rustls/crypto/
tls13.rs

1use alloc::boxed::Box;
2use alloc::vec::Vec;
3
4use zeroize::Zeroize;
5
6use super::hmac;
7use super::kx::ActiveKeyExchange;
8use crate::enums::ProtocolVersion;
9use crate::error::Error;
10
11/// Implementation of `HkdfExpander` via `hmac::Key`.
12pub struct HkdfExpanderUsingHmac(Box<dyn hmac::Key>);
13
14impl HkdfExpanderUsingHmac {
15    fn expand_unchecked(&self, info: &[&[u8]], output: &mut [u8]) {
16        let mut term = hmac::Tag::new(b"");
17
18        for (n, chunk) in output
19            .chunks_mut(self.0.tag_len())
20            .enumerate()
21        {
22            term = self
23                .0
24                .sign_concat(term.as_ref(), info, &[(n + 1) as u8]);
25            chunk.copy_from_slice(&term.as_ref()[..chunk.len()]);
26        }
27    }
28}
29
30impl HkdfExpander for HkdfExpanderUsingHmac {
31    fn expand_slice(&self, info: &[&[u8]], output: &mut [u8]) -> Result<(), OutputLengthError> {
32        if output.len() > 255 * self.0.tag_len() {
33            return Err(OutputLengthError);
34        }
35
36        self.expand_unchecked(info, output);
37        Ok(())
38    }
39
40    fn expand_block(&self, info: &[&[u8]]) -> OkmBlock {
41        let mut tag = [0u8; hmac::Tag::MAX_LEN];
42        let reduced_tag = &mut tag[..self.0.tag_len()];
43        self.expand_unchecked(info, reduced_tag);
44        OkmBlock::new(reduced_tag)
45    }
46
47    fn hash_len(&self) -> usize {
48        self.0.tag_len()
49    }
50}
51
52/// Implementation of `Hkdf` (and thence `HkdfExpander`) via `hmac::Hmac`.
53#[expect(clippy::exhaustive_structs)]
54pub struct HkdfUsingHmac<'a>(pub &'a dyn hmac::Hmac);
55
56impl Hkdf for HkdfUsingHmac<'_> {
57    fn extract_from_zero_ikm(&self, salt: Option<&[u8]>) -> Box<dyn HkdfExpander> {
58        let zeroes = [0u8; hmac::Tag::MAX_LEN];
59        Box::new(HkdfExpanderUsingHmac(self.0.with_key(
60            &self.extract_prk_from_secret(salt, &zeroes[..self.0.hash_output_len()]),
61        )))
62    }
63
64    fn extract_from_secret(&self, salt: Option<&[u8]>, secret: &[u8]) -> Box<dyn HkdfExpander> {
65        Box::new(HkdfExpanderUsingHmac(
66            self.0
67                .with_key(&self.extract_prk_from_secret(salt, secret)),
68        ))
69    }
70
71    fn expander_for_okm(&self, okm: &OkmBlock) -> Box<dyn HkdfExpander> {
72        Box::new(HkdfExpanderUsingHmac(self.0.with_key(okm.as_ref())))
73    }
74
75    fn hmac_sign(&self, key: &OkmBlock, message: &[u8]) -> hmac::Tag {
76        self.0
77            .with_key(key.as_ref())
78            .sign(&[message])
79    }
80}
81
82impl HkdfPrkExtract for HkdfUsingHmac<'_> {
83    fn extract_prk_from_secret(&self, salt: Option<&[u8]>, secret: &[u8]) -> Vec<u8> {
84        let zeroes = [0u8; hmac::Tag::MAX_LEN];
85        let salt = match salt {
86            Some(salt) => salt,
87            None => &zeroes[..self.0.hash_output_len()],
88        };
89        self.0
90            .with_key(salt)
91            .sign(&[secret])
92            .as_ref()
93            .to_vec()
94    }
95}
96
97/// Implementation of `HKDF-Expand` with an implicitly stored and immutable `PRK`.
98pub trait HkdfExpander: Send + Sync {
99    /// `HKDF-Expand(PRK, info, L)` into a slice.
100    ///
101    /// Where:
102    ///
103    /// - `PRK` is the implicit key material represented by this instance.
104    /// - `L` is `output.len()`.
105    /// - `info` is a slice of byte slices, which should be processed sequentially
106    ///   (or concatenated if that is not possible).
107    ///
108    /// Returns `Err(OutputLengthError)` if `L` is larger than `255 * HashLen`.
109    /// Otherwise, writes to `output`.
110    fn expand_slice(&self, info: &[&[u8]], output: &mut [u8]) -> Result<(), OutputLengthError>;
111
112    /// `HKDF-Expand(PRK, info, L=HashLen)` returned as a value.
113    ///
114    /// - `PRK` is the implicit key material represented by this instance.
115    /// - `L := HashLen`.
116    /// - `info` is a slice of byte slices, which should be processed sequentially
117    ///   (or concatenated if that is not possible).
118    ///
119    /// This is infallible, because by definition `OkmBlock` is always exactly
120    /// `HashLen` bytes long.
121    fn expand_block(&self, info: &[&[u8]]) -> OkmBlock;
122
123    /// Return what `HashLen` is for this instance.
124    ///
125    /// This must be no larger than [`OkmBlock::MAX_LEN`].
126    fn hash_len(&self) -> usize;
127}
128
129/// A HKDF implementation oriented to the needs of TLS1.3.
130///
131/// See [RFC5869](https://datatracker.ietf.org/doc/html/rfc5869) for the terminology
132/// used in this definition.
133///
134/// You can use [`HkdfUsingHmac`] which implements this trait on top of an implementation
135/// of [`hmac::Hmac`].
136pub trait Hkdf: Send + Sync {
137    /// `HKDF-Extract(salt, 0_HashLen)`
138    ///
139    /// `0_HashLen` is a string of `HashLen` zero bytes.
140    ///
141    /// A `salt` of `None` should be treated as a sequence of `HashLen` zero bytes.
142    fn extract_from_zero_ikm(&self, salt: Option<&[u8]>) -> Box<dyn HkdfExpander>;
143
144    /// `HKDF-Extract(salt, secret)`
145    ///
146    /// A `salt` of `None` should be treated as a sequence of `HashLen` zero bytes.
147    fn extract_from_secret(&self, salt: Option<&[u8]>, secret: &[u8]) -> Box<dyn HkdfExpander>;
148
149    /// `HKDF-Extract(salt, shared_secret)` where `shared_secret` is the result of a key exchange.
150    ///
151    /// Custom implementations should complete the key exchange by calling
152    /// `kx.complete(peer_pub_key)` and then using this as the input keying material to
153    /// `HKDF-Extract`.
154    ///
155    /// A `salt` of `None` should be treated as a sequence of `HashLen` zero bytes.
156    fn extract_from_kx_shared_secret(
157        &self,
158        salt: Option<&[u8]>,
159        kx: Box<dyn ActiveKeyExchange>,
160        peer_pub_key: &[u8],
161    ) -> Result<Box<dyn HkdfExpander>, Error> {
162        Ok(self.extract_from_secret(
163            salt,
164            kx.complete_for_tls_version(peer_pub_key, ProtocolVersion::TLSv1_3)?
165                .secret_bytes(),
166        ))
167    }
168
169    /// Build a `HkdfExpander` using `okm` as the secret PRK.
170    fn expander_for_okm(&self, okm: &OkmBlock) -> Box<dyn HkdfExpander>;
171
172    /// Signs `message` using `key` viewed as a HMAC key.
173    ///
174    /// This should use the same hash function as the HKDF functions in this
175    /// trait.
176    ///
177    /// See [RFC2104](https://datatracker.ietf.org/doc/html/rfc2104) for the
178    /// definition of HMAC.
179    fn hmac_sign(&self, key: &OkmBlock, message: &[u8]) -> hmac::Tag;
180
181    /// Return `true` if this is backed by a FIPS-approved implementation.
182    fn fips(&self) -> bool {
183        false
184    }
185}
186
187/// An extended HKDF implementation that supports directly extracting a pseudo-random key (PRK).
188///
189/// The base [`Hkdf`] trait is tailored to the needs of TLS 1.3, where all extracted PRKs
190/// are expanded as-is, and so can be safely encapsulated without exposing the caller
191/// to the key material.
192///
193/// In other contexts (for example, hybrid public key encryption (HPKE)) it may be necessary
194/// to use the extracted PRK directly for purposes other than an immediate expansion.
195/// This trait can be implemented to offer this functionality when it is required.
196pub(crate) trait HkdfPrkExtract: Hkdf {
197    /// `HKDF-Extract(salt, secret)`
198    ///
199    /// A `salt` of `None` should be treated as a sequence of `HashLen` zero bytes.
200    ///
201    /// In most cases you should prefer [`Hkdf::extract_from_secret`] and using the
202    /// returned [HkdfExpander] instead of handling the PRK directly.
203    fn extract_prk_from_secret(&self, salt: Option<&[u8]>, secret: &[u8]) -> Vec<u8>;
204}
205
206/// `HKDF-Expand(PRK, info, L)` to construct any type from a byte array.
207///
208/// - `PRK` is the implicit key material represented by this instance.
209/// - `L := N`; N is the size of the byte array.
210/// - `info` is a slice of byte slices, which should be processed sequentially
211///   (or concatenated if that is not possible).
212///
213/// This is infallible, because the set of types (and therefore their length) is known
214/// at compile time.
215pub fn expand<T, const N: usize>(expander: &dyn HkdfExpander, info: &[&[u8]]) -> T
216where
217    T: From<[u8; N]>,
218{
219    let mut output = [0u8; N];
220    expander
221        .expand_slice(info, &mut output)
222        .expect("expand type parameter T is too large");
223    T::from(output)
224}
225
226/// Output key material from HKDF, as a value type.
227#[derive(Clone)]
228pub struct OkmBlock {
229    buf: [u8; Self::MAX_LEN],
230    used: usize,
231}
232
233impl OkmBlock {
234    /// Build a single OKM block by copying a byte slice.
235    ///
236    /// The slice can be up to [`OkmBlock::MAX_LEN`] bytes in length.
237    pub fn new(bytes: &[u8]) -> Self {
238        let mut tag = Self {
239            buf: [0u8; Self::MAX_LEN],
240            used: bytes.len(),
241        };
242        tag.buf[..bytes.len()].copy_from_slice(bytes);
243        tag
244    }
245
246    /// Maximum supported HMAC tag size: supports up to SHA512.
247    pub const MAX_LEN: usize = 64;
248}
249
250impl Drop for OkmBlock {
251    fn drop(&mut self) {
252        self.buf.zeroize();
253    }
254}
255
256impl AsRef<[u8]> for OkmBlock {
257    fn as_ref(&self) -> &[u8] {
258        &self.buf[..self.used]
259    }
260}
261
262/// An error type used for `HkdfExpander::expand_slice` when
263/// the slice exceeds the maximum HKDF output length.
264#[expect(clippy::exhaustive_structs)]
265#[derive(Debug)]
266pub struct OutputLengthError;