grpc 1.70.1 → 1.71.0

data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc

@@ -1,16 +1,16 @@
-/* Copyright 2016 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2016 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/ssl.h>
 
@@ -117,9 +117,8 @@ static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
   // 5). The client could have sent a session ID indicating its willingness to
   // resume a DTLS 1.2 session, so just checking that the session IDs match is
   // incorrect.
-  Span<const uint8_t> expected_session_id = SSL_is_dtls(hs->ssl)
-                                                ? Span<const uint8_t>()
-                                                : MakeConstSpan(hs->session_id);
+  Span<const uint8_t> expected_session_id =
+      SSL_is_dtls(hs->ssl) ? Span<const uint8_t>() : Span(hs->session_id);
 
   // RFC 8446 fixes some legacy values. Check them.
   if (out->legacy_version != expected_version ||  //
@@ -212,7 +211,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
       !ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(cipher),
-                                     ssl->config->tls13_cipher_policy)) {
+                                     ssl->config->compliance_policy)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
@@ -252,7 +251,8 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
 
   // The ECH extension, if present, was already parsed by
   // |check_ech_confirmation|.
-  SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),
+  SSLExtension cookie(TLSEXT_TYPE_cookie),
+      key_share(TLSEXT_TYPE_key_share, !hs->key_share_bytes.empty()),
       supported_versions(TLSEXT_TYPE_supported_versions),
       ech_unused(TLSEXT_TYPE_encrypted_client_hello,
                  hs->selected_ech_config || hs->config->ech_grease_enabled);
@@ -285,6 +285,10 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   }
 
   if (key_share.present) {
+    // If offering PAKE, we won't send key_share extensions, in which case we
+    // would have rejected key_share from the peer.
+    assert(!hs->pake_prover);
+
     uint16_t group_id;
     if (!CBS_get_u16(&key_share.data, &group_id) ||
         CBS_len(&key_share.data) != 0) {
@@ -422,12 +426,14 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
       ssl_session_get_type(ssl->session.get()) ==
           SSLSessionType::kPreSharedKey &&
       ssl->s3->ech_status != ssl_ech_rejected;
-  SSLExtension key_share(TLSEXT_TYPE_key_share),
+  SSLExtension key_share(TLSEXT_TYPE_key_share, hs->key_shares[0] != nullptr),
+      pake_share(TLSEXT_TYPE_pake, hs->pake_prover != nullptr),
       pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),
       supported_versions(TLSEXT_TYPE_supported_versions);
-  if (!ssl_parse_extensions(&server_hello.extensions, &alert,
-                            {&key_share, &pre_shared_key, &supported_versions},
-                            /*ignore_unknown=*/false)) {
+  if (!ssl_parse_extensions(
+          &server_hello.extensions, &alert,
+          {&key_share, &pre_shared_key, &supported_versions, &pake_share},
+          /*ignore_unknown=*/false)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
   }
@@ -443,6 +449,39 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // The combination of ServerHello extensions determines the kind of handshake
+  // that the server selected. Check for invalid combinations.
+
+  // pake replaces key_share and may not be used with pre_shared_key.
+  if (pake_share.present && (key_share.present || pre_shared_key.present)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
+    return ssl_hs_error;
+  }
+  // In PAKE mode, we require a PAKE handshake and do not support resumption.
+  if (hs->pake_prover != nullptr && !pake_share.present) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
+    return ssl_hs_error;
+  }
+  // In non-PAKE modes, we require per-connection forward secrecy and do not
+  // support psk_ke.
+  if (hs->pake_prover == nullptr && !key_share.present) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
+    return ssl_hs_error;
+  }
+  // The above imples only one of three handshake forms will be allowed. The
+  // checks for unsolicited extensions ensure the server did not select
+  // something we cannot respond to.
+  assert(
+      // Full handshake
+      (key_share.present && !pake_share.present && !pre_shared_key.present) ||
+      // PSK/resumption handshake
+      (key_share.present && !pake_share.present && pre_shared_key.present) ||
+      // PAKE handshake
+      (!key_share.present && pake_share.present && !pre_shared_key.present));
+
   alert = SSL_AD_DECODE_ERROR;
   if (pre_shared_key.present) {
     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
@@ -496,29 +535,34 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
   size_t hash_len = EVP_MD_size(
       ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
   if (!tls13_init_key_schedule(hs, ssl->s3->session_reused
-                                       ? MakeConstSpan(hs->new_session->secret)
-                                       : MakeConstSpan(kZeroes, hash_len))) {
+                                       ? Span(hs->new_session->secret)
+                                       : Span(kZeroes, hash_len))) {
     return ssl_hs_error;
   }
 
-  if (!key_share.present) {
-    // We do not support psk_ke and thus always require a key share.
-    OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
-    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
-    return ssl_hs_error;
-  }
-
-  // Resolve ECDHE and incorporate it into the secret.
-  Array<uint8_t> dhe_secret;
+  // Resolve ECDHE or PAKE and incorporate it into the secret.
+  Array<uint8_t> shared_secret;
   alert = SSL_AD_DECODE_ERROR;
-  if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
-                                           &key_share.data)) {
-    ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+  if (key_share.present) {
+    if (!ssl_ext_key_share_parse_serverhello(hs, &shared_secret, &alert,
+                                             &key_share.data)) {
+      ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+      return ssl_hs_error;
+    }
+  } else if (pake_share.present) {
+    if (!ssl_ext_pake_parse_serverhello(hs, &shared_secret, &alert,
+                                        &pake_share.data)) {
+      ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
+      return ssl_hs_error;
+    }
+  } else {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
     return ssl_hs_error;
   }
 
-  if (!tls13_advance_key_schedule(hs, dhe_secret) ||  //
-      !ssl_hash_message(hs, msg) ||                   //
+  if (!tls13_advance_key_schedule(hs, shared_secret) ||  //
+      !ssl_hash_message(hs, msg) ||                      //
       !tls13_derive_handshake_secrets(hs)) {
     return ssl_hs_error;
   }
@@ -582,8 +626,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
     }
-    if (MakeConstSpan(hs->early_session->early_alpn) !=
-        ssl->s3->alpn_selected) {
+    if (Span(hs->early_session->early_alpn) != ssl->s3->alpn_selected) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
       return ssl_hs_error;
@@ -640,6 +683,11 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
 
+  if (hs->pake_prover) {
+    hs->tls13_state = state_read_server_finished;
+    return ssl_hs_ok;
+  }
+
   SSLMessage msg;
   if (!ssl->method->get_message(ssl, &msg)) {
     return ssl_hs_read_message;
@@ -651,7 +699,6 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
 
-
   SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),
       ca(TLSEXT_TYPE_certificate_authorities);
   CBS body = msg.body, context, extensions, supported_signature_algorithms;
@@ -771,8 +818,8 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
       !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
       !ssl_hash_message(hs, msg) ||
       // Update the secret to the master secret and derive traffic keys.
-      !tls13_advance_key_schedule(
-          hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
+      !tls13_advance_key_schedule(hs,
+                                  Span(kZeroes, hs->transcript.DigestLen())) ||
       !tls13_derive_application_secrets(hs)) {
     return ssl_hs_error;
   }
@@ -905,6 +952,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
     }
     if (hs->credential == nullptr) {
       // The error from the last attempt is in the error queue.
+      assert(ERR_peek_error() != 0);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
       return ssl_hs_error;
     }

data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc

@@ -1,16 +1,16 @@
-/* Copyright 2016 The BoringSSL Authors
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+// Copyright 2016 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
 
 #include <openssl/ssl.h>
 
@@ -18,6 +18,7 @@
 #include <string.h>
 
 #include <algorithm>
+#include <string_view>
 #include <utility>
 
 #include <openssl/aead.h>
@@ -87,15 +88,11 @@ bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs,
          hkdf_extract_to_secret(hs, *transcript, session->secret);
 }
 
-static Span<const char> label_to_span(const char *label) {
-  return MakeConstSpan(label, strlen(label));
-}
-
 static bool hkdf_expand_label_with_prefix(Span<uint8_t> out,
                                           const EVP_MD *digest,
                                           Span<const uint8_t> secret,
-                                          Span<const uint8_t> label_prefix,
-                                          Span<const char> label,
+                                          std::string_view label_prefix,
+                                          std::string_view label,
                                           Span<const uint8_t> hash) {
   // This is a copy of CRYPTO_tls13_hkdf_expand_label, but modified to take an
   // arbitrary prefix for the label instead of using the hardcoded "tls13 "
@@ -108,7 +105,9 @@ static bool hkdf_expand_label_with_prefix(Span<uint8_t> out,
                 2 + 1 + label_prefix.size() + label.size() + 1 + hash.size()) ||
       !CBB_add_u16(&cbb, out.size()) ||
       !CBB_add_u8_length_prefixed(&cbb, &child) ||
-      !CBB_add_bytes(&child, label_prefix.data(), label_prefix.size()) ||
+      !CBB_add_bytes(&child,
+                     reinterpret_cast<const uint8_t *>(label_prefix.data()),
+                     label_prefix.size()) ||
       !CBB_add_bytes(&child, reinterpret_cast<const uint8_t *>(label.data()),
                      label.size()) ||
       !CBB_add_u8_length_prefixed(&cbb, &child) ||
@@ -126,14 +125,11 @@ static bool hkdf_expand_label_with_prefix(Span<uint8_t> out,
 
 static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest,
                               Span<const uint8_t> secret,
-                              Span<const char> label, Span<const uint8_t> hash,
+                              std::string_view label, Span<const uint8_t> hash,
                               bool is_dtls) {
   if (is_dtls) {
-    static const uint8_t kDTLS13LabelPrefix[] = "dtls13";
-    return hkdf_expand_label_with_prefix(
-        out, digest, secret,
-        MakeConstSpan(kDTLS13LabelPrefix, sizeof(kDTLS13LabelPrefix) - 1),
-        label, hash);
+    return hkdf_expand_label_with_prefix(out, digest, secret, "dtls13", label,
+                                         hash);
   }
   return CRYPTO_tls13_hkdf_expand_label(
              out.data(), out.size(), digest, secret.data(), secret.size(),
@@ -148,9 +144,9 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
   unsigned derive_context_len;
   return EVP_Digest(nullptr, 0, derive_context, &derive_context_len,
                     hs->transcript.Digest(), nullptr) &&
-         hkdf_expand_label(MakeSpan(hs->secret), hs->transcript.Digest(),
-                           hs->secret, label_to_span(kTLS13LabelDerived),
-                           MakeConstSpan(derive_context, derive_context_len),
+         hkdf_expand_label(Span(hs->secret), hs->transcript.Digest(),
+                           hs->secret, kTLS13LabelDerived,
+                           Span(derive_context, derive_context_len),
                            SSL_is_dtls(hs->ssl)) &&
          hkdf_extract_to_secret(hs, hs->transcript, in);
 }
@@ -161,7 +157,7 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) {
 // success and false on error.
 static bool derive_secret_with_transcript(
     const SSL_HANDSHAKE *hs, InplaceVector<uint8_t, SSL_MAX_MD_SIZE> *out,
-    const SSLTranscript &transcript, Span<const char> label) {
+    const SSLTranscript &transcript, std::string_view label) {
   uint8_t context_hash[EVP_MAX_MD_SIZE];
   size_t context_hash_len;
   if (!transcript.GetHash(context_hash, &context_hash_len)) {
@@ -169,14 +165,14 @@ static bool derive_secret_with_transcript(
   }
 
   out->ResizeForOverwrite(transcript.DigestLen());
-  return hkdf_expand_label(MakeSpan(*out), transcript.Digest(), hs->secret,
-                           label, MakeConstSpan(context_hash, context_hash_len),
+  return hkdf_expand_label(Span(*out), transcript.Digest(), hs->secret, label,
+                           Span(context_hash, context_hash_len),
                            SSL_is_dtls(hs->ssl));
 }
 
 static bool derive_secret(SSL_HANDSHAKE *hs,
                           InplaceVector<uint8_t, SSL_MAX_MD_SIZE> *out,
-                          Span<const char> label) {
+                          std::string_view label) {
   return derive_secret_with_transcript(hs, out, hs->transcript, label);
 }
 
@@ -203,12 +199,10 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,
 
     // Derive the key and IV.
     uint8_t key_buf[EVP_AEAD_MAX_KEY_LENGTH], iv_buf[EVP_AEAD_MAX_NONCE_LENGTH];
-    auto key = MakeSpan(key_buf).first(EVP_AEAD_key_length(aead));
-    auto iv = MakeSpan(iv_buf).first(EVP_AEAD_nonce_length(aead));
-    if (!hkdf_expand_label(key, digest, traffic_secret, label_to_span("key"),
-                           {}, is_dtls) ||
-        !hkdf_expand_label(iv, digest, traffic_secret, label_to_span("iv"), {},
-                           is_dtls)) {
+    auto key = Span(key_buf).first(EVP_AEAD_key_length(aead));
+    auto iv = Span(iv_buf).first(EVP_AEAD_nonce_length(aead));
+    if (!hkdf_expand_label(key, digest, traffic_secret, "key", {}, is_dtls) ||
+        !hkdf_expand_label(iv, digest, traffic_secret, "iv", {}, is_dtls)) {
       return false;
     }
 
@@ -338,9 +332,9 @@ UniquePtr<RecordNumberEncrypter> RecordNumberEncrypter::Create(
   }
 
   uint8_t rne_key_buf[RecordNumberEncrypter::kMaxKeySize];
-  auto rne_key = MakeSpan(rne_key_buf).first(ret->KeySize());
-  if (!hkdf_expand_label(rne_key, digest, traffic_secret, label_to_span("sn"),
-                         {}, /*is_dtls=*/true) ||
+  auto rne_key = Span(rne_key_buf).first(ret->KeySize());
+  if (!hkdf_expand_label(rne_key, digest, traffic_secret, "sn", {},
+                         /*is_dtls=*/true) ||
       !ret->SetKey(rne_key)) {
     return nullptr;
   }
@@ -362,9 +356,8 @@ bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
   const SSLTranscript &transcript = (!ssl->server && hs->selected_ech_config)
                                         ? hs->inner_transcript
                                         : hs->transcript;
-  if (!derive_secret_with_transcript(
-          hs, &hs->early_traffic_secret, transcript,
-          label_to_span(kTLS13LabelClientEarlyTraffic)) ||
+  if (!derive_secret_with_transcript(hs, &hs->early_traffic_secret, transcript,
+                                     kTLS13LabelClientEarlyTraffic) ||
       !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",
                       hs->early_traffic_secret)) {
     return false;
@@ -375,11 +368,11 @@ bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
 bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (!derive_secret(hs, &hs->client_handshake_secret,
-                     label_to_span(kTLS13LabelClientHandshakeTraffic)) ||
+                     kTLS13LabelClientHandshakeTraffic) ||
       !ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                       hs->client_handshake_secret) ||
       !derive_secret(hs, &hs->server_handshake_secret,
-                     label_to_span(kTLS13LabelServerHandshakeTraffic)) ||
+                     kTLS13LabelServerHandshakeTraffic) ||
       !ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                       hs->server_handshake_secret)) {
     return false;
@@ -391,15 +384,14 @@ bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
 bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (!derive_secret(hs, &hs->client_traffic_secret_0,
-                     label_to_span(kTLS13LabelClientApplicationTraffic)) ||
+                     kTLS13LabelClientApplicationTraffic) ||
       !ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",
                       hs->client_traffic_secret_0) ||
       !derive_secret(hs, &hs->server_traffic_secret_0,
-                     label_to_span(kTLS13LabelServerApplicationTraffic)) ||
+                     kTLS13LabelServerApplicationTraffic) ||
       !ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",
                       hs->server_traffic_secret_0) ||
-      !derive_secret(hs, &ssl->s3->exporter_secret,
-                     label_to_span(kTLS13LabelExporter)) ||
+      !derive_secret(hs, &ssl->s3->exporter_secret, kTLS13LabelExporter) ||
       !ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret)) {
     return false;
   }
@@ -411,13 +403,13 @@ static const char kTLS13LabelApplicationTraffic[] = "traffic upd";
 
 bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
   Span<uint8_t> secret = direction == evp_aead_open
-                             ? MakeSpan(ssl->s3->read_traffic_secret)
-                             : MakeSpan(ssl->s3->write_traffic_secret);
+                             ? Span(ssl->s3->read_traffic_secret)
+                             : Span(ssl->s3->write_traffic_secret);
 
   const SSL_SESSION *session = SSL_get_session(ssl);
   const EVP_MD *digest = ssl_session_get_digest(session);
   return hkdf_expand_label(secret, digest, secret,
-                           label_to_span(kTLS13LabelApplicationTraffic), {},
+                           kTLS13LabelApplicationTraffic, {},
                            SSL_is_dtls(ssl)) &&
          tls13_set_traffic_key(ssl, ssl_encryption_application, direction,
                                session, secret);
@@ -426,8 +418,7 @@ bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
 static const char kTLS13LabelResumption[] = "res master";
 
 bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
-  return derive_secret(hs, &hs->new_session->secret,
-                       label_to_span(kTLS13LabelResumption));
+  return derive_secret(hs, &hs->new_session->secret, kTLS13LabelResumption);
 }
 
 static const char kTLS13LabelFinished[] = "finished";
@@ -440,10 +431,10 @@ static bool tls13_verify_data(uint8_t *out, size_t *out_len,
                               Span<const uint8_t> secret,
                               Span<const uint8_t> context, bool is_dtls) {
   uint8_t key_buf[EVP_MAX_MD_SIZE];
-  auto key = MakeSpan(key_buf, EVP_MD_size(digest));
+  auto key = Span(key_buf, EVP_MD_size(digest));
   unsigned len;
-  if (!hkdf_expand_label(key, digest, secret,
-                         label_to_span(kTLS13LabelFinished), {}, is_dtls) ||
+  if (!hkdf_expand_label(key, digest, secret, kTLS13LabelFinished, {},
+                         is_dtls) ||
       HMAC(digest, key.data(), key.size(), context.data(), context.size(), out,
            &len) == nullptr) {
     return false;
@@ -462,7 +453,7 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
       !tls13_verify_data(out, out_len, hs->transcript.Digest(),
                          hs->ssl->s3->version, traffic_secret,
-                         MakeConstSpan(context_hash, context_hash_len),
+                         Span(context_hash, context_hash_len),
                          SSL_is_dtls(hs->ssl))) {
     return false;
   }
@@ -477,16 +468,15 @@ bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
   // The session initially stores the resumption_master_secret, which we
   // override with the PSK.
   assert(session->secret.size() == EVP_MD_size(digest));
-  return hkdf_expand_label(MakeSpan(session->secret), digest, session->secret,
-                           label_to_span(kTLS13LabelResumptionPSK), nonce,
-                           is_dtls);
+  return hkdf_expand_label(Span(session->secret), digest, session->secret,
+                           kTLS13LabelResumptionPSK, nonce, is_dtls);
 }
 
 static const char kTLS13LabelExportKeying[] = "exporter";
 
 bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
                                   Span<const uint8_t> secret,
-                                  Span<const char> label,
+                                  std::string_view label,
                                   Span<const uint8_t> context) {
   if (secret.empty()) {
     assert(0);
@@ -507,15 +497,14 @@ bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
     return false;
   }
 
-  auto hash = MakeConstSpan(hash_buf, hash_len);
-  auto export_context = MakeConstSpan(export_context_buf, export_context_len);
+  auto hash = Span(hash_buf, hash_len);
+  auto export_context = Span(export_context_buf, export_context_len);
   uint8_t derived_secret_buf[EVP_MAX_MD_SIZE];
-  auto derived_secret = MakeSpan(derived_secret_buf, EVP_MD_size(digest));
+  auto derived_secret = Span(derived_secret_buf, EVP_MD_size(digest));
   return hkdf_expand_label(derived_secret, digest, secret, label,
                            export_context, SSL_is_dtls(ssl)) &&
-         hkdf_expand_label(out, digest, derived_secret,
-                           label_to_span(kTLS13LabelExportKeying), hash,
-                           SSL_is_dtls(ssl));
+         hkdf_expand_label(out, digest, derived_secret, kTLS13LabelExportKeying,
+                           hash, SSL_is_dtls(ssl));
 }
 
 static const char kTLS13LabelPSKBinder[] = "res binder";
@@ -536,16 +525,16 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};
   size_t early_secret_len;
   uint8_t binder_key_buf[EVP_MAX_MD_SIZE] = {0};
-  auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest));
+  auto binder_key = Span(binder_key_buf, EVP_MD_size(digest));
   if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest,
                   nullptr) ||
       !HKDF_extract(early_secret, &early_secret_len, digest,
                     session->secret.data(), session->secret.size(), nullptr,
                     0) ||
-      !hkdf_expand_label(
-          binder_key, digest, MakeConstSpan(early_secret, early_secret_len),
-          label_to_span(kTLS13LabelPSKBinder),
-          MakeConstSpan(binder_context, binder_context_len), is_dtls)) {
+      !hkdf_expand_label(binder_key, digest,
+                         Span(early_secret, early_secret_len),
+                         kTLS13LabelPSKBinder,
+                         Span(binder_context, binder_context_len), is_dtls)) {
     return false;
   }
 
@@ -584,7 +573,7 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len,
   }
 
   if (!tls13_verify_data(out, out_len, digest, session->ssl_version, binder_key,
-                         MakeConstSpan(context, context_len), is_dtls)) {
+                         Span(context, context_len), is_dtls)) {
     return false;
   }
 
@@ -702,10 +691,9 @@ bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span<uint8_t> out,
 
   assert(out.size() == ECH_CONFIRMATION_SIGNAL_LEN);
   return hkdf_expand_label(
-      out, transcript.Digest(), MakeConstSpan(secret, secret_len),
-      is_hrr ? label_to_span("hrr ech accept confirmation")
-             : label_to_span("ech accept confirmation"),
-      MakeConstSpan(context, context_len), SSL_is_dtls(hs->ssl));
+      out, transcript.Digest(), Span(secret, secret_len),
+      is_hrr ? "hrr ech accept confirmation" : "ech accept confirmation",
+      Span(context, context_len), SSL_is_dtls(hs->ssl));
 }
 
 BSSL_NAMESPACE_END