From 51cf1f5a4659b049ef3571f32ee349f22f88329d Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Tue, 27 Jul 2021 01:36:50 +0700
Subject: Use PSK early secret when negotiated
---
 crypto/src/tls/SecurityParameters.cs | 7 -------
 crypto/src/tls/TlsClientProtocol.cs | 5 ++++-
 crypto/src/tls/TlsServerProtocol.cs | 6 +++++-
 crypto/src/tls/TlsUtilities.cs | 14 ++++++--------
 4 files changed, 15 insertions(+), 17 deletions(-)
diff --git a/crypto/src/tls/SecurityParameters.cs b/crypto/src/tls/SecurityParameters.cs
index 1f63f6f33..23a83a65f 100644
--- a/crypto/src/tls/SecurityParameters.cs
+++ b/crypto/src/tls/SecurityParameters.cs
@@ -22,7 +22,6 @@ namespace Org.BouncyCastle.Tls
 internal TlsSecret m_exporterMasterSecret = null;
 internal TlsSecret m_handshakeSecret = null;
 internal TlsSecret m_masterSecret = null;
- internal TlsSecret m_preSharedKey = null;
 internal TlsSecret m_sharedSecret = null;
 internal TlsSecret m_trafficSecretClient = null;
 internal TlsSecret m_trafficSecretServer = null;
@@ -79,7 +78,6 @@ namespace Org.BouncyCastle.Tls
 this.m_exporterMasterSecret = ClearSecret(m_exporterMasterSecret);
 this.m_handshakeSecret = ClearSecret(m_handshakeSecret);
 this.m_masterSecret = ClearSecret(m_masterSecret);
- this.m_preSharedKey = null;
 this.m_sharedSecret = ClearSecret(m_sharedSecret);
 }
@@ -228,11 +226,6 @@ namespace Org.BouncyCastle.Tls
 get { return m_peerVerifyData; }
 }
- public TlsSecret PreSharedKey
- {
- get { return m_preSharedKey; }
- }
-
 public int PrfAlgorithm
 {
 get { return m_prfAlgorithm; }
diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs
index 8fb1a39b7..190a1927f 100644
--- a/crypto/src/tls/TlsClientProtocol.cs
+++ b/crypto/src/tls/TlsClientProtocol.cs
@@ -954,7 +954,10 @@ namespace Org.BouncyCastle.Tls
 agreement.ReceivePeerValue(keyShareEntry.KeyExchange);
 securityParameters.m_sharedSecret = agreement.CalculateSecret();
- TlsUtilities.Establish13PhaseSecrets(m_tlsClientContext);
+ // TODO[tls13-psk] Use PSK early secret if negotiated
+ TlsSecret pskEarlySecret = null;
+
+ TlsUtilities.Establish13PhaseSecrets(m_tlsClientContext, pskEarlySecret);
 }
 {
diff --git a/crypto/src/tls/TlsServerProtocol.cs b/crypto/src/tls/TlsServerProtocol.cs
index a7e0e0120..2afb625a8 100644
--- a/crypto/src/tls/TlsServerProtocol.cs
+++ b/crypto/src/tls/TlsServerProtocol.cs
@@ -332,7 +332,11 @@ namespace Org.BouncyCastle.Tls
 agreement.ReceivePeerValue(clientShare.KeyExchange);
 securityParameters.m_sharedSecret = agreement.CalculateSecret();
- TlsUtilities.Establish13PhaseSecrets(m_tlsServerContext);
+
+ // TODO[tls13-psk] Use PSK early secret if negotiated
+ TlsSecret pskEarlySecret = null;
+
+ TlsUtilities.Establish13PhaseSecrets(m_tlsServerContext, pskEarlySecret);
 }
 this.m_serverExtensions = serverEncryptedExtensions;
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index e48a44452..a80e6da32 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -1559,7 +1559,7 @@ namespace Org.BouncyCastle.Tls
 return Prf(securityParameters, master_secret, asciiLabel, prfHash, verify_data_length).Extract();
 }
- internal static void Establish13PhaseSecrets(TlsContext context)
+ internal static void Establish13PhaseSecrets(TlsContext context, TlsSecret pskEarlySecret)
 {
 TlsCrypto crypto = context.Crypto;
 SecurityParameters securityParameters = context.SecurityParameters;
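Review bot: The `pskEarlySecret` local added before the `Establish13PhaseSecrets` call is unconditionally `null`, so until the `TODO[tls13-psk]` is resolved a client that does end up with a PSK selected would silently derive its key schedule from the zero early secret rather than from the PSK. Between two peers carrying the same placeholder the handshake would still complete and the Finished values would still match, with the PSK contributing nothing to the handshake and master secrets. If the pre_shared_key negotiation elsewhere in this class can already select an identity (not visible in this hunk), the call site should abort the handshake with a fatal alert when a PSK was selected and this local is still null, e.g. guard the call with `if (pskSelected && null == pskEarlySecret) { /* fatal internal_error */ }` using whatever state records the selection, instead of falling through. The same placeholder appears in the TlsServerProtocol hunk and wants the same guard. The enclosing method starts and ends outside the hunk.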
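Review bot: The new `pskEarlySecret` parameter on `Establish13PhaseSecrets` is undocumented, and the change from the removed `PreSharedKey` (which was handed to `HkdfExtract` as IKM) to an already-extracted early secret changes what callers must pass. I would put a doc comment above the signature stating the contract: the argument must be the early secret of RFC 8446 section 7.1, i.e. `HKDF-Extract(salt = 0, IKM = PSK)` computed under the hash of the negotiated cipher suite, never the raw PSK, and `null` when no PSK was negotiated, in which case the method derives the early secret from a zero-filled IKM itself. It is also worth stating who owns the passed `TlsSecret` afterwards, since the old `m_preSharedKey` field that was cleared after use is gone and the value now appears to be stored into `SecurityParameters` (in a later hunk); callers should not destroy it independently if that is the intent. The method body continues in the next hunk.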
@@ -1567,15 +1567,14 @@ namespace Org.BouncyCastle.Tls
 TlsSecret zeros = crypto.HkdfInit(cryptoHashAlgorithm);
 byte[] emptyTranscriptHash = crypto.CreateHash(cryptoHashAlgorithm).CalculateHash();
- TlsSecret preSharedKey = securityParameters.PreSharedKey;
- if (null == preSharedKey)
+ TlsSecret earlySecret = pskEarlySecret;
+ if (null == earlySecret)
 {
- preSharedKey = zeros;
+ earlySecret = crypto
+ .HkdfInit(cryptoHashAlgorithm)
+ .HkdfExtract(cryptoHashAlgorithm, zeros);
 }
- TlsSecret earlySecret = crypto.HkdfInit(cryptoHashAlgorithm)
- .HkdfExtract(cryptoHashAlgorithm, preSharedKey);
-
 TlsSecret sharedSecret = securityParameters.SharedSecret;
 if (null == sharedSecret)
 {
@@ -1596,7 +1595,6 @@ namespace Org.BouncyCastle.Tls
 securityParameters.m_earlySecret = earlySecret;
 securityParameters.m_handshakeSecret = handshakeSecret;
 securityParameters.m_masterSecret = masterSecret;
- securityParameters.m_preSharedKey = null;
 securityParameters.m_sharedSecret = null;
 }
-- cgit 1.4.1
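Review bot: Nothing in the `null == earlySecret` branch, or after it, checks that a caller-supplied `pskEarlySecret` was extracted under `cryptoHashAlgorithm`; RFC 8446 section 4.2.11 requires the selected PSK's hash to match the negotiated cipher suite, and an early secret produced under a different hash would be silently fed into the handshake-secret derivation that follows. Unless `TlsSecret` records the hash it was derived with (not visible here), that check has to live at the call sites when the TODO is implemented, and a comment here would record the obligation: `// pskEarlySecret, when non-null, must have been extracted under cryptoHashAlgorithm (RFC 8446 4.2.11); not verified here`. The no-PSK path now extracts from `zeros` as IKM with a fresh `HkdfInit` salt, which matches the section 7.1 zero-filled Hash.length PSK provided `HkdfInit` returns a zero secret of that length, as its use as the salt suggests. `Establish13PhaseSecrets` continues past the end of this hunk.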