"bytes"
"context"
"crypto"
+ "crypto/hkdf"
"crypto/hmac"
- "crypto/internal/fips140/hkdf"
"crypto/internal/fips140/mlkem"
"crypto/internal/fips140/tls13"
"crypto/rsa"
confTranscript.Write(hs.serverHello.original[:30])
confTranscript.Write(make([]byte, 8))
confTranscript.Write(hs.serverHello.original[38:])
- acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.echContext.innerHello.random, nil),
- "ech accept confirmation",
- confTranscript.Sum(nil),
- 8,
- )
+ h := hs.suite.hash.New
+ prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+ acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", confTranscript.Sum(nil), 8)
if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.random[len(hs.serverHello.random)-8:]) == 1 {
hs.hello = hs.echContext.innerHello
c.serverName = c.config.ServerName
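Review bot: The Extract / error-check / ExpandLabel sequence added here is repeated almost verbatim in three more places (the HRR branch in the next hunk and both server-side hunks), differing only in the random, the label and the transcript. Client and server must derive the same eight bytes, so putting the nil salt, the output length and the derivation order in one helper removes the chance of the copies drifting apart. It also gives one place for a comment saying when `hkdf.Extract` can return an error; as far as I can tell that is only when the public package's policy checks (for example FIPS 140-only mode) reject the hash or the input. The sketch below assumes the `hash` package is imported in the file that holds the helper, which is not visible here. The enclosing function starts and ends outside the hunk.

```go
// echAcceptConfirmation derives the 8-byte ECH acceptance signal from a
// hello random and the hash of the confirmation transcript.
func echAcceptConfirmation(h func() hash.Hash, random []byte, label string, transcript []byte) ([]byte, error) {
	prk, err := hkdf.Extract(h, random, nil)
	if err != nil {
		return nil, err
	}
	return tls13.ExpandLabel(h, prk, label, transcript, 8), nil
}

// … unchanged: confTranscript writes …
acceptConfirmation, err := echAcceptConfirmation(hs.suite.hash.New,
	hs.echContext.innerHello.random, "ech accept confirmation", confTranscript.Sum(nil))
if err != nil {
	c.sendAlert(alertInternalError)
	return err
}
```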
copy(hrrHello, hs.serverHello.original)
hrrHello = bytes.Replace(hrrHello, hs.serverHello.encryptedClientHello, make([]byte, 8), 1)
confTranscript.Write(hrrHello)
- acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.echContext.innerHello.random, nil),
- "hrr ech accept confirmation",
- confTranscript.Sum(nil),
- 8,
- )
+ h := hs.suite.hash.New
+ prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+ acceptConfirmation := tls13.ExpandLabel(h, prk, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)
if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.encryptedClientHello) == 1 {
hello = hs.echContext.innerHello
c.serverName = c.config.ServerName
"bytes"
"context"
"crypto"
+ "crypto/hkdf"
"crypto/hmac"
- "crypto/internal/fips140/hkdf"
"crypto/internal/fips140/mlkem"
"crypto/internal/fips140/tls13"
"crypto/internal/hpke"
if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil {
return nil, err
}
- acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil),
- "hrr ech accept confirmation",
- confTranscript.Sum(nil),
- 8,
- )
+ h := hs.suite.hash.New
+ prf, err := hkdf.Extract(h, hs.clientHello.random, nil)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return nil, err
+ }
+ acceptConfirmation := tls13.ExpandLabel(h, prf, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)
helloRetryRequest.encryptedClientHello = acceptConfirmation
}
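Review bot: The extracted key is named `prf` in this hunk but `prk` in the other three copies of the same sequence. `prk` (pseudorandom key, the output of HKDF-Extract) is the accurate name, whereas `prf` reads as "pseudorandom function" and makes the four sites harder to grep together. Rename it with `prk, err := hkdf.Extract(h, hs.clientHello.random, nil)` and pass `prk` to `tls13.ExpandLabel` on the line that follows. The enclosing function starts outside the hunk.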
return err
}
// compute the acceptance message
- acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New,
- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil),
- "ech accept confirmation",
- echTranscript.Sum(nil),
- 8,
- )
+ h := hs.suite.hash.New
+ prk, err := hkdf.Extract(h, hs.clientHello.random, nil)
+ if err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+ acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", echTranscript.Sum(nil), 8)
copy(hs.hello.random[32-8:], acceptConfirmation)
}