TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / eef150418ff6885d9ece744f3ad146fca86a71bc / . / library / ssl_tls13_keys.c
blob: 555f9070e50e0445a6109f02f31b71bf14d65ef5 [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]24#include <stdint.h>
25#include <string.h>
26
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]27#include "mbedtls/hkdf.h"
28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
30
31#include "ssl_misc.h"
32#include "ssl_tls13_keys.h"
33
Hanno Becker1413bd82020-09-09 12:46:09 +0100[diff] [blame]34#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]35 .name = string,
36
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]37struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]38{
39 /* This seems to work in C, despite the string literal being one
40 * character too long due to the 0-termination. */
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]41 MBEDTLS_SSL_TLS1_3_LABEL_LIST
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]42};
43
Hanno Beckera3a5a4e2020-09-08 11:33:48 +0100[diff] [blame]44#undef MBEDTLS_SSL_TLS1_3_LABEL
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]45
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]46/*
47 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
48 *
49 * The HkdfLabel is specified in RFC 8446 as follows:
50 *
51 * struct HkdfLabel {
52 * uint16 length; // Length of expanded key material
53 * opaque label<7..255>; // Always prefixed by "tls13 "
54 * opaque context<0..255>; // Usually a communication transcript hash
55 * };
56 *
57 * Parameters:
58 * - desired_length: Length of expanded key material
59 * Even though the standard allows expansion to up to
60 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
61 * 255 Bytes, so we require `desired_length` to be at most
62 * 255. This allows us to save a few Bytes of code by
63 * hardcoding the writing of the high bytes.
64 * - (label, llen): label + label length, without "tls13 " prefix
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]65 * The label length MUST be less than or equal to
66 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
67 * It is the caller's responsibility to ensure this.
Hanno Becker815869a2020-09-08 11:16:16 +0100[diff] [blame]68 * All (label, label length) pairs used in TLS 1.3
69 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]70 * - (ctx, clen): context + context length
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]71 * The context length MUST be less than or equal to
72 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
73 * It is the caller's responsibility to ensure this.
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]74 * - dst: Target buffer for HkdfLabel structure,
75 * This MUST be a writable buffer of size
76 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
77 * - dlen: Pointer at which to store the actual length of
78 * the HkdfLabel structure on success.
79 */
80
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]81static const char tls1_3_label_prefix[6] = "tls13 ";
82
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]83#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]84 ( 2 /* expansion length */ \
85 + 1 /* label length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]86 + label_len \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]87 + 1 /* context length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]88 + context_len )
89
90#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
91 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]92 sizeof(tls1_3_label_prefix) + \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]93 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
94 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]95
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]96static void ssl_tls13_hkdf_encode_label(
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]97 size_t desired_length,
98 const unsigned char *label, size_t llen,
99 const unsigned char *ctx, size_t clen,
100 unsigned char *dst, size_t *dlen )
101{
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]102 size_t total_label_len =
103 sizeof(tls1_3_label_prefix) + llen;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]104 size_t total_hkdf_lbl_len =
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]105 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]106
107 unsigned char *p = dst;
108
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]109 /* Add the size of the expanded key material.
110 * We're hardcoding the high byte to 0 here assuming that we never use
111 * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
112#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]113#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]114 value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
115#endif
116
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]117 *p++ = 0;
Joe Subbiani2194dc42021-07-14 12:31:31 +0100[diff] [blame]118 *p++ = MBEDTLS_BYTE_0( desired_length );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]119
120 /* Add label incl. prefix */
Joe Subbiani2194dc42021-07-14 12:31:31 +0100[diff] [blame]121 *p++ = MBEDTLS_BYTE_0( total_label_len );
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]122 memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
123 p += sizeof(tls1_3_label_prefix);
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]124 memcpy( p, label, llen );
125 p += llen;
126
127 /* Add context value */
Joe Subbiani2194dc42021-07-14 12:31:31 +0100[diff] [blame]128 *p++ = MBEDTLS_BYTE_0( clen );
Hanno Becker00debc72020-09-08 11:12:24 +0100[diff] [blame]129 if( clen != 0 )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]130 memcpy( p, ctx, clen );
131
132 /* Return total length to the caller. */
133 *dlen = total_hkdf_lbl_len;
134}
135
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]136int mbedtls_ssl_tls13_hkdf_expand_label(
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]137 mbedtls_md_type_t hash_alg,
138 const unsigned char *secret, size_t slen,
139 const unsigned char *label, size_t llen,
140 const unsigned char *ctx, size_t clen,
141 unsigned char *buf, size_t blen )
142{
143 const mbedtls_md_info_t *md;
144 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
145 size_t hkdf_label_len;
146
147 if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
148 {
149 /* Should never happen since this is an internal
150 * function, and we know statically which labels
151 * are allowed. */
152 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
153 }
154
155 if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
156 {
157 /* Should not happen, as above. */
158 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
159 }
160
161 if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
162 {
163 /* Should not happen, as above. */
164 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
165 }
166
167 md = mbedtls_md_info_from_type( hash_alg );
168 if( md == NULL )
169 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
170
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]171 ssl_tls13_hkdf_encode_label( blen,
172 label, llen,
173 ctx, clen,
174 hkdf_label,
175 &hkdf_label_len );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]176
177 return( mbedtls_hkdf_expand( md,
178 secret, slen,
179 hkdf_label, hkdf_label_len,
180 buf, blen ) );
181}
182
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]183/*
184 * The traffic keying material is generated from the following inputs:
185 *
186 * - One secret value per sender.
187 * - A purpose value indicating the specific value being generated
188 * - The desired lengths of key and IV.
189 *
190 * The expansion itself is based on HKDF:
191 *
192 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
193 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
194 *
195 * [sender] denotes the sending side and the Secret value is provided
196 * by the function caller. Note that we generate server and client side
197 * keys in a single function call.
198 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]199int mbedtls_ssl_tls13_make_traffic_keys(
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]200 mbedtls_md_type_t hash_alg,
201 const unsigned char *client_secret,
202 const unsigned char *server_secret,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]203 size_t slen, size_t key_len, size_t iv_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]204 mbedtls_ssl_key_set *keys )
205{
206 int ret = 0;
207
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]208 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]209 client_secret, slen,
210 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
211 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]212 keys->client_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]213 if( ret != 0 )
214 return( ret );
215
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]216 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]217 server_secret, slen,
218 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
219 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]220 keys->server_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]221 if( ret != 0 )
222 return( ret );
223
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]224 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]225 client_secret, slen,
226 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
227 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]228 keys->client_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]229 if( ret != 0 )
230 return( ret );
231
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]232 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]233 server_secret, slen,
234 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
235 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]236 keys->server_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]237 if( ret != 0 )
238 return( ret );
239
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]240 keys->key_len = key_len;
241 keys->iv_len = iv_len;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]242
243 return( 0 );
244}
245
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]246int mbedtls_ssl_tls13_derive_secret(
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]247 mbedtls_md_type_t hash_alg,
248 const unsigned char *secret, size_t slen,
249 const unsigned char *label, size_t llen,
250 const unsigned char *ctx, size_t clen,
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]251 int ctx_hashed,
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]252 unsigned char *dstbuf, size_t buflen )
253{
254 int ret;
255 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
256
257 const mbedtls_md_info_t *md;
258 md = mbedtls_md_info_from_type( hash_alg );
259 if( md == NULL )
260 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
261
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]262 if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]263 {
264 ret = mbedtls_md( md, ctx, clen, hashed_context );
265 if( ret != 0 )
266 return( ret );
267 clen = mbedtls_md_get_size( md );
268 }
269 else
270 {
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]271 if( clen > sizeof(hashed_context) )
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]272 {
273 /* This should never happen since this function is internal
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]274 * and the code sets `ctx_hashed` correctly.
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]275 * Let's double-check nonetheless to not run at the risk
276 * of getting a stack overflow. */
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]277 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]278 }
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]279
280 memcpy( hashed_context, ctx, clen );
281 }
282
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]283 return( mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
284 secret, slen,
285 label, llen,
286 hashed_context, clen,
287 dstbuf, buflen ) );
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]288}
289
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]290int mbedtls_ssl_tls13_evolve_secret(
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]291 mbedtls_md_type_t hash_alg,
292 const unsigned char *secret_old,
293 const unsigned char *input, size_t input_len,
294 unsigned char *secret_new )
295{
296 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
297 size_t hlen, ilen;
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]298 unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
299 unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]300
301 const mbedtls_md_info_t *md;
302 md = mbedtls_md_info_from_type( hash_alg );
303 if( md == NULL )
304 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
305
306 hlen = mbedtls_md_get_size( md );
307
308 /* For non-initial runs, call Derive-Secret( ., "derived", "")
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]309 * on the old secret. */
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]310 if( secret_old != NULL )
311 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]312 ret = mbedtls_ssl_tls13_derive_secret(
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]313 hash_alg,
314 secret_old, hlen,
315 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
316 NULL, 0, /* context */
317 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]318 tmp_secret, hlen );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]319 if( ret != 0 )
320 goto cleanup;
321 }
322
323 if( input != NULL )
324 {
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]325 memcpy( tmp_input, input, input_len );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]326 ilen = input_len;
327 }
328 else
329 {
330 ilen = hlen;
331 }
332
333 /* HKDF-Extract takes a salt and input key material.
334 * The salt is the old secret, and the input key material
335 * is the input secret (PSK / ECDHE). */
336 ret = mbedtls_hkdf_extract( md,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]337 tmp_secret, hlen,
338 tmp_input, ilen,
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]339 secret_new );
340 if( ret != 0 )
341 goto cleanup;
342
343 ret = 0;
344
345 cleanup:
346
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]347 mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
348 mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]349 return( ret );
350}
351
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]352int mbedtls_ssl_tls13_derive_early_secrets(
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]353 mbedtls_md_type_t md_type,
354 unsigned char const *early_secret,
355 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]356 mbedtls_ssl_tls13_early_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]357{
358 int ret;
359 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
360 size_t const md_size = mbedtls_md_get_size( md_info );
361
362 /* We should never call this function with an unknown hash,
363 * but add an assertion anyway. */
364 if( md_info == 0 )
365 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
366
367 /*
368 * 0
369 * |
370 * v
371 * PSK -> HKDF-Extract = Early Secret
372 * |
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]373 * +-----> Derive-Secret(., "c e traffic", ClientHello)
374 * | = client_early_traffic_secret
375 * |
376 * +-----> Derive-Secret(., "e exp master", ClientHello)
377 * | = early_exporter_master_secret
378 * v
379 */
380
381 /* Create client_early_traffic_secret */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]382 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]383 early_secret, md_size,
384 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
385 transcript, transcript_len,
386 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
387 derived->client_early_traffic_secret,
388 md_size );
389 if( ret != 0 )
390 return( ret );
391
392 /* Create early exporter */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]393 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]394 early_secret, md_size,
395 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
396 transcript, transcript_len,
397 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
398 derived->early_exporter_master_secret,
399 md_size );
400 if( ret != 0 )
401 return( ret );
402
403 return( 0 );
404}
405
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]406int mbedtls_ssl_tls13_derive_handshake_secrets(
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]407 mbedtls_md_type_t md_type,
408 unsigned char const *handshake_secret,
409 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]410 mbedtls_ssl_tls13_handshake_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]411{
412 int ret;
413 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
414 size_t const md_size = mbedtls_md_get_size( md_info );
415
416 /* We should never call this function with an unknown hash,
417 * but add an assertion anyway. */
418 if( md_info == 0 )
419 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
420
421 /*
422 *
423 * Handshake Secret
424 * |
425 * +-----> Derive-Secret( ., "c hs traffic",
426 * | ClientHello...ServerHello )
427 * | = client_handshake_traffic_secret
428 * |
429 * +-----> Derive-Secret( ., "s hs traffic",
430 * | ClientHello...ServerHello )
431 * | = server_handshake_traffic_secret
432 *
433 */
434
435 /*
436 * Compute client_handshake_traffic_secret with
437 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
438 */
439
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]440 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]441 handshake_secret, md_size,
442 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
443 transcript, transcript_len,
444 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
445 derived->client_handshake_traffic_secret,
446 md_size );
447 if( ret != 0 )
448 return( ret );
449
450 /*
451 * Compute server_handshake_traffic_secret with
452 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
453 */
454
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]455 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]456 handshake_secret, md_size,
457 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
458 transcript, transcript_len,
459 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
460 derived->server_handshake_traffic_secret,
461 md_size );
462 if( ret != 0 )
463 return( ret );
464
465 return( 0 );
466}
467
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]468int mbedtls_ssl_tls13_derive_application_secrets(
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]469 mbedtls_md_type_t md_type,
470 unsigned char const *application_secret,
471 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]472 mbedtls_ssl_tls13_application_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]473{
474 int ret;
475 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
476 size_t const md_size = mbedtls_md_get_size( md_info );
477
478 /* We should never call this function with an unknown hash,
479 * but add an assertion anyway. */
480 if( md_info == 0 )
481 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
482
483 /* Generate {client,server}_application_traffic_secret_0
484 *
485 * Master Secret
486 * |
487 * +-----> Derive-Secret( ., "c ap traffic",
488 * | ClientHello...server Finished )
489 * | = client_application_traffic_secret_0
490 * |
491 * +-----> Derive-Secret( ., "s ap traffic",
492 * | ClientHello...Server Finished )
493 * | = server_application_traffic_secret_0
494 * |
495 * +-----> Derive-Secret( ., "exp master",
496 * | ClientHello...server Finished)
497 * | = exporter_master_secret
498 *
499 */
500
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]501 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]502 application_secret, md_size,
503 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
504 transcript, transcript_len,
505 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
506 derived->client_application_traffic_secret_N,
507 md_size );
508 if( ret != 0 )
509 return( ret );
510
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]511 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]512 application_secret, md_size,
513 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
514 transcript, transcript_len,
515 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
516 derived->server_application_traffic_secret_N,
517 md_size );
518 if( ret != 0 )
519 return( ret );
520
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]521 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]522 application_secret, md_size,
523 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
524 transcript, transcript_len,
525 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
526 derived->exporter_master_secret,
527 md_size );
528 if( ret != 0 )
529 return( ret );
530
531 return( 0 );
532}
533
534/* Generate resumption_master_secret for use with the ticket exchange.
535 *
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]536 * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets()
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]537 * because it uses the transcript hash up to and including ClientFinished. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]538int mbedtls_ssl_tls13_derive_resumption_master_secret(
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]539 mbedtls_md_type_t md_type,
540 unsigned char const *application_secret,
541 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]542 mbedtls_ssl_tls13_application_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]543{
544 int ret;
545 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
546 size_t const md_size = mbedtls_md_get_size( md_info );
547
548 /* We should never call this function with an unknown hash,
549 * but add an assertion anyway. */
550 if( md_info == 0 )
551 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]553 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]554 application_secret, md_size,
555 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
556 transcript, transcript_len,
557 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
558 derived->resumption_master_secret,
559 md_size );
560
561 if( ret != 0 )
562 return( ret );
563
564 return( 0 );
565}
566
XiaokangQiana4c99f22021-11-11 06:46:35 +0000[diff] [blame]567int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]568{
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]569 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]570 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
571 mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]572#if defined(MBEDTLS_DEBUG_C)
573 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
574 size_t const md_size = mbedtls_md_get_size( md_info );
575#endif /* MBEDTLS_DEBUG_C */
576
577 /*
578 * Compute MasterSecret
579 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]580 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]581 handshake->tls1_3_master_secrets.handshake,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]582 NULL, 0,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]583 handshake->tls1_3_master_secrets.app );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]584 if( ret != 0 )
585 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]586 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]587 return( ret );
588 }
589
590 MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret",
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]591 handshake->tls1_3_master_secrets.app, md_size );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]592
593 return( 0 );
594}
595
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]596static int ssl_tls13_calc_finished_core( mbedtls_md_type_t md_type,
597 unsigned char const *base_key,
598 unsigned char const *transcript,
599 unsigned char *dst )
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]600{
601 const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type );
602 size_t const md_size = mbedtls_md_get_size( md_info );
603 unsigned char finished_key[MBEDTLS_MD_MAX_SIZE];
604 int ret;
605
606 /* We should never call this function with an unknown hash,
607 * but add an assertion anyway. */
608 if( md_info == 0 )
609 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
610
611 /* TLS 1.3 Finished message
612 *
613 * struct {
614 * opaque verify_data[Hash.length];
615 * } Finished;
616 *
617 * verify_data =
618 * HMAC( finished_key,
619 * Hash( Handshake Context +
620 * Certificate* +
621 * CertificateVerify* )
622 * )
623 *
624 * finished_key =
625 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
626 */
627
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]628 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]629 md_type, base_key, md_size,
630 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ),
631 NULL, 0,
632 finished_key, md_size );
633 if( ret != 0 )
634 goto exit;
635
636 ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst );
637 if( ret != 0 )
638 goto exit;
639
640exit:
641
642 mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) );
643 return( ret );
644}
645
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]646int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]647 unsigned char* dst,
648 size_t dst_len,
649 size_t *actual_len,
650 int from )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]651{
XiaokangQiana7634982021-10-22 06:32:32 +0000[diff] [blame]652 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]653
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]654 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]655 size_t transcript_len;
656
657 unsigned char const *base_key = NULL;
658
659 mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
660 const mbedtls_md_info_t* const md = mbedtls_md_info_from_type( md_type );
661 size_t const md_size = mbedtls_md_get_size( md );
662
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]663 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]664
665 if( dst_len < md_size )
666 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
667
668 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
669 transcript, sizeof( transcript ),
670 &transcript_len );
671 if( ret != 0 )
672 {
673 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]674 goto exit;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]675 }
676 MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
677
678 if( from == MBEDTLS_SSL_IS_CLIENT )
XiaokangQianf26f6ad2021-10-28 05:50:31 +0000[diff] [blame]679 base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]680 else
XiaokangQianf26f6ad2021-10-28 05:50:31 +0000[diff] [blame]681 base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]682
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]683 ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]684 if( ret != 0 )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]685 goto exit;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]686 *actual_len = md_size;
687
688 MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]689 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]690
691exit:
692
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]693 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]694 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]695}
696
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]697int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]698 const mbedtls_md_type_t md_type,
699 unsigned char const *psk, size_t psk_len,
700 int psk_type,
701 unsigned char const *transcript,
702 unsigned char *result )
703{
704 int ret = 0;
705 unsigned char binder_key[MBEDTLS_MD_MAX_SIZE];
706 unsigned char early_secret[MBEDTLS_MD_MAX_SIZE];
707 mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type );
708 size_t const md_size = mbedtls_md_get_size( md_info );
709
Hanno Becker28e5f1e2021-05-26 09:29:49 +0100[diff] [blame]710#if !defined(MBEDTLS_DEBUG_C)
711 ssl = NULL; /* make sure we don't use it except for debug */
712 ((void) ssl);
713#endif
714
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]715 /* We should never call this function with an unknown hash,
716 * but add an assertion anyway. */
717 if( md_info == 0 )
718 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
719
720 /*
721 * 0
722 * |
723 * v
724 * PSK -> HKDF-Extract = Early Secret
725 * |
726 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
727 * | = binder_key
728 * v
729 */
730
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]731 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
732 NULL, /* Old secret */
733 psk, psk_len, /* Input */
734 early_secret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]735 if( ret != 0 )
736 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]737 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]738 goto exit;
739 }
740
741 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
742 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]743 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]744 early_secret, md_size,
745 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ),
746 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
747 binder_key, md_size );
748 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) );
749 }
750 else
751 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]752 ret = mbedtls_ssl_tls13_derive_secret( md_type,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]753 early_secret, md_size,
754 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ),
755 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
756 binder_key, md_size );
757 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) );
758 }
759
760 if( ret != 0 )
761 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]762 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_secret", ret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]763 goto exit;
764 }
765
766 /*
767 * The binding_value is computed in the same way as the Finished message
768 * but with the BaseKey being the binder_key.
769 */
770
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]771 ret = ssl_tls13_calc_finished_core( md_type, binder_key, transcript, result );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]772 if( ret != 0 )
773 goto exit;
774
775 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size );
776
777exit:
778
779 mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) );
780 mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) );
781 return( ret );
782}
783
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]784int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
785 int endpoint,
786 int ciphersuite,
787 mbedtls_ssl_key_set const *traffic_keys,
788 mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
789{
790 int ret;
791 mbedtls_cipher_info_t const *cipher_info;
792 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
793 unsigned char const *key_enc;
794 unsigned char const *iv_enc;
795 unsigned char const *key_dec;
796 unsigned char const *iv_dec;
797
798#if !defined(MBEDTLS_DEBUG_C)
799 ssl = NULL; /* make sure we don't use it except for those cases */
800 (void) ssl;
801#endif
802
803 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]804 if( ciphersuite_info == NULL )
805 {
806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
807 ciphersuite ) );
808 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
809 }
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]810
811 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
812 if( cipher_info == NULL )
813 {
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]814 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
815 ciphersuite_info->cipher ) );
Hanno Beckerf62a7302021-04-21 05:21:28 +0100[diff] [blame]816 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]817 }
818
819 /*
820 * Setup cipher contexts in target transform
821 */
822
823 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
824 cipher_info ) ) != 0 )
825 {
826 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
827 return( ret );
828 }
829
830 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
831 cipher_info ) ) != 0 )
832 {
833 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
834 return( ret );
835 }
836
837#if defined(MBEDTLS_SSL_SRV_C)
838 if( endpoint == MBEDTLS_SSL_IS_SERVER )
839 {
840 key_enc = traffic_keys->server_write_key;
841 key_dec = traffic_keys->client_write_key;
842 iv_enc = traffic_keys->server_write_iv;
843 iv_dec = traffic_keys->client_write_iv;
844 }
845 else
846#endif /* MBEDTLS_SSL_SRV_C */
847#if defined(MBEDTLS_SSL_CLI_C)
848 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
849 {
850 key_enc = traffic_keys->client_write_key;
851 key_dec = traffic_keys->server_write_key;
852 iv_enc = traffic_keys->client_write_iv;
853 iv_dec = traffic_keys->server_write_iv;
854 }
855 else
856#endif /* MBEDTLS_SSL_CLI_C */
857 {
858 /* should not happen */
859 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
860 }
861
862 memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
863 memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
864
865 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
866 key_enc, cipher_info->key_bitlen,
867 MBEDTLS_ENCRYPT ) ) != 0 )
868 {
869 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
870 return( ret );
871 }
872
873 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
874 key_dec, cipher_info->key_bitlen,
875 MBEDTLS_DECRYPT ) ) != 0 )
876 {
877 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
878 return( ret );
879 }
880
881 /*
882 * Setup other fields in SSL transform
883 */
884
885 if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
886 transform->taglen = 8;
887 else
888 transform->taglen = 16;
889
890 transform->ivlen = traffic_keys->iv_len;
891 transform->maclen = 0;
892 transform->fixed_ivlen = transform->ivlen;
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]893 transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
894
Hanno Beckeredd5bf02021-04-20 05:32:16 +0100[diff] [blame]895 /* We add the true record content type (1 Byte) to the plaintext and
896 * then pad to the configured granularity. The mimimum length of the
897 * type-extended and padded plaintext is therefore the padding
898 * granularity. */
899 transform->minlen =
Hanno Beckerdfba0652021-08-01 19:16:57 +0100[diff] [blame]900 transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
Hanno Beckeredd5bf02021-04-20 05:32:16 +0100[diff] [blame]901
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]902 return( 0 );
903}
904
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]905int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]906{
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]907 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
908 mbedtls_md_type_t md_type;
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]909 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu6ca7c7f2021-09-28 18:51:40 +0800[diff] [blame]910
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]911 if( handshake->ciphersuite_info == NULL )
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]912 {
913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) );
914 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
915 }
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]916
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]917 md_type = handshake->ciphersuite_info->mac;
Jerry Yue06f4532021-09-23 18:35:07 +0800[diff] [blame]918
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]919 ret = mbedtls_ssl_tls13_evolve_secret( md_type, NULL, NULL, 0,
920 handshake->tls1_3_master_secrets.early );
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]921 if( ret != 0 )
922 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]923 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]924 return( ret );
925 }
926
927 return( 0 );
928}
929
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]930/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]931 * protecting the handshake messages, as described in Section 7 of TLS 1.3. */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]932int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
933 mbedtls_ssl_key_set *traffic_keys )
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]934{
935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
936
937 mbedtls_md_type_t md_type;
938 mbedtls_md_info_t const *md_info;
939 size_t md_size;
940
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]941 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]942 size_t transcript_len;
943
944 mbedtls_cipher_info_t const *cipher_info;
945 size_t keylen, ivlen;
946
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]947 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
948 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]949 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets;
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]950
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]952
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]953 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]954 keylen = cipher_info->key_bitlen >> 3;
955 ivlen = cipher_info->iv_size;
956
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]957 md_type = ciphersuite_info->mac;
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]958 md_info = mbedtls_md_info_from_type( md_type );
959 md_size = mbedtls_md_get_size( md_info );
960
961 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
962 transcript,
963 sizeof( transcript ),
964 &transcript_len );
965 if( ret != 0 )
966 {
967 MBEDTLS_SSL_DEBUG_RET( 1,
968 "mbedtls_ssl_get_handshake_transcript",
969 ret );
970 return( ret );
971 }
972
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]973 ret = mbedtls_ssl_tls13_derive_handshake_secrets( md_type,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]974 handshake->tls1_3_master_secrets.handshake,
975 transcript, transcript_len, tls13_hs_secrets );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]976 if( ret != 0 )
977 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]978 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_handshake_secrets",
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]979 ret );
980 return( ret );
981 }
982
983 MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret",
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]984 tls13_hs_secrets->client_handshake_traffic_secret,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]985 md_size );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]986 MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret",
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]987 tls13_hs_secrets->server_handshake_traffic_secret,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]988 md_size );
989
990 /*
991 * Export client handshake traffic secret
992 */
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]993 if( ssl->f_export_keys != NULL )
994 {
995 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]996 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]997 tls13_hs_secrets->client_handshake_traffic_secret,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]998 md_size,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]999 handshake->randbytes + 32,
1000 handshake->randbytes,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1001 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1002
1003 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1004 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1005 tls13_hs_secrets->server_handshake_traffic_secret,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1006 md_size,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1007 handshake->randbytes + 32,
1008 handshake->randbytes,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1009 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1010 }
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1011
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1012 ret = mbedtls_ssl_tls13_make_traffic_keys( md_type,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1013 tls13_hs_secrets->client_handshake_traffic_secret,
1014 tls13_hs_secrets->server_handshake_traffic_secret,
1015 md_size, keylen, ivlen, traffic_keys );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1016 if( ret != 0 )
1017 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1019 goto exit;
1020 }
1021
1022 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key",
1023 traffic_keys->client_write_key,
1024 traffic_keys->key_len);
1025
1026 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key",
1027 traffic_keys->server_write_key,
1028 traffic_keys->key_len);
1029
1030 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv",
1031 traffic_keys->client_write_iv,
1032 traffic_keys->iv_len);
1033
1034 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv",
1035 traffic_keys->server_write_iv,
1036 traffic_keys->iv_len);
1037
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1038 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1039
1040exit:
1041
1042 return( ret );
1043}
1044
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1045int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1046{
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1047 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]1048 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1049 mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1050 size_t ephemeral_len = 0;
1051 unsigned char ecdhe[MBEDTLS_ECP_MAX_BYTES];
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1052#if defined(MBEDTLS_DEBUG_C)
1053 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
1054 size_t const md_size = mbedtls_md_get_size( md_info );
1055#endif /* MBEDTLS_DEBUG_C */
1056
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1057#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1058 /*
1059 * Compute ECDHE secret used to compute the handshake secret from which
1060 * client_handshake_traffic_secret and server_handshake_traffic_secret
1061 * are derived in the handshake secret derivation stage.
1062 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1063 if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) )
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1064 {
1065 if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
1066 {
1067#if defined(MBEDTLS_ECDH_C)
1068 ret = mbedtls_ecdh_calc_secret( &handshake->ecdh_ctx,
1069 &ephemeral_len, ecdhe, sizeof( ecdhe ),
1070 ssl->conf->f_rng,
1071 ssl->conf->p_rng );
1072 if( ret != 0 )
1073 {
1074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1075 return( ret );
1076 }
1077#endif /* MBEDTLS_ECDH_C */
1078 }
1079 else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) )
1080 {
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) );
1082 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1083 }
1084 }
1085#else
1086 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1087#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1088
1089 /*
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1090 * Compute the Handshake Secret
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1091 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1092 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]1093 handshake->tls1_3_master_secrets.early,
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1094 ecdhe, ephemeral_len,
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]1095 handshake->tls1_3_master_secrets.handshake );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1096 if( ret != 0 )
1097 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1098 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1099 return( ret );
1100 }
1101
1102 MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]1103 handshake->tls1_3_master_secrets.handshake, md_size );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1104
1105#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1106 mbedtls_platform_zeroize( ecdhe, sizeof( ecdhe ) );
1107#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1108 return( 0 );
1109}
1110
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1111/* Generate application traffic keys since any records following a 1-RTT Finished message
1112 * MUST be encrypted under the application traffic key.
1113 */
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1114int mbedtls_ssl_tls13_generate_application_keys(
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1115 mbedtls_ssl_context *ssl,
1116 mbedtls_ssl_key_set *traffic_keys )
1117{
XiaokangQiana7634982021-10-22 06:32:32 +0000[diff] [blame]1118 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1119 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1120
1121 /* Address at which to store the application secrets */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1122 mbedtls_ssl_tls13_application_secrets * const app_secrets =
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1123 &ssl->session_negotiate->app_secrets;
1124
1125 /* Holding the transcript up to and including the ServerFinished */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1126 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1127 size_t transcript_len;
1128
1129 /* Variables relating to the hash for the chosen ciphersuite. */
1130 mbedtls_md_type_t md_type;
1131 mbedtls_md_info_t const *md_info;
1132 size_t md_size;
1133
1134 /* Variables relating to the cipher for the chosen ciphersuite. */
1135 mbedtls_cipher_info_t const *cipher_info;
1136 size_t keylen, ivlen;
1137
1138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) );
1139
1140 /* Extract basic information about hash and ciphersuite */
1141
1142 cipher_info = mbedtls_cipher_info_from_type(
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1143 handshake->ciphersuite_info->cipher );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1144 keylen = cipher_info->key_bitlen / 8;
1145 ivlen = cipher_info->iv_size;
1146
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1147 md_type = handshake->ciphersuite_info->mac;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1148 md_info = mbedtls_md_info_from_type( md_type );
1149 md_size = mbedtls_md_get_size( md_info );
1150
1151 /* Compute current handshake transcript. It's the caller's responsiblity
1152 * to call this at the right time, that is, after the ServerFinished. */
1153
1154 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
1155 transcript, sizeof( transcript ),
1156 &transcript_len );
1157 if( ret != 0 )
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1158 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1159
1160 /* Compute application secrets from master secret and transcript hash. */
1161
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1162 ret = mbedtls_ssl_tls13_derive_application_secrets( md_type,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1163 handshake->tls1_3_master_secrets.app,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1164 transcript, transcript_len,
1165 app_secrets );
1166 if( ret != 0 )
1167 {
1168 MBEDTLS_SSL_DEBUG_RET( 1,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1169 "mbedtls_ssl_tls13_derive_application_secrets", ret );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1170 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1171 }
1172
1173 /* Derive first epoch of IV + Key for application traffic. */
1174
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1175 ret = mbedtls_ssl_tls13_make_traffic_keys( md_type,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1176 app_secrets->client_application_traffic_secret_N,
1177 app_secrets->server_application_traffic_secret_N,
1178 md_size, keylen, ivlen, traffic_keys );
1179 if( ret != 0 )
1180 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1181 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1182 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1183 }
1184
1185 MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret",
1186 app_secrets->client_application_traffic_secret_N,
1187 md_size );
1188
1189 MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret",
1190 app_secrets->server_application_traffic_secret_N,
1191 md_size );
1192
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1193 /*
1194 * Export client/server application traffic secret 0
1195 */
1196 if( ssl->f_export_keys != NULL )
1197 {
1198 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1199 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1200 app_secrets->client_application_traffic_secret_N, md_size,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1201 handshake->randbytes + 32,
1202 handshake->randbytes,
XiaokangQianb51f8842021-11-04 03:02:47 +0000[diff] [blame]1203 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1204 a new constant for TLS 1.3! */ );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1205
1206 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1207 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1208 app_secrets->server_application_traffic_secret_N, md_size,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1209 handshake->randbytes + 32,
1210 handshake->randbytes,
XiaokangQianb51f8842021-11-04 03:02:47 +0000[diff] [blame]1211 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1212 a new constant for TLS 1.3! */ );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1213 }
1214
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1215 MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:",
1216 traffic_keys->client_write_key, keylen );
1217 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key",
1218 traffic_keys->server_write_key, keylen );
1219 MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV",
1220 traffic_keys->client_write_iv, ivlen );
1221 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV",
1222 traffic_keys->server_write_iv, ivlen );
1223
1224 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1225
1226 cleanup:
1227
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1228 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1229 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1230}
1231
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1232#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */