ddn.net.tls.keyschedule

TLS 1.3 key schedule (RFC 8446 §7.1).

Implements HKDF-Expand-Label, Derive-Secret, and the full TLS 1.3 key derivation hierarchy from the early secret through the application traffic secrets. Also provides the TLS 1.2 PRF for the TLS 1.2 handshake.

Types (5)

Tls13TrafficKeys
  TLS 1.3 traffic key material. Contains the AEAD key and IV derived from a traffic secret.

  Fields:
    ubyte[] key
    ubyte[] iv
    size_t keyLength
    size_t ivLength

TLS 1.3 key schedule state
  Tracks the evolving secret through the handshake phases and derives traffic keys as needed.

  Fields:
    HKDF hkdf_
    size_t hashLen_
    ubyte[] earlySecret_
    ubyte[] handshakeSecret_
    ubyte[] masterSecret_
    ubyte[] clientHandshakeTrafficSecret_
    ubyte[] serverHandshakeTrafficSecret_
    ubyte[] clientAppTrafficSecret_
    ubyte[] serverAppTrafficSecret_
    ubyte[] serializeKey_
    ubyte[] clientWriteKey_
    ubyte[] serverWriteKey_

  Methods:
    void setCipherSuite(ushort cipherSuite)
      Reconfigures the hash algorithm based on the negotiated cipher suite.
    void computeEarlySecret(const(ubyte)[] psk = null)
      Computes the early secret from a PSK (or zeros if no PSK).
    ubyte[] deriveEarlyTrafficSecret(const(ubyte)[] transcriptHash)
      Derives the client early traffic secret for 0-RTT.
    void computeHandshakeSecret(const(ubyte)[] sharedSecret)
      Computes the handshake secret from the shared secret.
    void deriveHandshakeTrafficSecrets(const(ubyte)[] transcriptHash)
      Derives the handshake traffic secrets from the transcript hash.
    void computeMasterSecret()
      Computes the master secret.
    void deriveApplicationTrafficSecrets(const(ubyte)[] transcriptHash)
      Derives the application traffic secrets.
    ubyte[] deriveSecret(const(ubyte)[] secret, string label, const(ubyte)[] transcriptHash)
      Derives a secret using HKDF-Expand-Label per RFC 8446 §7.1.
    Tls13TrafficKeys deriveTrafficKeys(const(ubyte)[] secret, size_t keyLen, size_t ivLen)
      Derives traffic keys (AEAD key + IV) from a traffic secret.
    const(ubyte)[] clientHandshakeTrafficSecret() @property const
      Returns: The client handshake traffic secret.
    const(ubyte)[] serverHandshakeTrafficSecret() @property const
      Returns: The server handshake traffic secret.
    const(ubyte)[] clientApplicationTrafficSecret() @property const
      Returns: The client application traffic secret.
    const(ubyte)[] serverApplicationTrafficSecret() @property const
      Returns: The server application traffic secret.
    size_t hashLength() @property const
      Returns: The hash output length in bytes (32 for SHA-256, 48 for SHA-384).
    ubyte[] deriveResumptionPsk(const(ubyte)[] transcriptHash)
      Derives a resumption PSK from the master secret and transcript.
    ubyte[] deriveFinishedKey(const(ubyte)[] baseKey)
      Derives the finished key for HMAC verification.
    ubyte[] computeFinishedVerifyData(const(ubyte)[] finishedKey, const(ubyte)[] transcriptHash)
      Computes the verify_data for a Finished message.
    ubyte[] hkdfExpandLabel(const(ubyte)[] secret, string label, const(ubyte)[] context, size_t length)
      HKDF-Expand-Label as defined in RFC 8446 §7.1.
    this()
      Constructs a TLS 1.3 key schedule.

TranscriptHash
  Accumulates TLS handshake messages and computes transcript hashes over the accumulated handshake bytes. The transcript hash is SHA-256 (or SHA-384 after setHashLength()) of all handshake messages concatenated together. Calling current() does not consume the accumulated data.

  Fields:
    ubyte[] data_
    ubyte[] frozen_
    size_t hashLen_

  Methods:
    void setHashLength(size_t len)
      Sets the hash length for SHA-384 mode.
    void update(const(ubyte)[] data)
      Appends handshake message data to the transcript.
    ubyte[] current()
      Returns: The current transcript hash. Does not consume accumulated data.
    void freeze()
      Freezes the transcript hash. Further update() calls are no-ops.
    void resetWithMessageHash(const(ubyte)[] hashValue)
      Resets the transcript and replaces it with a synthetic message_hash message per RFC 8446 §4.4.1.
    ubyte[] emptyHash(size_t hashLen)
      Returns the hash of an empty string for the current hash algorithm.
    this()
      Constructs a TranscriptHash using SHA-256.

TlsAead
  AEAD encrypt/decrypt helper for TLS records. Wraps either AES-GCM or ChaCha20-Poly1305 with sequence-number-based nonce construction per RFC 8446 §5.3.

  Methods:
    ubyte[] encrypt(const(ubyte)[] plaintext, const(ubyte)[] aad)
      Encrypts a TLS record fragment.
    ubyte[] decrypt(const(ubyte)[] ciphertext, const(ubyte)[] aad)
      Decrypts a TLS record fragment.
    ubyte[] decryptWithNonce(const(ubyte)[] ciphertext, const(ubyte)[] aad, const(ubyte)[] explicitNonce)
      Decrypts a TLS 1.2 record using an explicit nonce.
    ubyte[] encryptWithNonce(const(ubyte)[] plaintext, const(ubyte)[] aad, const(ubyte)[] explicitNonce)
      Encrypts a TLS 1.2 record using an explicit nonce.
    ubyte[] getExplicitNonce()
      Returns the explicit nonce for TLS 1.2 GCM encryption.
    this(Tls13TrafficKeys keys, ushort cipherSuiteId)
      Constructs a TlsAead with the given traffic keys.

TLS 1.2 PRF
  TLS 1.2 PRF (Pseudorandom Function) per RFC 5246 §5. Uses HMAC-SHA256 as the core hash. Produces arbitrary-length pseudorandom output from a secret, label, and seed.

  Fields:
    Hash function() _hashCtor

  Methods:
    void setCipherSuite(ushort cipherSuite)
      Reconfigures the hash algorithm based on the negotiated cipher suite.
    ubyte[] compute(const(ubyte)[] secret, string label, const(ubyte)[] seed, size_t length)
      Computes the TLS 1.2 PRF output.
    ubyte[] hmac(const(ubyte)[] key, const(ubyte)[] data)
    ubyte[] deriveMasterSecret(const(ubyte)[] preMasterSecret, const(ubyte)[] clientRandom, const(ubyte)[] serverRandom)
      Derives the master secret from the pre-master secret.
    ubyte[] deriveKeyBlock(const(ubyte)[] masterSecret, const(ubyte)[] serverRandom, const(ubyte)[] clientRandom, size_t length)
      Derives key material from the master secret.
    ubyte[] deriveFinished(const(ubyte)[] masterSecret, string label, const(ubyte)[] handshakeHash)
      Derives the finished verify data.
    this()
      Constructs a TLS 1.2 PRF using SHA-256 HMAC.
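The RFC 8446 derivations that the key schedule, TranscriptHash and TlsAead types above wrap, written out as an added Python example (not the ddn project's own code): HKDF-Expand-Label with the HkdfLabel encoding, Derive-Secret, the early-to-handshake-secret step, traffic key/IV expansion, the §5.3 per-record nonce and the Finished verify_data. All function names are this example's own; it covers SHA-256 only, and any handshake inputs fed to it are constructed values, not real ones.

```python
import hashlib
import hmac
HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 for SHA-256 (48 for SHA-384)

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()  # RFC 5869: PRK = HMAC-Hash(salt, IKM)

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated then truncated
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def hkdf_label(length: int, label: str, context: bytes) -> bytes:
    # struct HkdfLabel { uint16 length; opaque label<7..255>; opaque context<0..255>; }
    full = b"tls13 " + label.encode("ascii")
    return length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length)

def derive_secret(secret: bytes, label: str, transcript_hash: bytes) -> bytes:
    return hkdf_expand_label(secret, label, transcript_hash, HLEN)

def early_secret(psk: bytes = b"") -> bytes:
    # Early Secret = HKDF-Extract(0, PSK); PSK is Hash.length zero bytes when none is in use
    return hkdf_extract(bytes(HLEN), psk or bytes(HLEN))

def handshake_traffic_secrets(psk: bytes, shared_secret: bytes, transcript_hash: bytes):
    # Handshake Secret = HKDF-Extract(Derive-Secret(Early, "derived", ""), (EC)DHE shared secret)
    derived = derive_secret(early_secret(psk), "derived", HASH(b"").digest())
    hs = hkdf_extract(derived, shared_secret)
    return (derive_secret(hs, "c hs traffic", transcript_hash),
            derive_secret(hs, "s hs traffic", transcript_hash))

def traffic_keys(secret: bytes, key_len: int = 16, iv_len: int = 12):
    # §7.3: key = HKDF-Expand-Label(secret, "key", "", key_len); iv likewise with label "iv"
    return (hkdf_expand_label(secret, "key", b"", key_len),
            hkdf_expand_label(secret, "iv", b"", iv_len))

def record_nonce(iv: bytes, seq: int) -> bytes:
    # §5.3: left-pad the 64-bit record sequence number to iv length and XOR it into the IV
    return bytes(a ^ b for a, b in zip(iv, seq.to_bytes(len(iv), "big")))

def finished_verify_data(base_key: bytes, transcript_hash: bytes) -> bytes:
    # §4.4.4: verify_data = HMAC(HKDF-Expand-Label(base_key, "finished", "", Hash.length), transcript)
    return hmac.new(hkdf_expand_label(base_key, "finished", b"", HLEN), transcript_hash, HASH).digest()
```

With no PSK, early_secret() reproduces the SHA-256 early secret listed in RFC 8448, which is a quick sanity check for any HKDF-Expand-Label port.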