TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 88e7101d030e863d1e65933da8e3034cc05afbf4 / . / library / ssl_tls13_keys.c
blob: f6bea34031890ce3b3bc85ba9c320e97693c60dc [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]22#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]23
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]24#include <stdint.h>
25#include <string.h>
26
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]27#include "mbedtls/hkdf.h"
28#include "mbedtls/debug.h"
29#include "mbedtls/error.h"
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]30#include "mbedtls/platform.h"
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]31
32#include "ssl_misc.h"
33#include "ssl_tls13_keys.h"
Gabor Mezeia3eecd22022-02-09 16:57:26 +0100[diff] [blame]34#include "ssl_tls13_invasive.h"
35
36#include "psa/crypto.h"
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]37
Hanno Becker1413bd82020-09-09 12:46:09 +0100[diff] [blame]38#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]39 .name = string,
40
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]41struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]42{
43 /* This seems to work in C, despite the string literal being one
44 * character too long due to the 0-termination. */
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]45 MBEDTLS_SSL_TLS1_3_LABEL_LIST
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]46};
47
Hanno Beckera3a5a4e2020-09-08 11:33:48 +0100[diff] [blame]48#undef MBEDTLS_SSL_TLS1_3_LABEL
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]49
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]50/*
51 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
52 *
53 * The HkdfLabel is specified in RFC 8446 as follows:
54 *
55 * struct HkdfLabel {
56 * uint16 length; // Length of expanded key material
57 * opaque label<7..255>; // Always prefixed by "tls13 "
58 * opaque context<0..255>; // Usually a communication transcript hash
59 * };
60 *
61 * Parameters:
62 * - desired_length: Length of expanded key material
63 * Even though the standard allows expansion to up to
64 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
65 * 255 Bytes, so we require `desired_length` to be at most
66 * 255. This allows us to save a few Bytes of code by
67 * hardcoding the writing of the high bytes.
Xiaofei Baifeecbbb2021-11-23 07:24:58 +0000[diff] [blame]68 * - (label, label_len): label + label length, without "tls13 " prefix
69 * The label length MUST be less than or equal to
70 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
71 * It is the caller's responsibility to ensure this.
72 * All (label, label length) pairs used in TLS 1.3
73 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
74 * - (ctx, ctx_len): context + context length
75 * The context length MUST be less than or equal to
76 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
77 * It is the caller's responsibility to ensure this.
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]78 * - dst: Target buffer for HkdfLabel structure,
79 * This MUST be a writable buffer of size
80 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
Xiaofei Baifeecbbb2021-11-23 07:24:58 +0000[diff] [blame]81 * - dst_len: Pointer at which to store the actual length of
82 * the HkdfLabel structure on success.
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]83 */
84
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]85static const char tls13_label_prefix[6] = "tls13 ";
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]86
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]87#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]88 ( 2 /* expansion length */ \
89 + 1 /* label length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]90 + label_len \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]91 + 1 /* context length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]92 + context_len )
93
94#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
95 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]96 sizeof(tls13_label_prefix) + \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]97 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
98 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]99
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]100static void ssl_tls13_hkdf_encode_label(
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]101 size_t desired_length,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]102 const unsigned char *label, size_t label_len,
103 const unsigned char *ctx, size_t ctx_len,
104 unsigned char *dst, size_t *dst_len )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]105{
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]106 size_t total_label_len =
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]107 sizeof(tls13_label_prefix) + label_len;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]108 size_t total_hkdf_lbl_len =
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]109 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, ctx_len );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]110
111 unsigned char *p = dst;
112
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]113 /* Add the size of the expanded key material.
114 * We're hardcoding the high byte to 0 here assuming that we never use
115 * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
116#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]117#error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]118 value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
119#endif
120
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]121 *p++ = 0;
Joe Subbiani2194dc42021-07-14 12:31:31 +0100[diff] [blame]122 *p++ = MBEDTLS_BYTE_0( desired_length );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]123
124 /* Add label incl. prefix */
Joe Subbiani2194dc42021-07-14 12:31:31 +0100[diff] [blame]125 *p++ = MBEDTLS_BYTE_0( total_label_len );
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]126 memcpy( p, tls13_label_prefix, sizeof(tls13_label_prefix) );
127 p += sizeof(tls13_label_prefix);
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]128 memcpy( p, label, label_len );
129 p += label_len;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]130
131 /* Add context value */
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]132 *p++ = MBEDTLS_BYTE_0( ctx_len );
133 if( ctx_len != 0 )
134 memcpy( p, ctx, ctx_len );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]135
136 /* Return total length to the caller. */
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]137 *dst_len = total_hkdf_lbl_len;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]138}
139
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]140int mbedtls_ssl_tls13_hkdf_expand_label(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]141 psa_algorithm_t hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]142 const unsigned char *secret, size_t secret_len,
143 const unsigned char *label, size_t label_len,
144 const unsigned char *ctx, size_t ctx_len,
145 unsigned char *buf, size_t buf_len )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]146{
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]147 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
148 size_t hkdf_label_len;
149
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]150 if( label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]151 {
152 /* Should never happen since this is an internal
153 * function, and we know statically which labels
154 * are allowed. */
155 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
156 }
157
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]158 if( ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]159 {
160 /* Should not happen, as above. */
161 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
162 }
163
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]164 if( buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]165 {
166 /* Should not happen, as above. */
167 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
168 }
169
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]170 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]171 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
172
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]173 ssl_tls13_hkdf_encode_label( buf_len,
174 label, label_len,
175 ctx, ctx_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]176 hkdf_label,
177 &hkdf_label_len );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]178
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]179 return( psa_ssl_status_to_mbedtls(
Gabor Mezeied6d6582022-03-26 17:28:06 +0100[diff] [blame]180 mbedtls_psa_hkdf_expand( hash_alg,
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]181 secret, secret_len,
182 hkdf_label, hkdf_label_len,
183 buf, buf_len ) ) );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]184}
185
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]186/*
187 * The traffic keying material is generated from the following inputs:
188 *
189 * - One secret value per sender.
190 * - A purpose value indicating the specific value being generated
191 * - The desired lengths of key and IV.
192 *
193 * The expansion itself is based on HKDF:
194 *
195 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
196 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
197 *
198 * [sender] denotes the sending side and the Secret value is provided
199 * by the function caller. Note that we generate server and client side
200 * keys in a single function call.
201 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]202int mbedtls_ssl_tls13_make_traffic_keys(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]203 psa_algorithm_t hash_alg,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]204 const unsigned char *client_secret,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]205 const unsigned char *server_secret, size_t secret_len,
206 size_t key_len, size_t iv_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]207 mbedtls_ssl_key_set *keys )
208{
209 int ret = 0;
210
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]211 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]212 client_secret, secret_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]213 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
214 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]215 keys->client_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]216 if( ret != 0 )
217 return( ret );
218
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]219 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]220 server_secret, secret_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]221 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
222 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]223 keys->server_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]224 if( ret != 0 )
225 return( ret );
226
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]227 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]228 client_secret, secret_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]229 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
230 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]231 keys->client_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]232 if( ret != 0 )
233 return( ret );
234
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]235 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]236 server_secret, secret_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]237 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
238 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]239 keys->server_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]240 if( ret != 0 )
241 return( ret );
242
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]243 keys->key_len = key_len;
244 keys->iv_len = iv_len;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]245
246 return( 0 );
247}
248
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]249int mbedtls_ssl_tls13_derive_secret(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]250 psa_algorithm_t hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]251 const unsigned char *secret, size_t secret_len,
252 const unsigned char *label, size_t label_len,
253 const unsigned char *ctx, size_t ctx_len,
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]254 int ctx_hashed,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]255 unsigned char *dstbuf, size_t dstbuf_len )
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]256{
257 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]258 unsigned char hashed_context[ PSA_HASH_MAX_SIZE ];
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]259 if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]260 {
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]261 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
262
263 status = psa_hash_compute( hash_alg, ctx, ctx_len, hashed_context,
264 PSA_HASH_LENGTH( hash_alg ), &ctx_len );
265 if( status != PSA_SUCCESS )
266 {
267 ret = psa_ssl_status_to_mbedtls( status );
268 return ret;
269 }
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]270 }
271 else
272 {
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]273 if( ctx_len > sizeof(hashed_context) )
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]274 {
275 /* This should never happen since this function is internal
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]276 * and the code sets `ctx_hashed` correctly.
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]277 * Let's double-check nonetheless to not run at the risk
278 * of getting a stack overflow. */
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]279 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]280 }
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]281
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]282 memcpy( hashed_context, ctx, ctx_len );
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]283 }
284
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]285 return( mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]286 secret, secret_len,
287 label, label_len,
288 hashed_context, ctx_len,
289 dstbuf, dstbuf_len ) );
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]290
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]291}
292
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]293int mbedtls_ssl_tls13_evolve_secret(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]294 psa_algorithm_t hash_alg,
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]295 const unsigned char *secret_old,
296 const unsigned char *input, size_t input_len,
297 unsigned char *secret_new )
298{
299 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
300 size_t hlen, ilen;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]301 unsigned char tmp_secret[ PSA_MAC_MAX_SIZE ] = { 0 };
Jerry Yu6eaa41c2021-11-22 18:16:45 +0800[diff] [blame]302 unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 };
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]303 size_t secret_len;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]304
305 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]306 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
307
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]308 hlen = PSA_HASH_LENGTH( hash_alg );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]309
310 /* For non-initial runs, call Derive-Secret( ., "derived", "")
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]311 * on the old secret. */
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]312 if( secret_old != NULL )
313 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]314 ret = mbedtls_ssl_tls13_derive_secret(
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]315 hash_alg,
316 secret_old, hlen,
317 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
318 NULL, 0, /* context */
319 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]320 tmp_secret, hlen );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]321 if( ret != 0 )
322 goto cleanup;
323 }
324
325 if( input != NULL )
326 {
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]327 memcpy( tmp_input, input, input_len );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]328 ilen = input_len;
329 }
330 else
331 {
332 ilen = hlen;
333 }
334
335 /* HKDF-Extract takes a salt and input key material.
336 * The salt is the old secret, and the input key material
337 * is the input secret (PSK / ECDHE). */
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]338 ret = psa_ssl_status_to_mbedtls(
Gabor Mezeied6d6582022-03-26 17:28:06 +0100[diff] [blame]339 mbedtls_psa_hkdf_extract( hash_alg,
Gabor Mezei58db6532022-03-21 12:12:37 +0100[diff] [blame]340 tmp_secret, hlen,
341 tmp_input, ilen,
342 secret_new, hlen, &secret_len ) );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]343
344 cleanup:
345
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]346 mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
347 mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]348 return( ret );
349}
350
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]351int mbedtls_ssl_tls13_derive_early_secrets(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]352 psa_algorithm_t hash_alg,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]353 unsigned char const *early_secret,
354 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]355 mbedtls_ssl_tls13_early_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]356{
357 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]358 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]359
360 /* We should never call this function with an unknown hash,
361 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]362 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]363 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
364
365 /*
366 * 0
367 * |
368 * v
369 * PSK -> HKDF-Extract = Early Secret
370 * |
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]371 * +-----> Derive-Secret(., "c e traffic", ClientHello)
372 * | = client_early_traffic_secret
373 * |
374 * +-----> Derive-Secret(., "e exp master", ClientHello)
375 * | = early_exporter_master_secret
376 * v
377 */
378
379 /* Create client_early_traffic_secret */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]380 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
381 early_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]382 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
383 transcript, transcript_len,
384 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
385 derived->client_early_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]386 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]387 if( ret != 0 )
388 return( ret );
389
390 /* Create early exporter */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]391 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
392 early_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]393 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
394 transcript, transcript_len,
395 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
396 derived->early_exporter_master_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]397 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]398 if( ret != 0 )
399 return( ret );
400
401 return( 0 );
402}
403
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]404int mbedtls_ssl_tls13_derive_handshake_secrets(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]405 psa_algorithm_t hash_alg,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]406 unsigned char const *handshake_secret,
407 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]408 mbedtls_ssl_tls13_handshake_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]409{
410 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]411 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]412
413 /* We should never call this function with an unknown hash,
414 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]415 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]416 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
417
418 /*
419 *
420 * Handshake Secret
421 * |
422 * +-----> Derive-Secret( ., "c hs traffic",
423 * | ClientHello...ServerHello )
424 * | = client_handshake_traffic_secret
425 * |
426 * +-----> Derive-Secret( ., "s hs traffic",
427 * | ClientHello...ServerHello )
428 * | = server_handshake_traffic_secret
429 *
430 */
431
432 /*
433 * Compute client_handshake_traffic_secret with
434 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
435 */
436
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]437 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
438 handshake_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]439 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
440 transcript, transcript_len,
441 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
442 derived->client_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]443 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]444 if( ret != 0 )
445 return( ret );
446
447 /*
448 * Compute server_handshake_traffic_secret with
449 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
450 */
451
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]452 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
453 handshake_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]454 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
455 transcript, transcript_len,
456 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
457 derived->server_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]458 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]459 if( ret != 0 )
460 return( ret );
461
462 return( 0 );
463}
464
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]465int mbedtls_ssl_tls13_derive_application_secrets(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]466 psa_algorithm_t hash_alg,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]467 unsigned char const *application_secret,
468 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]469 mbedtls_ssl_tls13_application_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]470{
471 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]472 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]473
474 /* We should never call this function with an unknown hash,
475 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]476 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]477 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
478
479 /* Generate {client,server}_application_traffic_secret_0
480 *
481 * Master Secret
482 * |
483 * +-----> Derive-Secret( ., "c ap traffic",
484 * | ClientHello...server Finished )
485 * | = client_application_traffic_secret_0
486 * |
487 * +-----> Derive-Secret( ., "s ap traffic",
488 * | ClientHello...Server Finished )
489 * | = server_application_traffic_secret_0
490 * |
491 * +-----> Derive-Secret( ., "exp master",
492 * | ClientHello...server Finished)
493 * | = exporter_master_secret
494 *
495 */
496
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]497 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
498 application_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]499 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
500 transcript, transcript_len,
501 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
502 derived->client_application_traffic_secret_N,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]503 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]504 if( ret != 0 )
505 return( ret );
506
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]507 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
508 application_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]509 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
510 transcript, transcript_len,
511 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
512 derived->server_application_traffic_secret_N,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]513 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]514 if( ret != 0 )
515 return( ret );
516
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]517 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
518 application_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]519 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
520 transcript, transcript_len,
521 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
522 derived->exporter_master_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]523 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]524 if( ret != 0 )
525 return( ret );
526
527 return( 0 );
528}
529
530/* Generate resumption_master_secret for use with the ticket exchange.
531 *
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]532 * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets()
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]533 * because it uses the transcript hash up to and including ClientFinished. */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]534int mbedtls_ssl_tls13_derive_resumption_master_secret(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]535 psa_algorithm_t hash_alg,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]536 unsigned char const *application_secret,
537 unsigned char const *transcript, size_t transcript_len,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]538 mbedtls_ssl_tls13_application_secrets *derived )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]539{
540 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]541 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]542
543 /* We should never call this function with an unknown hash,
544 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]545 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]546 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
547
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]548 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
549 application_secret, hash_len,
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]550 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
551 transcript, transcript_len,
552 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
553 derived->resumption_master_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]554 hash_len );
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]555
556 if( ret != 0 )
557 return( ret );
558
559 return( 0 );
560}
561
XiaokangQiana4c99f22021-11-11 06:46:35 +0000[diff] [blame]562int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]563{
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]564 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]565 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]566 psa_algorithm_t const hash_alg = mbedtls_psa_translate_md(
567 handshake->ciphersuite_info->mac );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]568
569 /*
570 * Compute MasterSecret
571 */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]572 ret = mbedtls_ssl_tls13_evolve_secret( hash_alg,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]573 handshake->tls13_master_secrets.handshake,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]574 NULL, 0,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]575 handshake->tls13_master_secrets.app );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]576 if( ret != 0 )
577 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]578 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]579 return( ret );
580 }
581
582 MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret",
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]583 handshake->tls13_master_secrets.app, PSA_HASH_LENGTH( hash_alg ) );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]584
585 return( 0 );
586}
587
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]588static int ssl_tls13_calc_finished_core( psa_algorithm_t hash_alg,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]589 unsigned char const *base_key,
590 unsigned char const *transcript,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]591 unsigned char *dst,
592 size_t *dst_len )
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]593{
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]594 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
595 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
596 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
597 size_t hash_len = PSA_HASH_LENGTH( hash_alg );
598 unsigned char finished_key[PSA_MAC_MAX_SIZE];
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]599 int ret;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]600 psa_algorithm_t alg;
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]601
602 /* We should never call this function with an unknown hash,
603 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]604 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]605 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
606
607 /* TLS 1.3 Finished message
608 *
609 * struct {
610 * opaque verify_data[Hash.length];
611 * } Finished;
612 *
613 * verify_data =
614 * HMAC( finished_key,
615 * Hash( Handshake Context +
616 * Certificate* +
617 * CertificateVerify* )
618 * )
619 *
620 * finished_key =
621 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
622 */
623
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]624 ret = mbedtls_ssl_tls13_hkdf_expand_label(
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]625 hash_alg, base_key, hash_len,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]626 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ),
627 NULL, 0,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]628 finished_key, hash_len );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]629 if( ret != 0 )
630 goto exit;
631
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]632 alg = PSA_ALG_HMAC( hash_alg );
633 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
634 psa_set_key_algorithm( &attributes, alg );
635 psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
636
637 status = psa_import_key( &attributes, finished_key, hash_len, &key );
638 if( status != PSA_SUCCESS )
639 {
640 ret = psa_ssl_status_to_mbedtls( status );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]641 goto exit;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]642 }
643
644 status = psa_mac_compute( key, alg, transcript, hash_len,
645 dst, hash_len, dst_len );
646 ret = psa_ssl_status_to_mbedtls( status );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]647
648exit:
649
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]650 status = psa_destroy_key( key );
651 if( ret == 0 )
652 ret = psa_ssl_status_to_mbedtls( status );
653
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]654 mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) );
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]655
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]656 return( ret );
657}
658
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]659int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]660 unsigned char* dst,
661 size_t dst_len,
662 size_t *actual_len,
663 int from )
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]664{
XiaokangQiana7634982021-10-22 06:32:32 +0000[diff] [blame]665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]666
XiaokangQianaaa0e192021-11-10 03:07:04 +0000[diff] [blame]667 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]668 size_t transcript_len;
669
Jerry Yu4a2fa5d2021-12-10 10:19:34 +0800[diff] [blame]670 unsigned char *base_key = NULL;
Jerry Yub737f6a2021-12-10 17:55:23 +0800[diff] [blame]671 size_t base_key_len = 0;
Jerry Yu9c074732021-12-10 17:12:43 +0800[diff] [blame]672 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
673 &ssl->handshake->tls13_hs_secrets;
Jerry Yua5563f62021-12-10 18:14:36 +0800[diff] [blame]674
675 mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]676
677 psa_algorithm_t hash_alg = mbedtls_psa_translate_md(
678 ssl->handshake->ciphersuite_info->mac );
Gabor Mezei29e7ca82022-03-29 17:08:49 +0200[diff] [blame]679 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yua5563f62021-12-10 18:14:36 +0800[diff] [blame]680
681 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) );
682
Jerry Yub737f6a2021-12-10 17:55:23 +0800[diff] [blame]683 if( from == MBEDTLS_SSL_IS_CLIENT )
684 {
685 base_key = tls13_hs_secrets->client_handshake_traffic_secret;
686 base_key_len = sizeof( tls13_hs_secrets->client_handshake_traffic_secret );
687 }
688 else
689 {
690 base_key = tls13_hs_secrets->server_handshake_traffic_secret;
691 base_key_len = sizeof( tls13_hs_secrets->server_handshake_traffic_secret );
692 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]693
Gabor Mezei29e7ca82022-03-29 17:08:49 +0200[diff] [blame]694 if( dst_len < hash_len )
Jerry Yu9c074732021-12-10 17:12:43 +0800[diff] [blame]695 {
696 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
697 goto exit;
698 }
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]699
700 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
701 transcript, sizeof( transcript ),
702 &transcript_len );
703 if( ret != 0 )
704 {
705 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]706 goto exit;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]707 }
708 MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
709
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]710 ret = ssl_tls13_calc_finished_core( hash_alg, base_key, transcript, dst, actual_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]711 if( ret != 0 )
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]712 goto exit;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]713
Gabor Mezei29e7ca82022-03-29 17:08:49 +0200[diff] [blame]714 MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, hash_len );
XiaokangQianc5c39d52021-11-09 11:55:10 +0000[diff] [blame]715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]716
717exit:
Jerry Yu4a2fa5d2021-12-10 10:19:34 +0800[diff] [blame]718 /* Erase handshake secrets */
Jerry Yub737f6a2021-12-10 17:55:23 +0800[diff] [blame]719 mbedtls_platform_zeroize( base_key, base_key_len );
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]720 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
XiaokangQian61bdbbc2021-10-28 08:03:38 +0000[diff] [blame]721 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]722}
723
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]724int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]725 const psa_algorithm_t hash_alg,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]726 unsigned char const *psk, size_t psk_len,
727 int psk_type,
728 unsigned char const *transcript,
729 unsigned char *result )
730{
731 int ret = 0;
Gabor Mezeied6d6582022-03-26 17:28:06 +0100[diff] [blame]732 unsigned char binder_key[PSA_MAC_MAX_SIZE];
733 unsigned char early_secret[PSA_MAC_MAX_SIZE];
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]734 size_t const hash_len = PSA_HASH_LENGTH( hash_alg );
735 size_t actual_len;
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]736
Hanno Becker28e5f1e2021-05-26 09:29:49 +0100[diff] [blame]737#if !defined(MBEDTLS_DEBUG_C)
738 ssl = NULL; /* make sure we don't use it except for debug */
739 ((void) ssl);
740#endif
741
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]742 /* We should never call this function with an unknown hash,
743 * but add an assertion anyway. */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]744 if( ! PSA_ALG_IS_HASH( hash_alg ) )
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]745 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
746
747 /*
748 * 0
749 * |
750 * v
751 * PSK -> HKDF-Extract = Early Secret
752 * |
753 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
754 * | = binder_key
755 * v
756 */
757
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]758 ret = mbedtls_ssl_tls13_evolve_secret( hash_alg,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]759 NULL, /* Old secret */
760 psk, psk_len, /* Input */
761 early_secret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]762 if( ret != 0 )
763 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]764 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]765 goto exit;
766 }
767
768 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
769 {
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]770 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
771 early_secret, hash_len,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]772 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ),
773 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]774 binder_key, hash_len );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]775 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) );
776 }
777 else
778 {
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]779 ret = mbedtls_ssl_tls13_derive_secret( hash_alg,
780 early_secret, hash_len,
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]781 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ),
782 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]783 binder_key, hash_len );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]784 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) );
785 }
786
787 if( ret != 0 )
788 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]789 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_secret", ret );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]790 goto exit;
791 }
792
793 /*
794 * The binding_value is computed in the same way as the Finished message
795 * but with the BaseKey being the binder_key.
796 */
797
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]798 ret = ssl_tls13_calc_finished_core( hash_alg, binder_key, transcript,
799 result, &actual_len );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]800 if( ret != 0 )
801 goto exit;
802
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]803 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, actual_len );
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]804
805exit:
806
807 mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) );
808 mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) );
809 return( ret );
810}
811
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]812int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
813 int endpoint,
814 int ciphersuite,
815 mbedtls_ssl_key_set const *traffic_keys,
816 mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
817{
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100[diff] [blame]818#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]819 int ret;
820 mbedtls_cipher_info_t const *cipher_info;
Neil Armstronga8093f52022-05-04 17:44:05 +0200[diff] [blame]821#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]822 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
823 unsigned char const *key_enc;
824 unsigned char const *iv_enc;
825 unsigned char const *key_dec;
826 unsigned char const *iv_dec;
827
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]828#if defined(MBEDTLS_USE_PSA_CRYPTO)
829 psa_key_type_t key_type;
830 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
831 psa_algorithm_t alg;
832 size_t key_bits;
833 psa_status_t status = PSA_SUCCESS;
834#endif
835
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]836#if !defined(MBEDTLS_DEBUG_C)
837 ssl = NULL; /* make sure we don't use it except for those cases */
838 (void) ssl;
839#endif
840
841 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]842 if( ciphersuite_info == NULL )
843 {
844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
845 ciphersuite ) );
846 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
847 }
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]848
Neil Armstronga8093f52022-05-04 17:44:05 +0200[diff] [blame]849#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]850 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
851 if( cipher_info == NULL )
852 {
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]853 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
854 ciphersuite_info->cipher ) );
Hanno Beckerf62a7302021-04-21 05:21:28 +0100[diff] [blame]855 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]856 }
857
858 /*
859 * Setup cipher contexts in target transform
860 */
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]861 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
862 cipher_info ) ) != 0 )
863 {
864 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
865 return( ret );
866 }
867
868 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
869 cipher_info ) ) != 0 )
870 {
871 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
872 return( ret );
873 }
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100[diff] [blame]874#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]875
876#if defined(MBEDTLS_SSL_SRV_C)
877 if( endpoint == MBEDTLS_SSL_IS_SERVER )
878 {
879 key_enc = traffic_keys->server_write_key;
880 key_dec = traffic_keys->client_write_key;
881 iv_enc = traffic_keys->server_write_iv;
882 iv_dec = traffic_keys->client_write_iv;
883 }
884 else
885#endif /* MBEDTLS_SSL_SRV_C */
886#if defined(MBEDTLS_SSL_CLI_C)
887 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
888 {
889 key_enc = traffic_keys->client_write_key;
890 key_dec = traffic_keys->server_write_key;
891 iv_enc = traffic_keys->client_write_iv;
892 iv_dec = traffic_keys->server_write_iv;
893 }
894 else
895#endif /* MBEDTLS_SSL_CLI_C */
896 {
897 /* should not happen */
898 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
899 }
900
901 memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
902 memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
903
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100[diff] [blame]904#if !defined(MBEDTLS_USE_PSA_CRYPTO)
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]905 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
906 key_enc, cipher_info->key_bitlen,
907 MBEDTLS_ENCRYPT ) ) != 0 )
908 {
909 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
910 return( ret );
911 }
912
913 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
914 key_dec, cipher_info->key_bitlen,
915 MBEDTLS_DECRYPT ) ) != 0 )
916 {
917 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
918 return( ret );
919 }
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100[diff] [blame]920#endif /* MBEDTLS_USE_PSA_CRYPTO */
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]921
Przemyslaw Stekieldd7b5012022-01-17 15:28:57 +0100[diff] [blame]922 /*
923 * Setup other fields in SSL transform
924 */
925
926 if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
927 transform->taglen = 8;
928 else
929 transform->taglen = 16;
930
931 transform->ivlen = traffic_keys->iv_len;
932 transform->maclen = 0;
933 transform->fixed_ivlen = transform->ivlen;
Glenn Strauss07c64162022-03-14 12:34:51 -0400[diff] [blame]934 transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
Przemyslaw Stekieldd7b5012022-01-17 15:28:57 +0100[diff] [blame]935
936 /* We add the true record content type (1 Byte) to the plaintext and
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]937 * then pad to the configured granularity. The minimum length of the
Przemyslaw Stekieldd7b5012022-01-17 15:28:57 +0100[diff] [blame]938 * type-extended and padded plaintext is therefore the padding
939 * granularity. */
940 transform->minlen =
941 transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
942
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]943#if defined(MBEDTLS_USE_PSA_CRYPTO)
Przemyslaw Stekiel6be9cf52022-01-19 16:00:22 +0100[diff] [blame]944 /*
945 * Setup psa keys and alg
946 */
Neil Armstronga8093f52022-05-04 17:44:05 +0200[diff] [blame]947 if( ( status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher,
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]948 transform->taglen,
949 &alg,
950 &key_type,
951 &key_bits ) ) != PSA_SUCCESS )
952 {
Przemyslaw Stekiel77aec8d2022-01-31 20:22:53 +0100[diff] [blame]953 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cipher_to_psa", psa_ssl_status_to_mbedtls( status ) );
954 return( psa_ssl_status_to_mbedtls( status ) );
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]955 }
956
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]957 transform->psa_alg = alg;
958
Przemyslaw Stekielf9cd6082022-02-01 11:25:55 +0100[diff] [blame]959 if ( alg != MBEDTLS_SSL_NULL_CIPHER )
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]960 {
Przemyslaw Stekielf9cd6082022-02-01 11:25:55 +0100[diff] [blame]961 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
962 psa_set_key_algorithm( &attributes, alg );
963 psa_set_key_type( &attributes, key_type );
Przemyslaw Stekielfe7397d2022-01-17 15:47:07 +0100[diff] [blame]964
Przemyslaw Stekielf9cd6082022-02-01 11:25:55 +0100[diff] [blame]965 if( ( status = psa_import_key( &attributes,
966 key_enc,
967 PSA_BITS_TO_BYTES( key_bits ),
968 &transform->psa_key_enc ) ) != PSA_SUCCESS )
969 {
970 MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
971 return( psa_ssl_status_to_mbedtls( status ) );
972 }
Przemyslaw Stekielfe7397d2022-01-17 15:47:07 +0100[diff] [blame]973
Przemyslaw Stekielf9cd6082022-02-01 11:25:55 +0100[diff] [blame]974 psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
975
976 if( ( status = psa_import_key( &attributes,
977 key_dec,
978 PSA_BITS_TO_BYTES( key_bits ),
979 &transform->psa_key_dec ) ) != PSA_SUCCESS )
980 {
981 MBEDTLS_SSL_DEBUG_RET( 1, "psa_import_key", psa_ssl_status_to_mbedtls( status ) );
982 return( psa_ssl_status_to_mbedtls( status ) );
983 }
Przemyslaw Stekielae77b0a2022-01-12 10:29:03 +0100[diff] [blame]984 }
985#endif /* MBEDTLS_USE_PSA_CRYPTO */
986
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]987 return( 0 );
988}
989
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]990int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]991{
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]992 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]993 psa_algorithm_t hash_alg;
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]994 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Jerry Yu6ca7c7f2021-09-28 18:51:40 +0800[diff] [blame]995
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]996 if( handshake->ciphersuite_info == NULL )
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]997 {
998 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) );
999 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1000 }
Jerry Yue3131ef2021-09-16 13:14:15 +0800[diff] [blame]1001
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1002 hash_alg = mbedtls_psa_translate_md( handshake->ciphersuite_info->mac );
Jerry Yue06f4532021-09-23 18:35:07 +0800[diff] [blame]1003
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1004 ret = mbedtls_ssl_tls13_evolve_secret( hash_alg, NULL, NULL, 0,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1005 handshake->tls13_master_secrets.early );
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]1006 if( ret != 0 )
1007 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1008 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Jerry Yu89ea3212021-09-09 14:31:24 +0800[diff] [blame]1009 return( ret );
1010 }
1011
1012 return( 0 );
1013}
1014
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1015static int mbedtls_ssl_tls13_get_cipher_key_info(
1016 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
1017 size_t *key_len, size_t *iv_len )
1018{
1019 psa_key_type_t key_type;
1020 psa_algorithm_t alg;
1021 size_t taglen;
1022 size_t key_bits;
1023 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1024
1025 if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG )
1026 taglen = 8;
1027 else
1028 taglen = 16;
1029
1030 status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen,
1031 &alg, &key_type, &key_bits );
1032 if( status != PSA_SUCCESS )
1033 return psa_ssl_status_to_mbedtls( status );
1034
1035 *key_len = PSA_BITS_TO_BYTES( key_bits );
1036
Neil Armstrong0fa8ce32022-05-17 14:42:57 +0200[diff] [blame]1037 /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
1038 *iv_len = 12;
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1039
1040 return 0;
1041}
1042
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1043/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1044 * protecting the handshake messages, as described in Section 7 of TLS 1.3. */
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1045int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
1046 mbedtls_ssl_key_set *traffic_keys )
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1047{
1048 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1049
1050 mbedtls_md_type_t md_type;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1051
1052 psa_algorithm_t hash_alg;
1053 size_t hash_len;
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1054
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1055 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1056 size_t transcript_len;
1057
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1058 size_t key_len, iv_len;
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1059
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1060 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1061 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1062 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets;
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1063
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1064 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1065
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1066 ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info,
1067 &key_len, &iv_len );
1068 if( ret != 0 )
Neil Armstrong4f4f2712022-05-05 15:34:39 +0200[diff] [blame]1069 {
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1070 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
Neil Armstrong4f4f2712022-05-05 15:34:39 +0200[diff] [blame]1071 return ret;
1072 }
1073
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1074 md_type = ciphersuite_info->mac;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1075
1076 hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
1077 hash_len = PSA_HASH_LENGTH( hash_alg );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1078
1079 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
1080 transcript,
1081 sizeof( transcript ),
1082 &transcript_len );
1083 if( ret != 0 )
1084 {
1085 MBEDTLS_SSL_DEBUG_RET( 1,
1086 "mbedtls_ssl_get_handshake_transcript",
1087 ret );
1088 return( ret );
1089 }
1090
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1091 ret = mbedtls_ssl_tls13_derive_handshake_secrets( hash_alg,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1092 handshake->tls13_master_secrets.handshake,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1093 transcript, transcript_len, tls13_hs_secrets );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1094 if( ret != 0 )
1095 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1096 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_handshake_secrets",
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1097 ret );
1098 return( ret );
1099 }
1100
1101 MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret",
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1102 tls13_hs_secrets->client_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1103 hash_len );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1104 MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret",
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1105 tls13_hs_secrets->server_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1106 hash_len );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1107
1108 /*
1109 * Export client handshake traffic secret
1110 */
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1111 if( ssl->f_export_keys != NULL )
1112 {
1113 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1114 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1115 tls13_hs_secrets->client_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1116 hash_len,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1117 handshake->randbytes,
lhuang04a3890a32022-01-04 09:47:20 -0800[diff] [blame]1118 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1119 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1120
1121 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1122 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1123 tls13_hs_secrets->server_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1124 hash_len,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1125 handshake->randbytes,
lhuang04a3890a32022-01-04 09:47:20 -0800[diff] [blame]1126 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1127 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1128 }
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1129
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1130 ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg,
Jerry Yu435208a2021-10-13 11:22:16 +0800[diff] [blame]1131 tls13_hs_secrets->client_handshake_traffic_secret,
1132 tls13_hs_secrets->server_handshake_traffic_secret,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1133 hash_len, key_len, iv_len, traffic_keys );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1134 if( ret != 0 )
1135 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1136 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1137 goto exit;
1138 }
1139
1140 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key",
1141 traffic_keys->client_write_key,
1142 traffic_keys->key_len);
1143
1144 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key",
1145 traffic_keys->server_write_key,
1146 traffic_keys->key_len);
1147
1148 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv",
1149 traffic_keys->client_write_iv,
1150 traffic_keys->iv_len);
1151
1152 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv",
1153 traffic_keys->server_write_iv,
1154 traffic_keys->iv_len);
1155
Jerry Yuc068b662021-10-11 22:30:19 +0800[diff] [blame]1156 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) );
Jerry Yu61e35e02021-09-16 18:59:08 +0800[diff] [blame]1157
1158exit:
1159
1160 return( ret );
1161}
1162
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1163int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1164{
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1165 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Przemyslaw Stekielc0824bf2022-02-10 10:37:15 +0100[diff] [blame]1166#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) && defined(MBEDTLS_ECDH_C)
1167 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1168#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED && MBEDTLS_ECDH_C */
Jerry Yu5ccfcd42021-10-11 16:39:29 +0800[diff] [blame]1169 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1170 psa_algorithm_t const hash_alg = mbedtls_psa_translate_md(
1171 handshake->ciphersuite_info->mac );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1172
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1173#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1174 /*
1175 * Compute ECDHE secret used to compute the handshake secret from which
1176 * client_handshake_traffic_secret and server_handshake_traffic_secret
1177 * are derived in the handshake secret derivation stage.
1178 */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1179 if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) )
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1180 {
1181 if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
1182 {
1183#if defined(MBEDTLS_ECDH_C)
Przemyslaw Stekielc0824bf2022-02-10 10:37:15 +0100[diff] [blame]1184 /* Compute ECDH shared secret. */
1185 status = psa_raw_key_agreement(
1186 PSA_ALG_ECDH, handshake->ecdh_psa_privkey,
1187 handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey_len,
1188 handshake->premaster, sizeof( handshake->premaster ),
1189 &handshake->pmslen );
1190 if( status != PSA_SUCCESS )
1191 {
1192 ret = psa_ssl_status_to_mbedtls( status );
1193 MBEDTLS_SSL_DEBUG_RET( 1, "psa_raw_key_agreement", ret );
1194 return( ret );
1195 }
1196
1197 status = psa_destroy_key( handshake->ecdh_psa_privkey );
1198 if( status != PSA_SUCCESS )
1199 {
1200 ret = psa_ssl_status_to_mbedtls( status );
1201 MBEDTLS_SSL_DEBUG_RET( 1, "psa_destroy_key", ret );
1202 return( ret );
1203 }
1204
1205 handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1206#endif /* MBEDTLS_ECDH_C */
1207 }
1208 else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) )
1209 {
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1210 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) );
1211 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1212 }
1213 }
1214#else
1215 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1216#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1217
1218 /*
Jerry Yuf0ac2352021-10-11 17:47:07 +0800[diff] [blame]1219 * Compute the Handshake Secret
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1220 */
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1221 ret = mbedtls_ssl_tls13_evolve_secret( hash_alg,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1222 handshake->tls13_master_secrets.early,
Przemyslaw Stekielc0824bf2022-02-10 10:37:15 +0100[diff] [blame]1223 handshake->premaster, handshake->pmslen,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1224 handshake->tls13_master_secrets.handshake );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1225 if( ret != 0 )
1226 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1227 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1228 return( ret );
1229 }
1230
1231 MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1232 handshake->tls13_master_secrets.handshake,
1233 PSA_HASH_LENGTH( hash_alg ) );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1234
1235#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
Przemyslaw Stekielc0824bf2022-02-10 10:37:15 +0100[diff] [blame]1236 mbedtls_platform_zeroize( handshake->premaster, sizeof( handshake->premaster ) );
Jerry Yua0650eb2021-09-09 17:14:45 +0800[diff] [blame]1237#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1238 return( 0 );
1239}
1240
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1241/* Generate application traffic keys since any records following a 1-RTT Finished message
1242 * MUST be encrypted under the application traffic key.
1243 */
XiaokangQiand0aa3e92021-11-10 06:17:40 +0000[diff] [blame]1244int mbedtls_ssl_tls13_generate_application_keys(
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1245 mbedtls_ssl_context *ssl,
1246 mbedtls_ssl_key_set *traffic_keys )
1247{
XiaokangQiana7634982021-10-22 06:32:32 +0000[diff] [blame]1248 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1249 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1250
1251 /* Address at which to store the application secrets */
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1252 mbedtls_ssl_tls13_application_secrets * const app_secrets =
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1253 &ssl->session_negotiate->app_secrets;
1254
1255 /* Holding the transcript up to and including the ServerFinished */
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1256 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1257 size_t transcript_len;
1258
1259 /* Variables relating to the hash for the chosen ciphersuite. */
1260 mbedtls_md_type_t md_type;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1261
1262 psa_algorithm_t hash_alg;
1263 size_t hash_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1264
1265 /* Variables relating to the cipher for the chosen ciphersuite. */
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1266 size_t key_len, iv_len;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1267
1268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) );
1269
1270 /* Extract basic information about hash and ciphersuite */
1271
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1272 ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info,
1273 &key_len, &iv_len );
1274 if( ret != 0 )
Neil Armstrong4f4f2712022-05-05 15:34:39 +0200[diff] [blame]1275 {
Neil Armstrongb818e162022-05-17 09:24:52 +0200[diff] [blame]1276 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
Neil Armstrong4f4f2712022-05-05 15:34:39 +0200[diff] [blame]1277 goto cleanup;
1278 }
1279
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1280 md_type = handshake->ciphersuite_info->mac;
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1281
1282 hash_alg = mbedtls_psa_translate_md( handshake->ciphersuite_info->mac );
1283 hash_len = PSA_HASH_LENGTH( hash_alg );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1284
Shaun Case8b0ecbc2021-12-20 21:14:10 -0800[diff] [blame]1285 /* Compute current handshake transcript. It's the caller's responsibility
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1286 * to call this at the right time, that is, after the ServerFinished. */
1287
1288 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
1289 transcript, sizeof( transcript ),
1290 &transcript_len );
1291 if( ret != 0 )
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1292 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1293
1294 /* Compute application secrets from master secret and transcript hash. */
1295
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1296 ret = mbedtls_ssl_tls13_derive_application_secrets( hash_alg,
Xiaofei Baid25fab62021-12-02 06:36:27 +0000[diff] [blame]1297 handshake->tls13_master_secrets.app,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1298 transcript, transcript_len,
1299 app_secrets );
1300 if( ret != 0 )
1301 {
1302 MBEDTLS_SSL_DEBUG_RET( 1,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1303 "mbedtls_ssl_tls13_derive_application_secrets", ret );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1304 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1305 }
1306
1307 /* Derive first epoch of IV + Key for application traffic. */
1308
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1309 ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg,
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1310 app_secrets->client_application_traffic_secret_N,
1311 app_secrets->server_application_traffic_secret_N,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1312 hash_len, key_len, iv_len, traffic_keys );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1313 if( ret != 0 )
1314 {
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1315 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1316 goto cleanup;
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1317 }
1318
1319 MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret",
1320 app_secrets->client_application_traffic_secret_N,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1321 hash_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1322
1323 MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret",
1324 app_secrets->server_application_traffic_secret_N,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1325 hash_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1326
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1327 /*
1328 * Export client/server application traffic secret 0
1329 */
1330 if( ssl->f_export_keys != NULL )
1331 {
1332 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1333 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1334 app_secrets->client_application_traffic_secret_N, hash_len,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1335 handshake->randbytes,
lhuang04a3890a32022-01-04 09:47:20 -0800[diff] [blame]1336 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
XiaokangQianb51f8842021-11-04 03:02:47 +0000[diff] [blame]1337 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1338 a new constant for TLS 1.3! */ );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1339
1340 ssl->f_export_keys( ssl->p_export_keys,
Xiaofei Bai746f9482021-11-12 08:53:56 +0000[diff] [blame]1341 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
Gabor Mezei07732f72022-03-26 17:04:19 +0100[diff] [blame]1342 app_secrets->server_application_traffic_secret_N, hash_len,
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1343 handshake->randbytes,
lhuang04a3890a32022-01-04 09:47:20 -0800[diff] [blame]1344 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
XiaokangQianb51f8842021-11-04 03:02:47 +0000[diff] [blame]1345 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1346 a new constant for TLS 1.3! */ );
XiaokangQianac0385c2021-11-03 06:40:11 +0000[diff] [blame]1347 }
1348
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1349 MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:",
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1350 traffic_keys->client_write_key, key_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1351 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key",
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1352 traffic_keys->server_write_key, key_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1353 MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV",
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1354 traffic_keys->client_write_iv, iv_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1355 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV",
Xiaofei Baib7972842021-11-18 07:29:56 +0000[diff] [blame]1356 traffic_keys->server_write_iv, iv_len );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1357
1358 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1359
1360 cleanup:
Jerry Yu2c70a392021-12-08 13:28:49 +0800[diff] [blame]1361 /* randbytes is not used again */
1362 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1363 sizeof( ssl->handshake->randbytes ) );
Jerry Yuef2b98a2022-05-06 16:40:05 +0800[diff] [blame]1364
XiaokangQian33062842021-11-11 03:37:45 +0000[diff] [blame]1365 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
XiaokangQian4cab0242021-10-12 08:43:37 +0000[diff] [blame]1366 return( ret );
XiaokangQianaa5f5c12021-09-18 06:20:25 +0000[diff] [blame]1367}
1368
Jerry Yuf86eb752022-05-06 11:16:55 +0800[diff] [blame]1369int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl )
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1370{
Jerry Yuef2b98a2022-05-06 16:40:05 +0800[diff] [blame]1371 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1372 mbedtls_ssl_key_set traffic_keys;
1373 mbedtls_ssl_transform *transform_handshake = NULL;
1374 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1375
1376 /* Compute handshake secret */
1377 ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl );
1378 if( ret != 0 )
1379 {
1380 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_master_secret", ret );
1381 goto cleanup;
1382 }
1383
1384 /* Next evolution in key schedule: Establish handshake secret and
1385 * key material. */
1386 ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys );
1387 if( ret != 0 )
1388 {
1389 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_generate_handshake_keys",
1390 ret );
1391 goto cleanup;
1392 }
1393
1394 transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1395 if( transform_handshake == NULL )
1396 {
1397 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1398 goto cleanup;
1399 }
1400
Jerry Yuef2b98a2022-05-06 16:40:05 +0800[diff] [blame]1401 ret = mbedtls_ssl_tls13_populate_transform(
1402 transform_handshake,
1403 ssl->conf->endpoint,
1404 ssl->session_negotiate->ciphersuite,
1405 &traffic_keys,
1406 ssl );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1407 if( ret != 0 )
1408 {
1409 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
1410 goto cleanup;
1411 }
1412 handshake->transform_handshake = transform_handshake;
1413
1414cleanup:
1415 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
1416 if( ret != 0 )
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1417 mbedtls_free( transform_handshake );
Jerry Yue110d252022-05-05 10:19:22 +0800[diff] [blame]1418
1419 return( ret );
1420}
1421
Jerry Yuff226982022-04-16 16:52:57 +0800[diff] [blame]1422int mbedtls_ssl_tls13_generate_resumption_master_secret(
1423 mbedtls_ssl_context *ssl )
1424{
1425 /* Erase master secrets */
1426 mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
1427 sizeof( ssl->handshake->tls13_master_secrets ) );
1428 return( 0 );
1429}
1430
Jerry Yufd5ea042022-05-19 14:29:48 +0800[diff] [blame]1431int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl )
1432{
1433 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1434 mbedtls_ssl_key_set traffic_keys;
1435 mbedtls_ssl_transform *transform_application = NULL;
1436
1437 ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
1438 if( ret != 0 )
1439 {
1440 MBEDTLS_SSL_DEBUG_RET( 1,
1441 "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
1442 goto cleanup;
1443 }
1444
1445 ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
1446 if( ret != 0 )
1447 {
1448 MBEDTLS_SSL_DEBUG_RET( 1,
1449 "mbedtls_ssl_tls13_generate_application_keys", ret );
1450 goto cleanup;
1451 }
1452
1453 transform_application =
1454 mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
1455 if( transform_application == NULL )
1456 {
1457 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1458 goto cleanup;
1459 }
1460
1461 ret = mbedtls_ssl_tls13_populate_transform(
1462 transform_application,
1463 ssl->conf->endpoint,
1464 ssl->session_negotiate->ciphersuite,
1465 &traffic_keys,
1466 ssl );
1467 if( ret != 0 )
1468 {
1469 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
1470 goto cleanup;
1471 }
1472
1473 ssl->transform_application = transform_application;
1474
1475cleanup:
1476
1477 mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
1478 if( ret != 0 )
1479 {
1480 mbedtls_free( transform_application );
1481 }
1482 return( ret );
1483}
1484
Ronald Cron6f135e12021-12-08 16:57:54 +0100[diff] [blame]1485#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */