Fix calculation of draft-13 ECH confirmation signal.

Apparently both we and Go flipped the parameter order for HKDF-Extract relative to the HKDF spec. (The spec orders the salt before the key.) Not sure how that happened. Found doing interop testing with Stephen Farrell's implementation. https://pkg.go.dev/golang.org/x/crypto/hkdf#Extract https://datatracker.ietf.org/doc/html/rfc5869#section-2.2 https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-13#section-7.2 Bug: 275 Change-Id: I40a7d53b45cb548e93e6a7ae235e98e55dec4a7a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49185 Reviewed-by: Adam Langley <agl@google.com>
3 years ago · 19fe7943ce
parent 18b6836b2f
commit 19fe7943ce
3 changed files with 8 additions and 4 deletions
--- a/include/openssl/hkdf.h
+++ b/include/openssl/hkdf.h
@ -41,6 +41,10 @@ OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
 // keying material |secret| and salt |salt| using |digest|, and outputs
 // |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|.
 // It returns one on success and zero on error.
+//
+// WARNING: This function orders the inputs differently from RFC 5869
+// specification. Double-check which parameter is the secret/IKM and which is
+// the salt when using.
 OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len,
                                const EVP_MD *digest, const uint8_t *secret,
                                size_t secret_len, const uint8_t *salt,
--- a/ssl/test/runner/prf.go
+++ b/ssl/test/runner/prf.go
@ -410,7 +410,7 @@ func (h *finishedHash) deriveSecret(label []byte) []byte {
 // sections 7.2 and 7.2.1 of draft-ietf-tls-esni-13. The transcript hash is
 // computed by concatenating |h| with |extraMessages|.
 func (h *finishedHash) echAcceptConfirmation(clientRandom, label, extraMessages []byte) []byte {
-	secret := hkdf.Extract(h.suite.hash().New, h.zeroSecret(), clientRandom)
+	secret := hkdf.Extract(h.suite.hash().New, clientRandom, h.zeroSecret())
 	hashCopy := copyHash(h.hash, h.suite.hash())
 	hashCopy.Write(extraMessages)
 	return hkdfExpandLabel(h.suite.hash(), secret, label, hashCopy.Sum(nil), echAcceptConfirmationLength)
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@ -565,9 +565,9 @@ bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span<uint8_t> out,

  uint8_t secret[EVP_MAX_MD_SIZE];
  size_t secret_len;
-  if (!HKDF_extract(secret, &secret_len, transcript.Digest(), kZeros,
-                    transcript.DigestLen(), client_random.data(),
-                    client_random.size())) {
+  if (!HKDF_extract(secret, &secret_len, transcript.Digest(),
+                    client_random.data(), client_random.size(), kZeros,
+                    transcript.DigestLen())) {
    return false;
  }