TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / c0da10dc3a491a4aab41503c12921e11fe7b9fb7 / . / library / ssl_tls13_keys.c
blob: 91384f281f26658f9fadc1abc35c89dbaca8e914 [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23
24#include "mbedtls/hkdf.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]25#include "ssl_misc.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]26#include "ssl_tls13_keys.h"
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]27#include "mbedtls/debug.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]28
29#include <stdint.h>
30#include <string.h>
31
Hanno Becker1413bd82020-09-09 12:46:09 +0100[diff] [blame]32#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]33 .name = string,
34
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]35struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
36{
37 /* This seems to work in C, despite the string literal being one
38 * character too long due to the 0-termination. */
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]39 MBEDTLS_SSL_TLS1_3_LABEL_LIST
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]40};
41
Hanno Beckera3a5a4e2020-09-08 11:33:48 +0100[diff] [blame]42#undef MBEDTLS_SSL_TLS1_3_LABEL
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]43
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]44/*
45 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
46 *
47 * The HkdfLabel is specified in RFC 8446 as follows:
48 *
49 * struct HkdfLabel {
50 * uint16 length; // Length of expanded key material
51 * opaque label<7..255>; // Always prefixed by "tls13 "
52 * opaque context<0..255>; // Usually a communication transcript hash
53 * };
54 *
55 * Parameters:
56 * - desired_length: Length of expanded key material
57 * Even though the standard allows expansion to up to
58 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
59 * 255 Bytes, so we require `desired_length` to be at most
60 * 255. This allows us to save a few Bytes of code by
61 * hardcoding the writing of the high bytes.
62 * - (label, llen): label + label length, without "tls13 " prefix
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]63 * The label length MUST be less than or equal to
64 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
65 * It is the caller's responsibility to ensure this.
Hanno Becker815869a2020-09-08 11:16:16 +0100[diff] [blame]66 * All (label, label length) pairs used in TLS 1.3
67 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]68 * - (ctx, clen): context + context length
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]69 * The context length MUST be less than or equal to
70 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
71 * It is the caller's responsibility to ensure this.
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]72 * - dst: Target buffer for HkdfLabel structure,
73 * This MUST be a writable buffer of size
74 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
75 * - dlen: Pointer at which to store the actual length of
76 * the HkdfLabel structure on success.
77 */
78
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]79static const char tls1_3_label_prefix[6] = "tls13 ";
80
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]81#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]82 ( 2 /* expansion length */ \
83 + 1 /* label length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]84 + label_len \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]85 + 1 /* context length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]86 + context_len )
87
88#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
89 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]90 sizeof(tls1_3_label_prefix) + \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]91 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
92 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]93
94static void ssl_tls1_3_hkdf_encode_label(
95 size_t desired_length,
96 const unsigned char *label, size_t llen,
97 const unsigned char *ctx, size_t clen,
98 unsigned char *dst, size_t *dlen )
99{
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]100 size_t total_label_len =
101 sizeof(tls1_3_label_prefix) + llen;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]102 size_t total_hkdf_lbl_len =
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]103 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]104
105 unsigned char *p = dst;
106
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]107 /* Add the size of the expanded key material.
108 * We're hardcoding the high byte to 0 here assuming that we never use
109 * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
110#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
111#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \
112 value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
113#endif
114
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]115 *p++ = 0;
116 *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
117
118 /* Add label incl. prefix */
119 *p++ = (unsigned char)( total_label_len & 0xFF );
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]120 memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
121 p += sizeof(tls1_3_label_prefix);
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]122 memcpy( p, label, llen );
123 p += llen;
124
125 /* Add context value */
126 *p++ = (unsigned char)( clen & 0xFF );
Hanno Becker00debc72020-09-08 11:12:24 +0100[diff] [blame]127 if( clen != 0 )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]128 memcpy( p, ctx, clen );
129
130 /* Return total length to the caller. */
131 *dlen = total_hkdf_lbl_len;
132}
133
134int mbedtls_ssl_tls1_3_hkdf_expand_label(
135 mbedtls_md_type_t hash_alg,
136 const unsigned char *secret, size_t slen,
137 const unsigned char *label, size_t llen,
138 const unsigned char *ctx, size_t clen,
139 unsigned char *buf, size_t blen )
140{
141 const mbedtls_md_info_t *md;
142 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
143 size_t hkdf_label_len;
144
145 if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
146 {
147 /* Should never happen since this is an internal
148 * function, and we know statically which labels
149 * are allowed. */
150 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
151 }
152
153 if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
154 {
155 /* Should not happen, as above. */
156 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
157 }
158
159 if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
160 {
161 /* Should not happen, as above. */
162 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
163 }
164
165 md = mbedtls_md_info_from_type( hash_alg );
166 if( md == NULL )
167 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
168
169 ssl_tls1_3_hkdf_encode_label( blen,
170 label, llen,
171 ctx, clen,
172 hkdf_label,
173 &hkdf_label_len );
174
175 return( mbedtls_hkdf_expand( md,
176 secret, slen,
177 hkdf_label, hkdf_label_len,
178 buf, blen ) );
179}
180
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]181/*
182 * The traffic keying material is generated from the following inputs:
183 *
184 * - One secret value per sender.
185 * - A purpose value indicating the specific value being generated
186 * - The desired lengths of key and IV.
187 *
188 * The expansion itself is based on HKDF:
189 *
190 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
191 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
192 *
193 * [sender] denotes the sending side and the Secret value is provided
194 * by the function caller. Note that we generate server and client side
195 * keys in a single function call.
196 */
197int mbedtls_ssl_tls1_3_make_traffic_keys(
198 mbedtls_md_type_t hash_alg,
199 const unsigned char *client_secret,
200 const unsigned char *server_secret,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]201 size_t slen, size_t key_len, size_t iv_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]202 mbedtls_ssl_key_set *keys )
203{
204 int ret = 0;
205
206 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
207 client_secret, slen,
208 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
209 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]210 keys->client_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]211 if( ret != 0 )
212 return( ret );
213
214 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
215 server_secret, slen,
216 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
217 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]218 keys->server_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]219 if( ret != 0 )
220 return( ret );
221
222 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
223 client_secret, slen,
224 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
225 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]226 keys->client_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]227 if( ret != 0 )
228 return( ret );
229
230 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
231 server_secret, slen,
232 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
233 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]234 keys->server_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]235 if( ret != 0 )
236 return( ret );
237
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]238 keys->key_len = key_len;
239 keys->iv_len = iv_len;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]240
241 return( 0 );
242}
243
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]244int mbedtls_ssl_tls1_3_derive_secret(
245 mbedtls_md_type_t hash_alg,
246 const unsigned char *secret, size_t slen,
247 const unsigned char *label, size_t llen,
248 const unsigned char *ctx, size_t clen,
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]249 int ctx_hashed,
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]250 unsigned char *dstbuf, size_t buflen )
251{
252 int ret;
253 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
254
255 const mbedtls_md_info_t *md;
256 md = mbedtls_md_info_from_type( hash_alg );
257 if( md == NULL )
258 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
259
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]260 if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]261 {
262 ret = mbedtls_md( md, ctx, clen, hashed_context );
263 if( ret != 0 )
264 return( ret );
265 clen = mbedtls_md_get_size( md );
266 }
267 else
268 {
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]269 if( clen > sizeof(hashed_context) )
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]270 {
271 /* This should never happen since this function is internal
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]272 * and the code sets `ctx_hashed` correctly.
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]273 * Let's double-check nonetheless to not run at the risk
274 * of getting a stack overflow. */
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]275 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]276 }
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]277
278 memcpy( hashed_context, ctx, clen );
279 }
280
281 return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
282 secret, slen,
283 label, llen,
284 hashed_context, clen,
285 dstbuf, buflen ) );
286}
287
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]288int mbedtls_ssl_tls1_3_evolve_secret(
289 mbedtls_md_type_t hash_alg,
290 const unsigned char *secret_old,
291 const unsigned char *input, size_t input_len,
292 unsigned char *secret_new )
293{
294 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
295 size_t hlen, ilen;
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]296 unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
297 unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]298
299 const mbedtls_md_info_t *md;
300 md = mbedtls_md_info_from_type( hash_alg );
301 if( md == NULL )
302 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
303
304 hlen = mbedtls_md_get_size( md );
305
306 /* For non-initial runs, call Derive-Secret( ., "derived", "")
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]307 * on the old secret. */
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]308 if( secret_old != NULL )
309 {
310 ret = mbedtls_ssl_tls1_3_derive_secret(
311 hash_alg,
312 secret_old, hlen,
313 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
314 NULL, 0, /* context */
315 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]316 tmp_secret, hlen );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]317 if( ret != 0 )
318 goto cleanup;
319 }
320
321 if( input != NULL )
322 {
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]323 memcpy( tmp_input, input, input_len );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]324 ilen = input_len;
325 }
326 else
327 {
328 ilen = hlen;
329 }
330
331 /* HKDF-Extract takes a salt and input key material.
332 * The salt is the old secret, and the input key material
333 * is the input secret (PSK / ECDHE). */
334 ret = mbedtls_hkdf_extract( md,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]335 tmp_secret, hlen,
336 tmp_input, ilen,
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]337 secret_new );
338 if( ret != 0 )
339 goto cleanup;
340
341 ret = 0;
342
343 cleanup:
344
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]345 mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
346 mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]347 return( ret );
348}
349
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]350int mbedtls_ssl_tls1_3_derive_early_secrets(
351 mbedtls_md_type_t md_type,
352 unsigned char const *early_secret,
353 unsigned char const *transcript, size_t transcript_len,
354 mbedtls_ssl_tls1_3_early_secrets *derived )
355{
356 int ret;
357 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
358 size_t const md_size = mbedtls_md_get_size( md_info );
359
360 /* We should never call this function with an unknown hash,
361 * but add an assertion anyway. */
362 if( md_info == 0 )
363 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
364
365 /*
366 * 0
367 * |
368 * v
369 * PSK -> HKDF-Extract = Early Secret
370 * |
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame]371 * +-----> Derive-Secret(., "c e traffic", ClientHello)
372 * | = client_early_traffic_secret
373 * |
374 * +-----> Derive-Secret(., "e exp master", ClientHello)
375 * | = early_exporter_master_secret
376 * v
377 */
378
379 /* Create client_early_traffic_secret */
380 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
381 early_secret, md_size,
382 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
383 transcript, transcript_len,
384 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
385 derived->client_early_traffic_secret,
386 md_size );
387 if( ret != 0 )
388 return( ret );
389
390 /* Create early exporter */
391 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
392 early_secret, md_size,
393 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
394 transcript, transcript_len,
395 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
396 derived->early_exporter_master_secret,
397 md_size );
398 if( ret != 0 )
399 return( ret );
400
401 return( 0 );
402}
403
404int mbedtls_ssl_tls1_3_derive_handshake_secrets(
405 mbedtls_md_type_t md_type,
406 unsigned char const *handshake_secret,
407 unsigned char const *transcript, size_t transcript_len,
408 mbedtls_ssl_tls1_3_handshake_secrets *derived )
409{
410 int ret;
411 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
412 size_t const md_size = mbedtls_md_get_size( md_info );
413
414 /* We should never call this function with an unknown hash,
415 * but add an assertion anyway. */
416 if( md_info == 0 )
417 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
418
419 /*
420 *
421 * Handshake Secret
422 * |
423 * +-----> Derive-Secret( ., "c hs traffic",
424 * | ClientHello...ServerHello )
425 * | = client_handshake_traffic_secret
426 * |
427 * +-----> Derive-Secret( ., "s hs traffic",
428 * | ClientHello...ServerHello )
429 * | = server_handshake_traffic_secret
430 *
431 */
432
433 /*
434 * Compute client_handshake_traffic_secret with
435 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
436 */
437
438 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
439 handshake_secret, md_size,
440 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
441 transcript, transcript_len,
442 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
443 derived->client_handshake_traffic_secret,
444 md_size );
445 if( ret != 0 )
446 return( ret );
447
448 /*
449 * Compute server_handshake_traffic_secret with
450 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
451 */
452
453 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
454 handshake_secret, md_size,
455 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
456 transcript, transcript_len,
457 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
458 derived->server_handshake_traffic_secret,
459 md_size );
460 if( ret != 0 )
461 return( ret );
462
463 return( 0 );
464}
465
466int mbedtls_ssl_tls1_3_derive_application_secrets(
467 mbedtls_md_type_t md_type,
468 unsigned char const *application_secret,
469 unsigned char const *transcript, size_t transcript_len,
470 mbedtls_ssl_tls1_3_application_secrets *derived )
471{
472 int ret;
473 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
474 size_t const md_size = mbedtls_md_get_size( md_info );
475
476 /* We should never call this function with an unknown hash,
477 * but add an assertion anyway. */
478 if( md_info == 0 )
479 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
480
481 /* Generate {client,server}_application_traffic_secret_0
482 *
483 * Master Secret
484 * |
485 * +-----> Derive-Secret( ., "c ap traffic",
486 * | ClientHello...server Finished )
487 * | = client_application_traffic_secret_0
488 * |
489 * +-----> Derive-Secret( ., "s ap traffic",
490 * | ClientHello...Server Finished )
491 * | = server_application_traffic_secret_0
492 * |
493 * +-----> Derive-Secret( ., "exp master",
494 * | ClientHello...server Finished)
495 * | = exporter_master_secret
496 *
497 */
498
499 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
500 application_secret, md_size,
501 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
502 transcript, transcript_len,
503 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
504 derived->client_application_traffic_secret_N,
505 md_size );
506 if( ret != 0 )
507 return( ret );
508
509 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
510 application_secret, md_size,
511 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
512 transcript, transcript_len,
513 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
514 derived->server_application_traffic_secret_N,
515 md_size );
516 if( ret != 0 )
517 return( ret );
518
519 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
520 application_secret, md_size,
521 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
522 transcript, transcript_len,
523 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
524 derived->exporter_master_secret,
525 md_size );
526 if( ret != 0 )
527 return( ret );
528
529 return( 0 );
530}
531
532/* Generate resumption_master_secret for use with the ticket exchange.
533 *
534 * This is not integrated with mbedtls_ssl_tls1_3_derive_application_secrets()
535 * because it uses the transcript hash up to and including ClientFinished. */
536int mbedtls_ssl_tls1_3_derive_resumption_master_secret(
537 mbedtls_md_type_t md_type,
538 unsigned char const *application_secret,
539 unsigned char const *transcript, size_t transcript_len,
540 mbedtls_ssl_tls1_3_application_secrets *derived )
541{
542 int ret;
543 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
544 size_t const md_size = mbedtls_md_get_size( md_info );
545
546 /* We should never call this function with an unknown hash,
547 * but add an assertion anyway. */
548 if( md_info == 0 )
549 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
550
551 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
552 application_secret, md_size,
553 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
554 transcript, transcript_len,
555 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
556 derived->resumption_master_secret,
557 md_size );
558
559 if( ret != 0 )
560 return( ret );
561
562 return( 0 );
563}
564
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]565static int ssl_tls1_3_calc_finished_core( mbedtls_md_type_t md_type,
566 unsigned char const *base_key,
567 unsigned char const *transcript,
568 unsigned char *dst )
569{
570 const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type );
571 size_t const md_size = mbedtls_md_get_size( md_info );
572 unsigned char finished_key[MBEDTLS_MD_MAX_SIZE];
573 int ret;
574
575 /* We should never call this function with an unknown hash,
576 * but add an assertion anyway. */
577 if( md_info == 0 )
578 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
579
580 /* TLS 1.3 Finished message
581 *
582 * struct {
583 * opaque verify_data[Hash.length];
584 * } Finished;
585 *
586 * verify_data =
587 * HMAC( finished_key,
588 * Hash( Handshake Context +
589 * Certificate* +
590 * CertificateVerify* )
591 * )
592 *
593 * finished_key =
594 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
595 */
596
597 ret = mbedtls_ssl_tls1_3_hkdf_expand_label(
598 md_type, base_key, md_size,
599 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ),
600 NULL, 0,
601 finished_key, md_size );
602 if( ret != 0 )
603 goto exit;
604
605 ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst );
606 if( ret != 0 )
607 goto exit;
608
609exit:
610
611 mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) );
612 return( ret );
613}
614
615int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl,
616 const mbedtls_md_type_t md_type,
617 unsigned char const *psk, size_t psk_len,
618 int psk_type,
619 unsigned char const *transcript,
620 unsigned char *result )
621{
622 int ret = 0;
623 unsigned char binder_key[MBEDTLS_MD_MAX_SIZE];
624 unsigned char early_secret[MBEDTLS_MD_MAX_SIZE];
625 mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type );
626 size_t const md_size = mbedtls_md_get_size( md_info );
627
Hanno Becker28e5f1e2021-05-26 09:29:49 +0100[diff] [blame]628#if !defined(MBEDTLS_DEBUG_C)
629 ssl = NULL; /* make sure we don't use it except for debug */
630 ((void) ssl);
631#endif
632
Hanno Beckerb7d9bad2021-05-24 06:44:14 +0100[diff] [blame]633 /* We should never call this function with an unknown hash,
634 * but add an assertion anyway. */
635 if( md_info == 0 )
636 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
637
638 /*
639 * 0
640 * |
641 * v
642 * PSK -> HKDF-Extract = Early Secret
643 * |
644 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
645 * | = binder_key
646 * v
647 */
648
649 ret = mbedtls_ssl_tls1_3_evolve_secret( md_type,
650 NULL, /* Old secret */
651 psk, psk_len, /* Input */
652 early_secret );
653 if( ret != 0 )
654 {
655 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret );
656 goto exit;
657 }
658
659 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
660 {
661 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
662 early_secret, md_size,
663 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ),
664 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
665 binder_key, md_size );
666 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) );
667 }
668 else
669 {
670 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
671 early_secret, md_size,
672 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ),
673 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
674 binder_key, md_size );
675 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) );
676 }
677
678 if( ret != 0 )
679 {
680 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_secret", ret );
681 goto exit;
682 }
683
684 /*
685 * The binding_value is computed in the same way as the Finished message
686 * but with the BaseKey being the binder_key.
687 */
688
689 ret = ssl_tls1_3_calc_finished_core( md_type, binder_key, transcript, result );
690 if( ret != 0 )
691 goto exit;
692
693 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size );
694
695exit:
696
697 mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) );
698 mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) );
699 return( ret );
700}
701
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]702int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
703 int endpoint,
704 int ciphersuite,
705 mbedtls_ssl_key_set const *traffic_keys,
706 mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
707{
708 int ret;
709 mbedtls_cipher_info_t const *cipher_info;
710 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
711 unsigned char const *key_enc;
712 unsigned char const *iv_enc;
713 unsigned char const *key_dec;
714 unsigned char const *iv_dec;
715
716#if !defined(MBEDTLS_DEBUG_C)
717 ssl = NULL; /* make sure we don't use it except for those cases */
718 (void) ssl;
719#endif
720
721 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]722 if( ciphersuite_info == NULL )
723 {
724 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
725 ciphersuite ) );
726 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
727 }
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]728
729 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
730 if( cipher_info == NULL )
731 {
Hanno Becker7887a772021-04-20 05:27:57 +0100[diff] [blame]732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
733 ciphersuite_info->cipher ) );
Hanno Beckerf62a7302021-04-21 05:21:28 +0100[diff] [blame]734 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]735 }
736
737 /*
738 * Setup cipher contexts in target transform
739 */
740
741 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
742 cipher_info ) ) != 0 )
743 {
744 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
745 return( ret );
746 }
747
748 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
749 cipher_info ) ) != 0 )
750 {
751 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
752 return( ret );
753 }
754
755#if defined(MBEDTLS_SSL_SRV_C)
756 if( endpoint == MBEDTLS_SSL_IS_SERVER )
757 {
758 key_enc = traffic_keys->server_write_key;
759 key_dec = traffic_keys->client_write_key;
760 iv_enc = traffic_keys->server_write_iv;
761 iv_dec = traffic_keys->client_write_iv;
762 }
763 else
764#endif /* MBEDTLS_SSL_SRV_C */
765#if defined(MBEDTLS_SSL_CLI_C)
766 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
767 {
768 key_enc = traffic_keys->client_write_key;
769 key_dec = traffic_keys->server_write_key;
770 iv_enc = traffic_keys->client_write_iv;
771 iv_dec = traffic_keys->server_write_iv;
772 }
773 else
774#endif /* MBEDTLS_SSL_CLI_C */
775 {
776 /* should not happen */
777 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
778 }
779
780 memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
781 memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
782
783 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
784 key_enc, cipher_info->key_bitlen,
785 MBEDTLS_ENCRYPT ) ) != 0 )
786 {
787 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
788 return( ret );
789 }
790
791 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
792 key_dec, cipher_info->key_bitlen,
793 MBEDTLS_DECRYPT ) ) != 0 )
794 {
795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
796 return( ret );
797 }
798
799 /*
800 * Setup other fields in SSL transform
801 */
802
803 if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
804 transform->taglen = 8;
805 else
806 transform->taglen = 16;
807
808 transform->ivlen = traffic_keys->iv_len;
809 transform->maclen = 0;
810 transform->fixed_ivlen = transform->ivlen;
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]811 transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
812
Hanno Beckeredd5bf02021-04-20 05:32:16 +0100[diff] [blame]813 /* We add the true record content type (1 Byte) to the plaintext and
814 * then pad to the configured granularity. The mimimum length of the
815 * type-extended and padded plaintext is therefore the padding
816 * granularity. */
817 transform->minlen =
818 transform->taglen + MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY;
819
Hanno Beckerc94060c2021-03-22 07:50:44 +0000[diff] [blame]820 return( 0 );
821}
822
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]823#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */