Files

aho_corasick

packed

teddy

compile.rsmod.rsruntime.rs

api.rsmod.rspattern.rsrabinkarp.rsvector.rs

ahocorasick.rsautomaton.rsbuffer.rsbyte_frequencies.rsclasses.rsdfa.rserror.rslib.rsnfa.rsprefilter.rsstate_id.rs

ansi_term

ansi.rsdebug.rsdifference.rsdisplay.rslib.rsstyle.rswindows.rswrite.rs

arrayvec

array.rsarray_string.rschar.rserrors.rslib.rsmaybe_uninit_stable.rsrange.rs

atty

lib.rs

backtrace

backtrace

libunwind.rsmod.rs

symbolize

dladdr.rslibbacktrace.rsmod.rs

capture.rslib.rsprint.rstypes.rs

backtrace_sys

lib.rs

base64

write

encoder.rsmod.rs

chunked_encoder.rsdecode.rsdisplay.rsencode.rslib.rstables.rs

bincode

de

mod.rsread.rs

ser

mod.rs

config.rserror.rsinternal.rslib.rs

bitflags

lib.rs

byteorder

io.rslib.rs

bytes

buf

buf.rsbuf_mut.rschain.rsfrom_buf.rsinto_buf.rsiter.rsmod.rsreader.rstake.rsvec_deque.rswriter.rs

bytes.rsdebug.rslib.rs

c2_chacha

guts.rslib.rs

capnp

private

arena.rscapability.rsendian.rslayout.rsmask.rsmod.rsunits.rszero.rs

any_pointer.rsany_pointer_list.rscapability.rscapability_list.rsconstant.rsdata.rsdata_list.rsenum_list.rslib.rslist_list.rsmessage.rsprimitive_list.rsraw.rsserialize.rsserialize_packed.rsstruct_list.rstext.rstext_list.rstraits.rs

capnp_futures

lib.rsread_stream.rsserialize.rswrite_queue.rs

capnp_rpc

attach.rsbroken.rsforked_promise.rslib.rslocal.rsqueued.rsrpc.rssender_queue.rssplit.rstask_set.rstwoparty.rs

cfg_if

lib.rs

chrono

format

mod.rsparse.rsparsed.rsscan.rsstrftime.rs

naive

date.rsdatetime.rsinternals.rsisoweek.rstime.rs

offset

fixed.rslocal.rsmod.rsutc.rs

date.rsdatetime.rsdiv.rslib.rsround.rs

clap

app

help.rsmeta.rsmod.rsparser.rssettings.rsusage.rsvalidator.rs

args

arg_builder

base.rsflag.rsmod.rsoption.rspositional.rsswitched.rsvalued.rs

any_arg.rsarg.rsarg_matcher.rsarg_matches.rsgroup.rsmacros.rsmatched_arg.rsmod.rssettings.rssubcommand.rs

completions

bash.rselvish.rsfish.rsmacros.rsmod.rspowershell.rsshell.rszsh.rs

errors.rsfmt.rslib.rsmacros.rsmap.rsosstringext.rsstrext.rssuggestions.rsusage_parser.rs

crossbeam_deque

lib.rs

crossbeam_epoch

sync

list.rsmod.rsqueue.rs

atomic.rscollector.rsdefault.rsdeferred.rsepoch.rsguard.rsinternal.rslib.rs

crossbeam_queue

array_queue.rserr.rslib.rsseg_queue.rs

crossbeam_utils

atomic

atomic_cell.rsconsume.rsmod.rs

sync

mod.rsparker.rssharded_lock.rswait_group.rs

backoff.rscache_padded.rslib.rsthread.rs

ctrlc

platform

unix

mod.rs

mod.rs

error.rslib.rssignal.rs

daemon

daemon.rslib.rslinux.rssingleton.rs

failure

backtrace

internal.rsmod.rs

error

error_impl.rsmod.rs

as_fail.rsbox_std.rscompat.rscontext.rserror_message.rslib.rsmacros.rsresult_ext.rssync_failure.rs

failure_derive

lib.rs

flexi_logger

writers

file_log_writer.rslog_writer.rsmod.rs

flexi_error.rsflexi_logger.rsformats.rslib.rslog_specification.rslogger.rsprimary_writer.rsreconfiguration_handle.rs

fnv

lib.rs

futures

future

and_then.rscatch_unwind.rschain.rseither.rsempty.rsflatten.rsflatten_stream.rsfrom_err.rsfuse.rsinspect.rsinto_stream.rsjoin.rsjoin_all.rslazy.rsloop_fn.rsmap.rsmap_err.rsmod.rsoption.rsor_else.rspoll_fn.rsresult.rsselect.rsselect2.rsselect_all.rsselect_ok.rsshared.rsthen.rs

sink

buffer.rsfanout.rsflush.rsfrom_err.rsmap_err.rsmod.rssend.rssend_all.rswait.rswith.rswith_flat_map.rs

stream

and_then.rsbuffer_unordered.rsbuffered.rscatch_unwind.rschain.rschannel.rschunks.rscollect.rsconcat.rsempty.rsfilter.rsfilter_map.rsflatten.rsfold.rsfor_each.rsforward.rsfrom_err.rsfuse.rsfuture.rsfutures_ordered.rsfutures_unordered.rsinspect.rsinspect_err.rsiter.rsiter_ok.rsiter_result.rsmap.rsmap_err.rsmerge.rsmod.rsonce.rsor_else.rspeek.rspoll_fn.rsrepeat.rsselect.rsskip.rsskip_while.rssplit.rstake.rstake_while.rsthen.rsunfold.rswait.rszip.rs

sync

mpsc

mod.rsqueue.rs

bilock.rsmod.rsoneshot.rs

task_impl

std

data.rsmod.rstask_rc.rsunpark_mutex.rs

atomic_task.rscore.rsmod.rs

unsync

mod.rsmpsc.rsoneshot.rs

executor.rslib.rslock.rspoll.rsresultstream.rstask.rs

getrandom

error.rserror_impls.rslib.rslinux_android.rsuse_file.rsutil.rsutil_libc.rs

glob

lib.rs

hid_io

api

mod.rs

device

debug

mod.rs

hidusb

mod.rs

mod.rs

module

unicode

mod.rsx11.rs

mod.rs

protocol

hidio

mod.rs

mod.rs

lib.rs

hidapi

error.rsffi.rslib.rs

install_service

install_service.rs

iovec

sys

mod.rsunix.rs

lib.rsunix.rs

lazy_static

inline_lazy.rslib.rs

libc

unix

linux_like

linux

gnu

b64

x86_64

mod.rsnot_x32.rs

mod.rs

align.rsmod.rs

align.rsmod.rs

mod.rs

align.rsmod.rs

fixed_width_ints.rslib.rsmacros.rs

lock_api

lib.rsmutex.rsremutex.rsrwlock.rs

log

lib.rsmacros.rs

memchr

x86

avx.rsmod.rssse2.rs

fallback.rsiter.rslib.rsnaive.rs

memoffset

lib.rsoffset_of.rsspan_of.rs

mio

deprecated

event_loop.rshandler.rsio.rsmod.rsnotify.rsunix.rs

net

mod.rstcp.rsudp.rs

sys

unix

awakener.rsdlsym.rsepoll.rseventedfd.rsio.rsmod.rsready.rstcp.rsudp.rsuds.rsuio.rs

mod.rs

channel.rsevent_imp.rsio.rslazycell.rslib.rspoll.rstimer.rstoken.rsudp.rs

mio_uds

datagram.rslib.rslistener.rssocket.rsstream.rs

nanoid

alphabet.rsgenerator.rslib.rsrandom.rs

net2

sys

unix

impls.rsmod.rs

ext.rslib.rssocket.rstcp.rsudp.rsunix.rsutils.rs

nix

net

if_.rsmod.rs

sys

ioctl

linux.rsmod.rs

ptrace

linux.rsmod.rs

socket

addr.rsmod.rssockopt.rs

aio.rsepoll.rseventfd.rsinotify.rsmemfd.rsmman.rsmod.rspthread.rsquota.rsreboot.rsselect.rssendfile.rssignal.rssignalfd.rsstat.rsstatfs.rsstatvfs.rssysinfo.rstermios.rstime.rsuio.rsutsname.rswait.rs

dir.rserrno.rsfcntl.rsfeatures.rsifaddrs.rskmod.rslib.rsmacros.rsmount.rsmqueue.rspoll.rspty.rssched.rsucontext.rsunistd.rs

nodrop

lib.rs

num_cpus

lib.rs

num_integer

lib.rsroots.rs

num_traits

ops

checked.rsinv.rsmod.rsmul_add.rssaturating.rswrapping.rs

bounds.rscast.rsfloat.rsidentities.rsint.rslib.rsmacros.rspow.rssign.rs

open

lib.rs

parking_lot

condvar.rsdeadlock.rselision.rslib.rsmutex.rsonce.rsraw_mutex.rsraw_rwlock.rsremutex.rsrwlock.rsutil.rs

parking_lot_core

thread_parker

linux.rsmod.rs

lib.rsparking_lot.rsspinwait.rsutil.rsword_lock.rs

pem

errors.rslib.rs

ppv_lite86

x86_64

mod.rssse2.rs

lib.rssoft.rstypes.rs

proc_macro2

fallback.rslib.rsstrnom.rswrapper.rs

quote

ext.rsformat.rsident_fragment.rslib.rsruntime.rsspanned.rsto_tokens.rs

rand

distributions

weighted

alias_method.rsmod.rs

bernoulli.rsbinomial.rscauchy.rsdirichlet.rsexponential.rsfloat.rsgamma.rsinteger.rsmod.rsnormal.rsother.rspareto.rspoisson.rstriangular.rsuniform.rsunit_circle.rsunit_sphere.rsutils.rsweibull.rsziggurat_tables.rs

rngs

adapter

mod.rsread.rsreseeding.rs

entropy.rsmock.rsmod.rsstd.rsthread.rs

seq

index.rsmod.rs

lib.rsprelude.rs

rand_chacha

chacha.rslib.rs

rand_core

block.rserror.rsimpls.rsle.rslib.rsos.rs

rand_hc

hc128.rslib.rs

rand_isaac

isaac.rsisaac64.rsisaac_array.rslib.rs

rand_jitter

dummy_log.rserror.rslib.rsplatform.rs

rand_os

dummy_log.rslib.rslinux_android.rsrandom_device.rs

rand_pcg

lib.rspcg128.rspcg64.rs

rand_xorshift

lib.rs

rcgen

lib.rs

regex

literal

imp.rsmod.rs

backtrack.rscache.rscompile.rsdfa.rserror.rsexec.rsexpand.rsfind_byte.rsfreqs.rsinput.rslib.rspikevm.rsprog.rsre_builder.rsre_bytes.rsre_set.rsre_trait.rsre_unicode.rssparse.rsutf8.rs

regex_syntax

ast

mod.rsparse.rsprint.rsvisitor.rs

hir

literal

mod.rs

interval.rsmod.rsprint.rstranslate.rsvisitor.rs

unicode_tables

age.rscase_folding_simple.rsgeneral_category.rsgrapheme_cluster_break.rsmod.rsperl_word.rsproperty_bool.rsproperty_names.rsproperty_values.rsscript.rsscript_extension.rssentence_break.rsword_break.rs

either.rserror.rslib.rsparser.rsunicode.rsutf8.rs

remove_dir_all

lib.rs

ring

aead

aes.rsaes_gcm.rsblock.rschacha.rschacha20_poly1305.rschacha20_poly1305_openssh.rsgcm.rsnonce.rspoly1305.rsquic.rsshift.rs

arithmetic

bigint.rsconstant.rsmontgomery.rs

digest

sha1.rssha2.rs

ec

curve25519

ed25519

signing.rsverification.rs

ed25519.rsops.rsscalar.rsx25519.rs

suite_b

ecdsa

digest_scalar.rssigning.rsverification.rs

ops

elem.rsp256.rsp384.rs

curve.rsecdh.rsecdsa.rsops.rsprivate_key.rspublic_key.rs

curve25519.rskeys.rssuite_b.rs

io

der.rsder_writer.rspositive.rswriter.rs

polyfill

convert.rs

rsa

padding.rssigning.rsverification.rs

aead.rsagreement.rsarithmetic.rsbits.rsbssl.rsc.rsconstant_time.rscpu.rsdebug.rsdigest.rsec.rsendian.rserror.rshkdf.rshmac.rsio.rslib.rslimb.rspbkdf2.rspkcs8.rspolyfill.rsrand.rsrsa.rssignature.rstest.rs

rustc_demangle

legacy.rslib.rsv0.rs

rustls

client

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

msgs

alert.rsbase.rsccs.rscodec.rsdeframer.rsenums.rsfragmenter.rshandshake.rshsjoiner.rsmacros.rsmessage.rsmod.rspersist.rs

server

common.rshandy.rshs.rsmod.rstls12.rstls13.rs

anchors.rsbs_debug.rscipher.rserror.rshandshake.rshash_hs.rskey.rskey_schedule.rskeylog.rslib.rspemfile.rsprf.rsrand.rssession.rssign.rsstream.rssuites.rsticketer.rsutil.rsvecbuf.rsverify.rsx509.rs

scoped_tls

lib.rs

scopeguard

lib.rs

sct

lib.rs

serde

de

from_primitive.rsignored_any.rsimpls.rsmod.rsutf8.rsvalue.rs

private

de.rsmacros.rsmod.rsser.rs

ser

impls.rsimpossible.rsmod.rs

export.rsinteger128.rslib.rsmacros.rs

slab

lib.rs

smallvec

lib.rs

spin

lib.rsmutex.rsonce.rsrw_lock.rs

stream_cancel

combinator.rslib.rswrapper.rs

strsim

lib.rs

syn

gen

gen_helper.rsvisit.rs

attr.rsbigint.rsbuffer.rscustom_keyword.rscustom_punctuation.rsdata.rsderive.rsdiscouraged.rserror.rsexport.rsexpr.rsext.rsfile.rsgenerics.rsgroup.rsident.rsitem.rslib.rslifetime.rslit.rslookahead.rsmac.rsmacros.rsop.rsparse.rsparse_macro_input.rsparse_quote.rspat.rspath.rsprint.rspunctuated.rssealed.rsspan.rsspanned.rsstmt.rsthread.rstoken.rstt.rsty.rs

synstructure

lib.rsmacros.rs

tempfile

file

imp

mod.rsunix.rs

mod.rs

dir.rserror.rslib.rsspooled.rsutil.rs

textwrap

indentation.rslib.rssplitting.rs

thread_local

lib.rsthread_id.rsunreachable.rs

time

display.rsduration.rslib.rsparse.rssys.rs

tokio

codec

length_delimited.rsmod.rs

executor

current_thread

mod.rs

mod.rs

reactor

mod.rspoll_evented.rs

runtime

current_thread

builder.rsmod.rsruntime.rs

threadpool

builder.rsmod.rsshutdown.rstask_executor.rs

mod.rs

util

enumerate.rsfuture.rsmod.rsstream.rs

clock.rsfs.rsio.rslib.rsnet.rsprelude.rssync.rstimer.rs

tokio_codec

bytes_codec.rslib.rslines_codec.rs

tokio_core

io

copy.rsflush.rsframe.rsmod.rsread.rsread_exact.rsread_to_end.rsread_until.rssplit.rswindow.rswrite_all.rs

net

udp

frame.rsmod.rs

mod.rstcp.rs

reactor

interval.rsmod.rspoll_evented.rspoll_evented2.rstimeout.rs

lib.rs

tokio_current_thread

lib.rsscheduler.rs

tokio_executor

enter.rserror.rsexecutor.rsglobal.rslib.rspark.rstyped.rs

tokio_fs

file

clone.rscreate.rsmetadata.rsmod.rsopen.rsopen_options.rsseek.rs

os

mod.rsunix.rs

create_dir.rscreate_dir_all.rshard_link.rslib.rsmetadata.rsread.rsread_dir.rsread_link.rsremove_dir.rsremove_file.rsrename.rsset_permissions.rsstderr.rsstdin.rsstdout.rssymlink_metadata.rswrite.rs

tokio_io

_tokio_codec

decoder.rsencoder.rsframed.rsframed_read.rsframed_write.rsmod.rs

codec

bytes_codec.rsdecoder.rsencoder.rslines_codec.rsmod.rs

io

copy.rsflush.rsmod.rsread.rsread_exact.rsread_to_end.rsread_until.rsshutdown.rswrite_all.rs

allow_std.rsasync_read.rsasync_write.rsframed.rsframed_read.rsframed_write.rslength_delimited.rslib.rslines.rssplit.rswindow.rs

tokio_reactor

background.rslib.rspoll_evented.rsregistration.rssharded_rwlock.rs

tokio_rustls

common

mod.rsvecbuf.rs

client.rslib.rsserver.rs

tokio_sync

mpsc

block.rsbounded.rschan.rslist.rsmod.rsunbounded.rs

task

atomic_task.rsmod.rs

lib.rslock.rsloom.rsoneshot.rssemaphore.rswatch.rs

tokio_tcp

incoming.rslib.rslistener.rsstream.rs

tokio_threadpool

park

boxed.rsdefault_park.rsmod.rs

pool

backup.rsbackup_stack.rsmod.rsstate.rs

task

blocking.rsblocking_state.rsmod.rsstate.rs

worker

entry.rsmod.rsstack.rsstate.rs

blocking.rsbuilder.rscallback.rsconfig.rslib.rsnotifier.rssender.rsshutdown.rsthread_pool.rs

tokio_timer

clock

clock.rsmod.rsnow.rs

timer

atomic_stack.rsentry.rshandle.rsmod.rsnow.rsregistration.rsstack.rs

wheel

level.rsmod.rsstack.rs

atomic.rsdeadline.rsdelay.rsdelay_queue.rserror.rsinterval.rslib.rsthrottle.rstimeout.rs

tokio_udp

frame.rslib.rsrecv_dgram.rssend_dgram.rssocket.rs

tokio_uds

datagram.rsframe.rsincoming.rslib.rslistener.rsrecv_dgram.rssend_dgram.rsstream.rsucred.rs

unicode_width

lib.rstables.rs

unicode_xid

lib.rstables.rs

untrusted

untrusted.rs

vec_map

lib.rs

void

lib.rs

webpki

calendar.rscert.rsder.rserror.rsname.rssigned_data.rstime.rstrust_anchor_util.rsverify_cert.rswebpki.rs

windows_service

lib.rs

x11

dpms.rsglx.rsinternal.rskeysym.rslib.rslink.rsxcursor.rsxf86vmode.rsxfixes.rsxft.rsxinerama.rsxinput.rsxinput2.rsxlib.rsxlib_xcb.rsxmd.rsxmu.rsxrandr.rsxrecord.rsxrender.rsxss.rsxt.rsxtest.rs

xcb

ffi

base.rsbig_requests.rsxc_misc.rsxkb.rsxproto.rs

base.rsbig_requests.rslib.rsxc_misc.rsxkb.rsxproto.rs

xkbcommon

xkb

x11

ffi.rsmod.rs

compose.rsffi.rskeysyms.rsmod.rs

lib.rs

yasna

deserializer

mod.rs

models

der.rsmod.rsoid.rstime.rs

reader

error.rsmod.rs

serializer

mod.rs

tags

mod.rs

writer

mod.rs

lib.rs

>

/// Key schedule maintenance for TLS1.3

use ring::{aead, hkdf::{self, KeyType as _}, hmac, digest};
use crate::error::TLSError;
use crate::cipher::{Iv, IvLen};
use crate::msgs::base::PayloadU8;
use crate::KeyLog;

/// The kinds of secret we can extract from `KeySchedule`.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SecretKind {
    ResumptionPSKBinderKey,
    ClientEarlyTrafficSecret,
    ClientHandshakeTrafficSecret,
    ServerHandshakeTrafficSecret,
    ClientApplicationTrafficSecret,
    ServerApplicationTrafficSecret,
    ExporterMasterSecret,
    ResumptionMasterSecret,
    DerivedSecret,
}

impl SecretKind {
    fn to_bytes(self) -> &'static [u8] {
        match self {
            SecretKind::ResumptionPSKBinderKey => b"res binder",
            SecretKind::ClientEarlyTrafficSecret => b"c e traffic",
            SecretKind::ClientHandshakeTrafficSecret => b"c hs traffic",
            SecretKind::ServerHandshakeTrafficSecret => b"s hs traffic",
            SecretKind::ClientApplicationTrafficSecret => b"c ap traffic",
            SecretKind::ServerApplicationTrafficSecret => b"s ap traffic",
            SecretKind::ExporterMasterSecret => b"exp master",
            SecretKind::ResumptionMasterSecret => b"res master",
            SecretKind::DerivedSecret => b"derived",
        }
    }

    fn log_label(self) -> Option<&'static str> {
        use self::SecretKind::*;
        Some(match self {
            ClientEarlyTrafficSecret => "CLIENT_EARLY_TRAFFIC_SECRET",
            ClientHandshakeTrafficSecret => "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
            ServerHandshakeTrafficSecret => "SERVER_HANDSHAKE_TRAFFIC_SECRET",
            ClientApplicationTrafficSecret => "CLIENT_TRAFFIC_SECRET_0",
            ServerApplicationTrafficSecret => "SERVER_TRAFFIC_SECRET_0",
            ExporterMasterSecret => "EXPORTER_SECRET",
            _ => { return None; }
        })
    }
}

/// This is the TLS1.3 key schedule.  It stores the current secret,
/// the type of hash, plus the two current traffic keys which form their
/// own lineage of keys over successive key updates.
pub struct KeySchedule {
    current: hkdf::Prk,
    algorithm: ring::hkdf::Algorithm,
    pub current_client_traffic_secret: Option<hkdf::Prk>,
    pub current_server_traffic_secret: Option<hkdf::Prk>,
    pub current_exporter_secret: Option<hkdf::Prk>,
}

impl KeySchedule {
    pub fn new(algorithm: hkdf::Algorithm, secret: &[u8]) -> KeySchedule {
        let zeroes = [0u8; digest::MAX_OUTPUT_LEN];
        let zeroes = &zeroes[..algorithm.len()];
        let salt = hkdf::Salt::new(algorithm, &zeroes);
        KeySchedule {
            current: salt.extract(secret),
            algorithm,
            current_server_traffic_secret: None,
            current_client_traffic_secret: None,
            current_exporter_secret: None,
        }
    }

    #[inline]
    pub fn algorithm(&self) -> hkdf::Algorithm { self.algorithm }

    pub fn new_with_empty_secret(algorithm: hkdf::Algorithm) -> KeySchedule {
        let zeroes = [0u8; digest::MAX_OUTPUT_LEN];
        Self::new(algorithm, &zeroes[..algorithm.len()])
    }

    /// Input the empty secret.
    pub fn input_empty(&mut self) {
        let zeroes = [0u8; digest::MAX_OUTPUT_LEN];
        self.input_secret(&zeroes[..self.algorithm.len()]);
    }

    /// Input the given secret.
    pub fn input_secret(&mut self, secret: &[u8]) {
        let salt: hkdf::Salt = self.derive_for_empty_hash(SecretKind::DerivedSecret);
        self.current = salt.extract(secret);
    }

    /// Derive a secret of given `kind`, using current handshake hash `hs_hash`.
    pub fn derive<T, L>(&self, key_type: L, kind: SecretKind, hs_hash: &[u8]) -> T
        where
            T: for <'a> From<hkdf::Okm<'a, L>>,
            L: hkdf::KeyType,
    {
        hkdf_expand(&self.current, key_type, kind.to_bytes(), hs_hash)
    }

    pub fn derive_logged_secret(&self, kind: SecretKind, hs_hash: &[u8],
                                key_log: &dyn KeyLog, client_random: &[u8; 32])
        -> hkdf::Prk
    {
        let log_label = kind.log_label().expect("not a loggable secret");
        if key_log.will_log(log_label) {
            let secret = self.derive::<PayloadU8, _>(PayloadU8Len(self.algorithm.len()), kind, hs_hash)
                .into_inner();
            key_log.log(log_label, client_random, &secret);
        }
        self.derive(self.algorithm, kind, hs_hash)
    }

    /// Derive a secret of given `kind` using the hash of the empty string
    /// for the handshake hash.  Useful only for
    /// `SecretKind::ResumptionPSKBinderKey` and
    /// `SecretKind::DerivedSecret`.
    pub fn derive_for_empty_hash<T>(&self, kind: SecretKind) -> T
        where
            T: for <'a> From<hkdf::Okm<'a, hkdf::Algorithm>>
    {
        let digest_alg = self.algorithm.hmac_algorithm().digest_algorithm();
        let empty_hash = digest::digest(digest_alg, &[]);
        self.derive(self.algorithm, kind, empty_hash.as_ref())
    }

    /// Return the current traffic secret, of given `kind`.
    fn current_traffic_secret(&self, kind: SecretKind) -> &hkdf::Prk {
        match kind {
            SecretKind::ServerHandshakeTrafficSecret |
            SecretKind::ServerApplicationTrafficSecret =>
                &self.current_server_traffic_secret.as_ref().unwrap(),
            SecretKind::ClientEarlyTrafficSecret |
            SecretKind::ClientHandshakeTrafficSecret |
            SecretKind::ClientApplicationTrafficSecret =>
                &self.current_client_traffic_secret.as_ref().unwrap(),
            _ => unreachable!(),
        }
    }

    /// Sign the finished message consisting of `hs_hash` using the current
    /// traffic secret.
    pub fn sign_finish(&self, kind: SecretKind, hs_hash: &[u8]) -> Vec<u8> {
        let base_key = self.current_traffic_secret(kind);
        self.sign_verify_data(base_key, hs_hash)
    }

    /// Sign the finished message consisting of `hs_hash` using the key material
    /// `base_key`.
    pub fn sign_verify_data(&self, base_key: &hkdf::Prk, hs_hash: &[u8]) -> Vec<u8> {
        let hmac_alg = self.algorithm.hmac_algorithm();
        let hmac_key = hkdf_expand(base_key, hmac_alg, b"finished", &[]);
        hmac::sign(&hmac_key, hs_hash)
            .as_ref()
            .to_vec()
    }

    /// Derive the next application traffic secret of given `kind`, returning
    /// it.
    pub fn derive_next(&self, kind: SecretKind) -> hkdf::Prk {
        let base_key = self.current_traffic_secret(kind);
        hkdf_expand(&base_key, self.algorithm, b"traffic upd", &[])
    }

    /// Derive the PSK to use given a resumption_master_secret and
    /// ticket_nonce.
    pub fn derive_ticket_psk(&self, rms: &hkdf::Prk, nonce: &[u8]) -> Vec<u8> {
        let payload: PayloadU8 = hkdf_expand(rms, PayloadU8Len(self.algorithm.len()), b"resumption", nonce);
        payload.into_inner()
    }

    pub fn export_keying_material(&self, out: &mut [u8],
                                  label: &[u8],
                                  context: Option<&[u8]>) -> Result<(), TLSError> {
        let current_exporter_secret =
            self.current_exporter_secret.as_ref().ok_or(TLSError::HandshakeNotComplete)?;
        let digest_alg = self.algorithm.hmac_algorithm().digest_algorithm();

        let h_empty = digest::digest(digest_alg, &[]);
        let secret: hkdf::Prk =
            hkdf_expand(current_exporter_secret, self.algorithm, label, h_empty.as_ref());

        let h_context = digest::digest(digest_alg, context.unwrap_or(&[]));

        // TODO: Test what happens when this fails
        hkdf_expand_info(&secret, PayloadU8Len(out.len()), b"exporter", h_context.as_ref(),
                         |okm| okm.fill(out))
            .map_err(|_| TLSError::General("exporting too much".to_string()))
    }
}

pub(crate) fn hkdf_expand<T, L>(secret: &hkdf::Prk, key_type: L, label: &[u8], context: &[u8]) -> T
    where
        T: for <'a> From<hkdf::Okm<'a, L>>,
        L: hkdf::KeyType,
{
    hkdf_expand_info(secret, key_type, label, context, |okm| okm.into())
}

fn hkdf_expand_info<F, T, L>(secret: &hkdf::Prk, key_type: L, label: &[u8], context: &[u8], f: F)
        -> T
    where
        F: for<'b> FnOnce(hkdf::Okm<'b, L>) -> T,
        L: hkdf::KeyType
{
    const LABEL_PREFIX: &[u8] = b"tls13 ";

    let output_len = u16::to_be_bytes(key_type.len() as u16);
    let label_len = u8::to_be_bytes((LABEL_PREFIX.len() + label.len()) as u8);
    let context_len = u8::to_be_bytes(context.len() as u8);

    let info = &[&output_len[..], &label_len[..], LABEL_PREFIX, label, &context_len[..], context];
    let okm = secret.expand(info, key_type).unwrap();

    f(okm)
}

pub(crate) struct PayloadU8Len(pub(crate) usize);
impl hkdf::KeyType for PayloadU8Len {
    fn len(&self) -> usize { self.0 }
}

impl From<hkdf::Okm<'_, PayloadU8Len>> for PayloadU8 {
    fn from(okm: hkdf::Okm<PayloadU8Len>) -> Self {
        let mut r = vec![0u8;okm.len().0];
        okm.fill(&mut r[..]).unwrap();
        PayloadU8::new(r)
    }
}

pub fn derive_traffic_key(secret: &hkdf::Prk, aead_algorithm: &'static aead::Algorithm)
    -> aead::UnboundKey
{
    hkdf_expand(secret, aead_algorithm, b"key", &[])
}

pub(crate) fn derive_traffic_iv(secret: &hkdf::Prk) -> Iv {
    hkdf_expand(secret, IvLen, b"iv", &[])
}

#[cfg(test)]
mod test {
    use super::{KeySchedule, SecretKind, derive_traffic_key, derive_traffic_iv};
    use ring::{aead, hkdf};
    use crate::KeyLog;

    #[test]
    fn test_vectors() {
        /* These test vectors generated with OpenSSL. */
        let hs_start_hash = [
            0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
            0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
            0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
        ];

        let hs_full_hash = [
            0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
            0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
            0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2
        ];

        let ecdhe_secret = [
            0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
            0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
            0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
        ];

        let client_hts = [
            0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
            0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
            0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
        ];

        let client_hts_key = [
            0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
            0x95, 0x85, 0xa7
        ];

        let client_hts_iv = [
            0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
        ];

        let server_hts = [
            0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
            0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
            0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
        ];

        let server_hts_key = [
            0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
            0xbc, 0xbc, 0x54
        ];

        let server_hts_iv = [
            0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
        ];

        let client_ats = [
            0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
            0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
            0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
        ];

        let client_ats_key = [
            0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
            0xd7, 0x57, 0x2e
        ];

        let client_ats_iv = [
            0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
        ];

        let server_ats = [
            0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
            0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
            0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
        ];

        let server_ats_key = [
            0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
            0xe6, 0x2b, 0xb3
        ];

        let server_ats_iv = [
            0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
        ];

        let hkdf = hkdf::HKDF_SHA256;
        let mut ks = KeySchedule::new_with_empty_secret(hkdf);
        ks.input_secret(&ecdhe_secret);

        assert_traffic_secret(
            &ks,
            SecretKind::ClientHandshakeTrafficSecret,
            &hs_start_hash,
            &client_hts,
            &client_hts_key,
        &client_hts_iv);

        assert_traffic_secret(
            &ks,
            SecretKind::ServerHandshakeTrafficSecret,
            &hs_start_hash,
            &server_hts,
            &server_hts_key,
            &server_hts_iv);

        ks.input_empty();

        assert_traffic_secret(
            &ks,
            SecretKind::ClientApplicationTrafficSecret,
            &hs_full_hash,
            &client_ats,
            &client_ats_key,
            &client_ats_iv);

        assert_traffic_secret(
            &ks,
            SecretKind::ServerApplicationTrafficSecret,
            &hs_full_hash,
            &server_ats,
            &server_ats_key,
            &server_ats_iv);
    }

    fn assert_traffic_secret(
        ks: &KeySchedule,
        kind: SecretKind,
        hash: &[u8],
        expected_traffic_secret: &[u8],
        expected_key: &[u8],
        expected_iv: &[u8],
    ) {
        struct Log<'a>(&'a [u8]);
        impl KeyLog for Log<'_> {
            fn log(&self, _label: &str, _client_random: &[u8], secret: &[u8]) {
                assert_eq!(self.0, secret);
            }
        }
        let log = Log(expected_traffic_secret);
        let traffic_secret = ks.derive_logged_secret(kind, &hash, &log, &[0; 32]);

        // Since we can't test key equality, we test the output of sealing with the key instead.
        let aead_alg = &aead::AES_128_GCM;
        let key = derive_traffic_key(&traffic_secret, aead_alg);
        let seal_output = seal_zeroes(key);
        let expected_key = aead::UnboundKey::new(aead_alg, expected_key).unwrap();
        let expected_seal_output = seal_zeroes(expected_key);
        assert_eq!(seal_output, expected_seal_output);
        assert!(seal_output.len() >= 48); // Sanity check.

        let iv = derive_traffic_iv(&traffic_secret);
        assert_eq!(iv.value(), expected_iv);
    }

    fn seal_zeroes(key: aead::UnboundKey) -> Vec<u8> {
        let key = aead::LessSafeKey::new(key);
        let mut seal_output = vec![0; 32];
        key.seal_in_place_append_tag(
            aead::Nonce::assume_unique_for_key([0; aead::NONCE_LEN]),
            aead::Aad::empty(),
            &mut seal_output)
            .unwrap();
        seal_output
    }
}