtls/tls_crypto.c
View File

@ -2086,8 +2086,26 @@ METHOD(tls_crypto_t, derive_handshake_keys, bool,
METHOD(tls_crypto_t, derive_app_keys, bool,
private_tls_crypto_t *this)
{
return derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
TLS_HKDF_S_AP_TRAFFIC);
if (!derive_labeled_keys(this, TLS_HKDF_C_AP_TRAFFIC,
TLS_HKDF_S_AP_TRAFFIC))
{
return FALSE;
}
/* EAP-MSK */
if (this->msk_label)
{
/* because the length is encoded when expanding key material, we
* request the same number of bytes as FreeRADIUS (the first 64 for
* the MSK, the next for the EMSK, which we just ignore) */
if (!this->hkdf->export(this->hkdf, this->msk_label, chunk_empty,
this->handshake, 128, &this->msk))
{
return FALSE;
}
this->msk.len = 64;
}
return TRUE;
}
METHOD(tls_crypto_t, update_app_keys, bool,