We don't set the service indicator in this package; instead, we delegate that to the underlying functions, because the TLS 1.3 KDF does not have a standard of its own. ExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
(hash func() H, secret []byte, label string, context []byte, length int)
| 18 | |
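// ExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
//
// It serializes the HkdfLabel structure (a 2-byte big-endian output length,
// the length-prefixed label carrying the "tls13 " prefix, and the
// length-prefixed context) and passes it as the info input to hkdf.Expand
// over secret, using the hash constructed by hash. It returns length bytes
// of output keying material.
//
// ExpandLabel panics if the prefixed label or the context exceeds 255 bytes,
// if length does not fit the 2-byte length field, or if hkdf.Expand reports
// an error. A failed derivation therefore never yields a nil or empty slice
// that a caller could go on to use as key material.
func ExpandLabel[H hash.Hash](hash func() H, secret []byte, label string, context []byte, length int) []byte {
	if len("tls13 ")+len(label) > 255 || len(context) > 255 {
		// It should be impossible for this to panic: labels are fixed strings,
		// and context is either a fixed-length computed hash, or parsed from a
		// field which has the same length limitation.
		//
		// Another reasonable approach might be to return a randomized slice if
		// we encounter an error, which would break the connection, but avoid
		// panicking. This would perhaps be safer but significantly more
		// confusing to users.
		panic("tls13: label or context too long")
	}
	if length < 0 || length > 1<<16-1 {
		// The HkdfLabel length field is a uint16. Converting a larger value
		// would silently truncate it, so the label would commit to a
		// different length than the one requested from hkdf.Expand.
		panic("tls13: HKDF-Expand-Label output length out of range")
	}

	// HkdfLabel layout: uint16 length || uint8 len(label) || label ||
	// uint8 len(context) || context. The one-byte length prefixes are safe
	// because both sizes were bounded to 255 above.
	hkdfLabel := make([]byte, 0, 2+1+len("tls13 ")+len(label)+1+len(context))
	hkdfLabel = binary.BigEndian.AppendUint16(hkdfLabel, uint16(length))
	hkdfLabel = append(hkdfLabel, byte(len("tls13 ")+len(label)))
	hkdfLabel = append(hkdfLabel, "tls13 "...)
	hkdfLabel = append(hkdfLabel, label...)
	hkdfLabel = append(hkdfLabel, byte(len(context)))
	hkdfLabel = append(hkdfLabel, context...)

	b, err := hkdf.Expand(hash, secret, string(hkdfLabel), length)
	if err != nil {
		// Previously the error was discarded and whatever Expand returned
		// alongside it was handed back as key material. Fail loudly instead,
		// matching the invariant check at the top of the function.
		panic("tls13: HKDF-Expand-Label invocation failed unexpectedly")
	}
	return b
}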
| 42 | |
| 43 | func extract[H hash.Hash](hash func() H, newSecret, currentSecret []byte) []byte { |
| 44 | if newSecret == nil { |