/src/mbedtls/library/ssl_tls13_keys.c
Line | Count | Source |
1 | | /* |
2 | | * TLS 1.3 key schedule |
3 | | * |
4 | | * Copyright The Mbed TLS Contributors |
5 | | * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later |
6 | | */ |
7 | | |
8 | | #include "common.h" |
9 | | |
10 | | #if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
11 | | |
12 | | #include <stdint.h> |
13 | | #include <string.h> |
14 | | |
15 | | #include "mbedtls/hkdf.h" |
16 | | #include "debug_internal.h" |
17 | | #include "mbedtls/error.h" |
18 | | #include "mbedtls/platform.h" |
19 | | |
20 | | #include "ssl_misc.h" |
21 | | #include "ssl_tls13_keys.h" |
22 | | #include "ssl_tls13_invasive.h" |
23 | | |
24 | | #include "psa/crypto.h" |
25 | | #include "mbedtls/psa_util.h" |
26 | | |
27 | | /* Define a local translating function to save code size by not using too many |
28 | | * arguments in each translating place. */ |
29 | | static int local_err_translation(psa_status_t status) |
30 | 0 | { |
31 | 0 | return psa_status_to_mbedtls(status, psa_to_ssl_errors, |
32 | 0 | ARRAY_LENGTH(psa_to_ssl_errors), |
33 | 0 | psa_generic_status_to_mbedtls); |
34 | 0 | } |
35 | 0 | #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) |
36 | | |
37 | | #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ |
38 | | .name = string, |
39 | | |
40 | | struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels = |
41 | | { |
42 | | /* This seems to work in C, despite the string literal being one |
43 | | * character too long due to the 0-termination. */ |
44 | | MBEDTLS_SSL_TLS1_3_LABEL_LIST |
45 | | }; |
46 | | |
47 | | #undef MBEDTLS_SSL_TLS1_3_LABEL |
48 | | |
49 | | /* |
50 | | * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule. |
51 | | * |
52 | | * The HkdfLabel is specified in RFC 8446 as follows: |
53 | | * |
54 | | * struct HkdfLabel { |
55 | | * uint16 length; // Length of expanded key material |
56 | | * opaque label<7..255>; // Always prefixed by "tls13 " |
57 | | * opaque context<0..255>; // Usually a communication transcript hash |
58 | | * }; |
59 | | * |
60 | | * Parameters: |
61 | | * - desired_length: Length of expanded key material. |
62 | | * The length field can hold numbers up to 2**16, but HKDF |
63 | | * can only generate outputs of up to 255 * HASH_LEN bytes. |
64 | | * It is the caller's responsibility to ensure that this |
65 | | * limit is not exceeded. In TLS 1.3, SHA256 is the hash |
66 | | * function with the smallest block size, so a length |
67 | | * <= 255 * 32 = 8160 is always safe. |
68 | | * - (label, label_len): label + label length, without "tls13 " prefix |
69 | | * The label length MUST be less than or equal to |
70 | | * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN. |
71 | | * It is the caller's responsibility to ensure this. |
72 | | * All (label, label length) pairs used in TLS 1.3 |
73 | | * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). |
74 | | * - (ctx, ctx_len): context + context length |
75 | | * The context length MUST be less than or equal to |
76 | | * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN |
77 | | * It is the caller's responsibility to ensure this. |
78 | | * - dst: Target buffer for HkdfLabel structure, |
79 | | * This MUST be a writable buffer of size |
80 | | * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes. |
81 | | * - dst_len: Pointer at which to store the actual length of |
82 | | * the HkdfLabel structure on success. |
83 | | */ |
84 | | |
85 | | /* We need to tell the compiler that we meant to leave out the null character. */ |
86 | | static const char tls13_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "tls13 "; |
87 | | |
88 | | #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \ |
89 | 0 | (2 /* expansion length */ \ |
90 | 0 | + 1 /* label length */ \ |
91 | 0 | + label_len \ |
92 | 0 | + 1 /* context length */ \ |
93 | 0 | + context_len) |
94 | | |
95 | | #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ |
96 | | SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \ |
97 | | sizeof(tls13_label_prefix) + \ |
98 | | MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \ |
99 | | MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) |
100 | | |
101 | | static void ssl_tls13_hkdf_encode_label( |
102 | | size_t desired_length, |
103 | | const unsigned char *label, size_t label_len, |
104 | | const unsigned char *ctx, size_t ctx_len, |
105 | | unsigned char *dst, size_t *dst_len) |
106 | 0 | { |
107 | 0 | size_t total_label_len = |
108 | 0 | sizeof(tls13_label_prefix) + label_len; |
109 | 0 | size_t total_hkdf_lbl_len = |
110 | 0 | SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(total_label_len, ctx_len); |
111 | |
|
112 | 0 | unsigned char *p = dst; |
113 | | |
114 | | /* Add the size of the expanded key material. */ |
115 | | #if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX |
116 | | #error "The desired key length must fit into an uint16 but \ |
117 | | MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX" |
118 | | #endif |
119 | |
|
120 | 0 | *p++ = MBEDTLS_BYTE_1(desired_length); |
121 | 0 | *p++ = MBEDTLS_BYTE_0(desired_length); |
122 | | |
123 | | /* Add label incl. prefix */ |
124 | 0 | *p++ = MBEDTLS_BYTE_0(total_label_len); |
125 | 0 | memcpy(p, tls13_label_prefix, sizeof(tls13_label_prefix)); |
126 | 0 | p += sizeof(tls13_label_prefix); |
127 | 0 | memcpy(p, label, label_len); |
128 | 0 | p += label_len; |
129 | | |
130 | | /* Add context value */ |
131 | 0 | *p++ = MBEDTLS_BYTE_0(ctx_len); |
132 | 0 | if (ctx_len != 0) { |
133 | 0 | memcpy(p, ctx, ctx_len); |
134 | 0 | } |
135 | | |
136 | | /* Return total length to the caller. */ |
137 | 0 | *dst_len = total_hkdf_lbl_len; |
138 | 0 | } |
139 | | |
140 | | int mbedtls_ssl_tls13_hkdf_expand_label( |
141 | | psa_algorithm_t hash_alg, |
142 | | const unsigned char *secret, size_t secret_len, |
143 | | const unsigned char *label, size_t label_len, |
144 | | const unsigned char *ctx, size_t ctx_len, |
145 | | unsigned char *buf, size_t buf_len) |
146 | 0 | { |
147 | 0 | unsigned char hkdf_label[SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN]; |
148 | 0 | size_t hkdf_label_len = 0; |
149 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
150 | 0 | psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; |
151 | 0 | psa_key_derivation_operation_t operation = |
152 | 0 | PSA_KEY_DERIVATION_OPERATION_INIT; |
153 | |
|
154 | 0 | if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) { |
155 | | /* Should never happen since this is an internal |
156 | | * function, and we know statically which labels |
157 | | * are allowed. */ |
158 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
159 | 0 | } |
160 | | |
161 | 0 | if (ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) { |
162 | | /* Should not happen, as above. */ |
163 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
164 | 0 | } |
165 | | |
166 | 0 | if (buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN) { |
167 | | /* Should not happen, as above. */ |
168 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
169 | 0 | } |
170 | | |
171 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
172 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
173 | 0 | } |
174 | | |
175 | 0 | ssl_tls13_hkdf_encode_label(buf_len, |
176 | 0 | label, label_len, |
177 | 0 | ctx, ctx_len, |
178 | 0 | hkdf_label, |
179 | 0 | &hkdf_label_len); |
180 | |
|
181 | 0 | status = psa_key_derivation_setup(&operation, PSA_ALG_HKDF_EXPAND(hash_alg)); |
182 | |
|
183 | 0 | if (status != PSA_SUCCESS) { |
184 | 0 | goto cleanup; |
185 | 0 | } |
186 | | |
187 | 0 | status = psa_key_derivation_input_bytes(&operation, |
188 | 0 | PSA_KEY_DERIVATION_INPUT_SECRET, |
189 | 0 | secret, |
190 | 0 | secret_len); |
191 | |
|
192 | 0 | if (status != PSA_SUCCESS) { |
193 | 0 | goto cleanup; |
194 | 0 | } |
195 | | |
196 | 0 | status = psa_key_derivation_input_bytes(&operation, |
197 | 0 | PSA_KEY_DERIVATION_INPUT_INFO, |
198 | 0 | hkdf_label, |
199 | 0 | hkdf_label_len); |
200 | |
|
201 | 0 | if (status != PSA_SUCCESS) { |
202 | 0 | goto cleanup; |
203 | 0 | } |
204 | | |
205 | 0 | status = psa_key_derivation_output_bytes(&operation, |
206 | 0 | buf, |
207 | 0 | buf_len); |
208 | |
|
209 | 0 | if (status != PSA_SUCCESS) { |
210 | 0 | goto cleanup; |
211 | 0 | } |
212 | | |
213 | 0 | cleanup: |
214 | 0 | abort_status = psa_key_derivation_abort(&operation); |
215 | 0 | status = (status == PSA_SUCCESS ? abort_status : status); |
216 | 0 | mbedtls_platform_zeroize(hkdf_label, hkdf_label_len); |
217 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
218 | 0 | } |
219 | | |
220 | | MBEDTLS_CHECK_RETURN_CRITICAL |
221 | | static int ssl_tls13_make_traffic_key( |
222 | | psa_algorithm_t hash_alg, |
223 | | const unsigned char *secret, size_t secret_len, |
224 | | unsigned char *key, size_t key_len, |
225 | | unsigned char *iv, size_t iv_len) |
226 | 0 | { |
227 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
228 | |
|
229 | 0 | ret = mbedtls_ssl_tls13_hkdf_expand_label( |
230 | 0 | hash_alg, |
231 | 0 | secret, secret_len, |
232 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(key), |
233 | 0 | NULL, 0, |
234 | 0 | key, key_len); |
235 | 0 | if (ret != 0) { |
236 | 0 | return ret; |
237 | 0 | } |
238 | | |
239 | 0 | ret = mbedtls_ssl_tls13_hkdf_expand_label( |
240 | 0 | hash_alg, |
241 | 0 | secret, secret_len, |
242 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(iv), |
243 | 0 | NULL, 0, |
244 | 0 | iv, iv_len); |
245 | 0 | return ret; |
246 | 0 | } |
247 | | |
248 | | /* |
249 | | * The traffic keying material is generated from the following inputs: |
250 | | * |
251 | | * - One secret value per sender. |
252 | | * - A purpose value indicating the specific value being generated |
253 | | * - The desired lengths of key and IV. |
254 | | * |
255 | | * The expansion itself is based on HKDF: |
256 | | * |
257 | | * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length ) |
258 | | * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length ) |
259 | | * |
260 | | * [sender] denotes the sending side and the Secret value is provided |
261 | | * by the function caller. Note that we generate server and client side |
262 | | * keys in a single function call. |
263 | | */ |
264 | | int mbedtls_ssl_tls13_make_traffic_keys( |
265 | | psa_algorithm_t hash_alg, |
266 | | const unsigned char *client_secret, |
267 | | const unsigned char *server_secret, size_t secret_len, |
268 | | size_t key_len, size_t iv_len, |
269 | | mbedtls_ssl_key_set *keys) |
270 | 0 | { |
271 | 0 | int ret = 0; |
272 | |
|
273 | 0 | ret = ssl_tls13_make_traffic_key( |
274 | 0 | hash_alg, client_secret, secret_len, |
275 | 0 | keys->client_write_key, key_len, |
276 | 0 | keys->client_write_iv, iv_len); |
277 | 0 | if (ret != 0) { |
278 | 0 | return ret; |
279 | 0 | } |
280 | | |
281 | 0 | ret = ssl_tls13_make_traffic_key( |
282 | 0 | hash_alg, server_secret, secret_len, |
283 | 0 | keys->server_write_key, key_len, |
284 | 0 | keys->server_write_iv, iv_len); |
285 | 0 | if (ret != 0) { |
286 | 0 | return ret; |
287 | 0 | } |
288 | | |
289 | 0 | keys->key_len = key_len; |
290 | 0 | keys->iv_len = iv_len; |
291 | |
|
292 | 0 | return 0; |
293 | 0 | } |
294 | | |
295 | | int mbedtls_ssl_tls13_derive_secret( |
296 | | psa_algorithm_t hash_alg, |
297 | | const unsigned char *secret, size_t secret_len, |
298 | | const unsigned char *label, size_t label_len, |
299 | | const unsigned char *ctx, size_t ctx_len, |
300 | | int ctx_hashed, |
301 | | unsigned char *dstbuf, size_t dstbuf_len) |
302 | 0 | { |
303 | 0 | int ret; |
304 | 0 | unsigned char hashed_context[PSA_HASH_MAX_SIZE]; |
305 | 0 | if (ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED) { |
306 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
307 | |
|
308 | 0 | status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context, |
309 | 0 | PSA_HASH_LENGTH(hash_alg), &ctx_len); |
310 | 0 | if (status != PSA_SUCCESS) { |
311 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
312 | 0 | return ret; |
313 | 0 | } |
314 | 0 | } else { |
315 | 0 | if (ctx_len > sizeof(hashed_context)) { |
316 | | /* This should never happen since this function is internal |
317 | | * and the code sets `ctx_hashed` correctly. |
318 | | * Let's double-check nonetheless to not run at the risk |
319 | | * of getting a stack overflow. */ |
320 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
321 | 0 | } |
322 | | |
323 | 0 | memcpy(hashed_context, ctx, ctx_len); |
324 | 0 | } |
325 | | |
326 | 0 | return mbedtls_ssl_tls13_hkdf_expand_label(hash_alg, |
327 | 0 | secret, secret_len, |
328 | 0 | label, label_len, |
329 | 0 | hashed_context, ctx_len, |
330 | 0 | dstbuf, dstbuf_len); |
331 | |
|
332 | 0 | } |
333 | | |
334 | | int mbedtls_ssl_tls13_evolve_secret( |
335 | | psa_algorithm_t hash_alg, |
336 | | const unsigned char *secret_old, |
337 | | const unsigned char *input, size_t input_len, |
338 | | unsigned char *secret_new) |
339 | 0 | { |
340 | 0 | int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
341 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
342 | 0 | psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED; |
343 | 0 | size_t hlen; |
344 | 0 | unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 }; |
345 | 0 | const unsigned char all_zeroes_input[MBEDTLS_TLS1_3_MD_MAX_SIZE] = { 0 }; |
346 | 0 | const unsigned char *l_input = NULL; |
347 | 0 | size_t l_input_len; |
348 | |
|
349 | 0 | psa_key_derivation_operation_t operation = |
350 | 0 | PSA_KEY_DERIVATION_OPERATION_INIT; |
351 | |
|
352 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
353 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
354 | 0 | } |
355 | | |
356 | 0 | hlen = PSA_HASH_LENGTH(hash_alg); |
357 | | |
358 | | /* For non-initial runs, call Derive-Secret( ., "derived", "") |
359 | | * on the old secret. */ |
360 | 0 | if (secret_old != NULL) { |
361 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
362 | 0 | hash_alg, |
363 | 0 | secret_old, hlen, |
364 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(derived), |
365 | 0 | NULL, 0, /* context */ |
366 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, |
367 | 0 | tmp_secret, hlen); |
368 | 0 | if (ret != 0) { |
369 | 0 | goto cleanup; |
370 | 0 | } |
371 | 0 | } |
372 | | |
373 | 0 | ret = 0; |
374 | |
|
375 | 0 | if (input != NULL && input_len != 0) { |
376 | 0 | l_input = input; |
377 | 0 | l_input_len = input_len; |
378 | 0 | } else { |
379 | 0 | l_input = all_zeroes_input; |
380 | 0 | l_input_len = hlen; |
381 | 0 | } |
382 | |
|
383 | 0 | status = psa_key_derivation_setup(&operation, |
384 | 0 | PSA_ALG_HKDF_EXTRACT(hash_alg)); |
385 | |
|
386 | 0 | if (status != PSA_SUCCESS) { |
387 | 0 | goto cleanup; |
388 | 0 | } |
389 | | |
390 | 0 | status = psa_key_derivation_input_bytes(&operation, |
391 | 0 | PSA_KEY_DERIVATION_INPUT_SALT, |
392 | 0 | tmp_secret, |
393 | 0 | hlen); |
394 | |
|
395 | 0 | if (status != PSA_SUCCESS) { |
396 | 0 | goto cleanup; |
397 | 0 | } |
398 | | |
399 | 0 | status = psa_key_derivation_input_bytes(&operation, |
400 | 0 | PSA_KEY_DERIVATION_INPUT_SECRET, |
401 | 0 | l_input, l_input_len); |
402 | |
|
403 | 0 | if (status != PSA_SUCCESS) { |
404 | 0 | goto cleanup; |
405 | 0 | } |
406 | | |
407 | 0 | status = psa_key_derivation_output_bytes(&operation, |
408 | 0 | secret_new, |
409 | 0 | PSA_HASH_LENGTH(hash_alg)); |
410 | |
|
411 | 0 | if (status != PSA_SUCCESS) { |
412 | 0 | goto cleanup; |
413 | 0 | } |
414 | | |
415 | 0 | cleanup: |
416 | 0 | abort_status = psa_key_derivation_abort(&operation); |
417 | 0 | status = (status == PSA_SUCCESS ? abort_status : status); |
418 | 0 | ret = (ret == 0 ? PSA_TO_MBEDTLS_ERR(status) : ret); |
419 | 0 | mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret)); |
420 | 0 | return ret; |
421 | 0 | } |
422 | | |
423 | | int mbedtls_ssl_tls13_derive_early_secrets( |
424 | | psa_algorithm_t hash_alg, |
425 | | unsigned char const *early_secret, |
426 | | unsigned char const *transcript, size_t transcript_len, |
427 | | mbedtls_ssl_tls13_early_secrets *derived) |
428 | 0 | { |
429 | 0 | int ret; |
430 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
431 | | |
432 | | /* We should never call this function with an unknown hash, |
433 | | * but add an assertion anyway. */ |
434 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
435 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
436 | 0 | } |
437 | | |
438 | | /* |
439 | | * 0 |
440 | | * | |
441 | | * v |
442 | | * PSK -> HKDF-Extract = Early Secret |
443 | | * | |
444 | | * +-----> Derive-Secret(., "c e traffic", ClientHello) |
445 | | * | = client_early_traffic_secret |
446 | | * | |
447 | | * +-----> Derive-Secret(., "e exp master", ClientHello) |
448 | | * | = early_exporter_master_secret |
449 | | * v |
450 | | */ |
451 | | |
452 | | /* Create client_early_traffic_secret */ |
453 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
454 | 0 | hash_alg, |
455 | 0 | early_secret, hash_len, |
456 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic), |
457 | 0 | transcript, transcript_len, |
458 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
459 | 0 | derived->client_early_traffic_secret, |
460 | 0 | hash_len); |
461 | 0 | if (ret != 0) { |
462 | 0 | return ret; |
463 | 0 | } |
464 | | |
465 | | /* Create early exporter */ |
466 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
467 | 0 | hash_alg, |
468 | 0 | early_secret, hash_len, |
469 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master), |
470 | 0 | transcript, transcript_len, |
471 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
472 | 0 | derived->early_exporter_master_secret, |
473 | 0 | hash_len); |
474 | 0 | if (ret != 0) { |
475 | 0 | return ret; |
476 | 0 | } |
477 | | |
478 | 0 | return 0; |
479 | 0 | } |
480 | | |
481 | | int mbedtls_ssl_tls13_derive_handshake_secrets( |
482 | | psa_algorithm_t hash_alg, |
483 | | unsigned char const *handshake_secret, |
484 | | unsigned char const *transcript, size_t transcript_len, |
485 | | mbedtls_ssl_tls13_handshake_secrets *derived) |
486 | 0 | { |
487 | 0 | int ret; |
488 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
489 | | |
490 | | /* We should never call this function with an unknown hash, |
491 | | * but add an assertion anyway. */ |
492 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
493 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
494 | 0 | } |
495 | | |
496 | | /* |
497 | | * |
498 | | * Handshake Secret |
499 | | * | |
500 | | * +-----> Derive-Secret( ., "c hs traffic", |
501 | | * | ClientHello...ServerHello ) |
502 | | * | = client_handshake_traffic_secret |
503 | | * | |
504 | | * +-----> Derive-Secret( ., "s hs traffic", |
505 | | * | ClientHello...ServerHello ) |
506 | | * | = server_handshake_traffic_secret |
507 | | * |
508 | | */ |
509 | | |
510 | | /* |
511 | | * Compute client_handshake_traffic_secret with |
512 | | * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) |
513 | | */ |
514 | | |
515 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
516 | 0 | hash_alg, |
517 | 0 | handshake_secret, hash_len, |
518 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic), |
519 | 0 | transcript, transcript_len, |
520 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
521 | 0 | derived->client_handshake_traffic_secret, |
522 | 0 | hash_len); |
523 | 0 | if (ret != 0) { |
524 | 0 | return ret; |
525 | 0 | } |
526 | | |
527 | | /* |
528 | | * Compute server_handshake_traffic_secret with |
529 | | * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) |
530 | | */ |
531 | | |
532 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
533 | 0 | hash_alg, |
534 | 0 | handshake_secret, hash_len, |
535 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic), |
536 | 0 | transcript, transcript_len, |
537 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
538 | 0 | derived->server_handshake_traffic_secret, |
539 | 0 | hash_len); |
540 | 0 | if (ret != 0) { |
541 | 0 | return ret; |
542 | 0 | } |
543 | | |
544 | 0 | return 0; |
545 | 0 | } |
546 | | |
547 | | int mbedtls_ssl_tls13_derive_application_secrets( |
548 | | psa_algorithm_t hash_alg, |
549 | | unsigned char const *application_secret, |
550 | | unsigned char const *transcript, size_t transcript_len, |
551 | | mbedtls_ssl_tls13_application_secrets *derived) |
552 | 0 | { |
553 | 0 | int ret; |
554 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
555 | | |
556 | | /* We should never call this function with an unknown hash, |
557 | | * but add an assertion anyway. */ |
558 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
559 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
560 | 0 | } |
561 | | |
562 | | /* Generate {client,server}_application_traffic_secret_0 |
563 | | * |
564 | | * Master Secret |
565 | | * | |
566 | | * +-----> Derive-Secret( ., "c ap traffic", |
567 | | * | ClientHello...server Finished ) |
568 | | * | = client_application_traffic_secret_0 |
569 | | * | |
570 | | * +-----> Derive-Secret( ., "s ap traffic", |
571 | | * | ClientHello...Server Finished ) |
572 | | * | = server_application_traffic_secret_0 |
573 | | * | |
574 | | * +-----> Derive-Secret( ., "exp master", |
575 | | * | ClientHello...server Finished) |
576 | | * | = exporter_master_secret |
577 | | * |
578 | | */ |
579 | | |
580 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
581 | 0 | hash_alg, |
582 | 0 | application_secret, hash_len, |
583 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic), |
584 | 0 | transcript, transcript_len, |
585 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
586 | 0 | derived->client_application_traffic_secret_N, |
587 | 0 | hash_len); |
588 | 0 | if (ret != 0) { |
589 | 0 | return ret; |
590 | 0 | } |
591 | | |
592 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
593 | 0 | hash_alg, |
594 | 0 | application_secret, hash_len, |
595 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic), |
596 | 0 | transcript, transcript_len, |
597 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
598 | 0 | derived->server_application_traffic_secret_N, |
599 | 0 | hash_len); |
600 | 0 | if (ret != 0) { |
601 | 0 | return ret; |
602 | 0 | } |
603 | | |
604 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
605 | 0 | hash_alg, |
606 | 0 | application_secret, hash_len, |
607 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master), |
608 | 0 | transcript, transcript_len, |
609 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
610 | 0 | derived->exporter_master_secret, |
611 | 0 | hash_len); |
612 | 0 | if (ret != 0) { |
613 | 0 | return ret; |
614 | 0 | } |
615 | | |
616 | 0 | return 0; |
617 | 0 | } |
618 | | |
619 | | /* Generate resumption_master_secret for use with the ticket exchange. |
620 | | * |
621 | | * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets() |
622 | | * because it uses the transcript hash up to and including ClientFinished. */ |
623 | | int mbedtls_ssl_tls13_derive_resumption_master_secret( |
624 | | psa_algorithm_t hash_alg, |
625 | | unsigned char const *application_secret, |
626 | | unsigned char const *transcript, size_t transcript_len, |
627 | | mbedtls_ssl_tls13_application_secrets *derived) |
628 | 0 | { |
629 | 0 | int ret; |
630 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
631 | | |
632 | | /* We should never call this function with an unknown hash, |
633 | | * but add an assertion anyway. */ |
634 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
635 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
636 | 0 | } |
637 | | |
638 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
639 | 0 | hash_alg, |
640 | 0 | application_secret, hash_len, |
641 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master), |
642 | 0 | transcript, transcript_len, |
643 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, |
644 | 0 | derived->resumption_master_secret, |
645 | 0 | hash_len); |
646 | |
|
647 | 0 | if (ret != 0) { |
648 | 0 | return ret; |
649 | 0 | } |
650 | | |
651 | 0 | return 0; |
652 | 0 | } |
653 | | |
654 | | /** |
655 | | * \brief Transition into application stage of TLS 1.3 key schedule. |
656 | | * |
657 | | * The TLS 1.3 key schedule can be viewed as a simple state machine |
658 | | * with states Initial -> Early -> Handshake -> Application, and |
659 | | * this function represents the Handshake -> Application transition. |
660 | | * |
661 | | * In the handshake stage, ssl_tls13_generate_application_keys() |
662 | | * can be used to derive the handshake traffic keys. |
663 | | * |
664 | | * \param ssl The SSL context to operate on. This must be in key schedule |
665 | | * stage \c Handshake. |
666 | | * |
667 | | * \returns \c 0 on success. |
668 | | * \returns A negative error code on failure. |
669 | | */ |
670 | | MBEDTLS_CHECK_RETURN_CRITICAL |
671 | | static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl) |
672 | 0 | { |
673 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
674 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
675 | 0 | psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type( |
676 | 0 | (mbedtls_md_type_t) handshake->ciphersuite_info->mac); |
677 | | |
678 | | /* |
679 | | * Compute MasterSecret |
680 | | */ |
681 | 0 | ret = mbedtls_ssl_tls13_evolve_secret( |
682 | 0 | hash_alg, |
683 | 0 | handshake->tls13_master_secrets.handshake, |
684 | 0 | NULL, 0, |
685 | 0 | handshake->tls13_master_secrets.app); |
686 | 0 | if (ret != 0) { |
687 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); |
688 | 0 | return ret; |
689 | 0 | } |
690 | | |
691 | 0 | MBEDTLS_SSL_DEBUG_BUF( |
692 | 0 | 4, "Master secret", |
693 | 0 | handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg)); |
694 | |
|
695 | 0 | return 0; |
696 | 0 | } |
697 | | |
698 | | MBEDTLS_CHECK_RETURN_CRITICAL |
699 | | static int ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg, |
700 | | unsigned char const *base_key, |
701 | | unsigned char const *transcript, |
702 | | unsigned char *dst, |
703 | | size_t *dst_len) |
704 | 0 | { |
705 | 0 | mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; |
706 | 0 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
707 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
708 | 0 | size_t hash_len = PSA_HASH_LENGTH(hash_alg); |
709 | 0 | unsigned char finished_key[PSA_MAC_MAX_SIZE]; |
710 | 0 | int ret; |
711 | 0 | psa_algorithm_t alg; |
712 | | |
713 | | /* We should never call this function with an unknown hash, |
714 | | * but add an assertion anyway. */ |
715 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
716 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
717 | 0 | } |
718 | | |
719 | | /* TLS 1.3 Finished message |
720 | | * |
721 | | * struct { |
722 | | * opaque verify_data[Hash.length]; |
723 | | * } Finished; |
724 | | * |
725 | | * verify_data = |
726 | | * HMAC( finished_key, |
727 | | * Hash( Handshake Context + |
728 | | * Certificate* + |
729 | | * CertificateVerify* ) |
730 | | * ) |
731 | | * |
732 | | * finished_key = |
733 | | * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) |
734 | | */ |
735 | | |
736 | 0 | ret = mbedtls_ssl_tls13_hkdf_expand_label( |
737 | 0 | hash_alg, base_key, hash_len, |
738 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(finished), |
739 | 0 | NULL, 0, |
740 | 0 | finished_key, hash_len); |
741 | 0 | if (ret != 0) { |
742 | 0 | goto exit; |
743 | 0 | } |
744 | | |
745 | 0 | alg = PSA_ALG_HMAC(hash_alg); |
746 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); |
747 | 0 | psa_set_key_algorithm(&attributes, alg); |
748 | 0 | psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); |
749 | |
|
750 | 0 | status = psa_import_key(&attributes, finished_key, hash_len, &key); |
751 | 0 | if (status != PSA_SUCCESS) { |
752 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
753 | 0 | goto exit; |
754 | 0 | } |
755 | | |
756 | 0 | status = psa_mac_compute(key, alg, transcript, hash_len, |
757 | 0 | dst, hash_len, dst_len); |
758 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
759 | |
|
760 | 0 | exit: |
761 | |
|
762 | 0 | status = psa_destroy_key(key); |
763 | 0 | if (ret == 0) { |
764 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
765 | 0 | } |
766 | |
|
767 | 0 | mbedtls_platform_zeroize(finished_key, sizeof(finished_key)); |
768 | |
|
769 | 0 | return ret; |
770 | 0 | } |
771 | | |
772 | | int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl, |
773 | | unsigned char *dst, |
774 | | size_t dst_len, |
775 | | size_t *actual_len, |
776 | | int from) |
777 | 0 | { |
778 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
779 | |
|
780 | 0 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
781 | 0 | size_t transcript_len; |
782 | |
|
783 | 0 | unsigned char *base_key = NULL; |
784 | 0 | size_t base_key_len = 0; |
785 | 0 | mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = |
786 | 0 | &ssl->handshake->tls13_hs_secrets; |
787 | |
|
788 | 0 | mbedtls_md_type_t const md_type = (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac; |
789 | |
|
790 | 0 | psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type( |
791 | 0 | (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac); |
792 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
793 | |
|
794 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_tls13_calculate_verify_data")); |
795 | |
|
796 | 0 | if (from == MBEDTLS_SSL_IS_CLIENT) { |
797 | 0 | base_key = tls13_hs_secrets->client_handshake_traffic_secret; |
798 | 0 | base_key_len = sizeof(tls13_hs_secrets->client_handshake_traffic_secret); |
799 | 0 | } else { |
800 | 0 | base_key = tls13_hs_secrets->server_handshake_traffic_secret; |
801 | 0 | base_key_len = sizeof(tls13_hs_secrets->server_handshake_traffic_secret); |
802 | 0 | } |
803 | |
|
804 | 0 | if (dst_len < hash_len) { |
805 | 0 | ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; |
806 | 0 | goto exit; |
807 | 0 | } |
808 | | |
809 | 0 | ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type, |
810 | 0 | transcript, sizeof(transcript), |
811 | 0 | &transcript_len); |
812 | 0 | if (ret != 0) { |
813 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret); |
814 | 0 | goto exit; |
815 | 0 | } |
816 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len); |
817 | |
|
818 | 0 | ret = ssl_tls13_calc_finished_core(hash_alg, base_key, |
819 | 0 | transcript, dst, actual_len); |
820 | 0 | if (ret != 0) { |
821 | 0 | goto exit; |
822 | 0 | } |
823 | | |
824 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "verify_data for finished message", dst, hash_len); |
825 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_tls13_calculate_verify_data")); |
826 | |
|
827 | 0 | exit: |
828 | | /* Erase handshake secrets */ |
829 | 0 | mbedtls_platform_zeroize(base_key, base_key_len); |
830 | 0 | mbedtls_platform_zeroize(transcript, sizeof(transcript)); |
831 | 0 | return ret; |
832 | 0 | } |
833 | | |
834 | | int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl, |
835 | | const psa_algorithm_t hash_alg, |
836 | | unsigned char const *psk, size_t psk_len, |
837 | | int psk_type, |
838 | | unsigned char const *transcript, |
839 | | unsigned char *result) |
840 | 0 | { |
841 | 0 | int ret = 0; |
842 | 0 | unsigned char binder_key[PSA_MAC_MAX_SIZE]; |
843 | 0 | unsigned char early_secret[PSA_MAC_MAX_SIZE]; |
844 | 0 | size_t const hash_len = PSA_HASH_LENGTH(hash_alg); |
845 | 0 | size_t actual_len; |
846 | |
|
847 | | #if !defined(MBEDTLS_DEBUG_C) |
848 | | ssl = NULL; /* make sure we don't use it except for debug */ |
849 | | ((void) ssl); |
850 | | #endif |
851 | | |
852 | | /* We should never call this function with an unknown hash, |
853 | | * but add an assertion anyway. */ |
854 | 0 | if (!PSA_ALG_IS_HASH(hash_alg)) { |
855 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
856 | 0 | } |
857 | | |
858 | | /* |
859 | | * 0 |
860 | | * | |
861 | | * v |
862 | | * PSK -> HKDF-Extract = Early Secret |
863 | | * | |
864 | | * +-----> Derive-Secret(., "ext binder" | "res binder", "") |
865 | | * | = binder_key |
866 | | * v |
867 | | */ |
868 | | |
869 | 0 | ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, |
870 | 0 | NULL, /* Old secret */ |
871 | 0 | psk, psk_len, /* Input */ |
872 | 0 | early_secret); |
873 | 0 | if (ret != 0) { |
874 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); |
875 | 0 | goto exit; |
876 | 0 | } |
877 | | |
878 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_create_psk_binder", |
879 | 0 | early_secret, hash_len); |
880 | |
|
881 | 0 | if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) { |
882 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
883 | 0 | hash_alg, |
884 | 0 | early_secret, hash_len, |
885 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder), |
886 | 0 | NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, |
887 | 0 | binder_key, hash_len); |
888 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'")); |
889 | 0 | } else { |
890 | 0 | ret = mbedtls_ssl_tls13_derive_secret( |
891 | 0 | hash_alg, |
892 | 0 | early_secret, hash_len, |
893 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder), |
894 | 0 | NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, |
895 | 0 | binder_key, hash_len); |
896 | 0 | MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'")); |
897 | 0 | } |
898 | |
|
899 | 0 | if (ret != 0) { |
900 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_secret", ret); |
901 | 0 | goto exit; |
902 | 0 | } |
903 | | |
904 | | /* |
905 | | * The binding_value is computed in the same way as the Finished message |
906 | | * but with the BaseKey being the binder_key. |
907 | | */ |
908 | | |
909 | 0 | ret = ssl_tls13_calc_finished_core(hash_alg, binder_key, transcript, |
910 | 0 | result, &actual_len); |
911 | 0 | if (ret != 0) { |
912 | 0 | goto exit; |
913 | 0 | } |
914 | | |
915 | 0 | MBEDTLS_SSL_DEBUG_BUF(3, "psk binder", result, actual_len); |
916 | |
|
917 | 0 | exit: |
918 | |
|
919 | 0 | mbedtls_platform_zeroize(early_secret, sizeof(early_secret)); |
920 | 0 | mbedtls_platform_zeroize(binder_key, sizeof(binder_key)); |
921 | 0 | return ret; |
922 | 0 | } |
923 | | |
924 | | int mbedtls_ssl_tls13_populate_transform( |
925 | | mbedtls_ssl_transform *transform, |
926 | | int endpoint, int ciphersuite, |
927 | | mbedtls_ssl_key_set const *traffic_keys, |
928 | | mbedtls_ssl_context *ssl /* DEBUG ONLY */) |
929 | 0 | { |
930 | | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
931 | | int ret; |
932 | | mbedtls_cipher_info_t const *cipher_info; |
933 | | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
934 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info; |
935 | 0 | unsigned char const *key_enc; |
936 | 0 | unsigned char const *iv_enc; |
937 | 0 | unsigned char const *key_dec; |
938 | 0 | unsigned char const *iv_dec; |
939 | |
|
940 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
941 | | psa_key_type_t key_type; |
942 | 0 | psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; |
943 | | psa_algorithm_t alg; |
944 | | size_t key_bits; |
945 | 0 | psa_status_t status = PSA_SUCCESS; |
946 | | #endif |
947 | |
|
948 | | #if !defined(MBEDTLS_DEBUG_C) |
949 | | ssl = NULL; /* make sure we don't use it except for those cases */ |
950 | | (void) ssl; |
951 | | #endif |
952 | |
|
953 | 0 | ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); |
954 | 0 | if (ciphersuite_info == NULL) { |
955 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", |
956 | 0 | ciphersuite)); |
957 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
958 | 0 | } |
959 | | |
960 | | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
961 | 0 | cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher); |
962 | 0 | if (cipher_info == NULL) { |
963 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", |
964 | 0 | ciphersuite_info->cipher)); |
965 | 0 | return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; |
966 | 0 | } |
967 | | |
968 | | /* |
969 | | * Setup cipher contexts in target transform |
970 | | */ |
971 | 0 | if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, |
972 | 0 | cipher_info)) != 0) { |
973 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); |
974 | 0 | return ret; |
975 | 0 | } |
976 | | |
977 | 0 | if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, |
978 | 0 | cipher_info)) != 0) { |
979 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); |
980 | 0 | return ret; |
981 | 0 | } |
982 | 0 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
983 | | |
984 | 0 | #if defined(MBEDTLS_SSL_SRV_C) |
985 | 0 | if (endpoint == MBEDTLS_SSL_IS_SERVER) { |
986 | 0 | key_enc = traffic_keys->server_write_key; |
987 | 0 | key_dec = traffic_keys->client_write_key; |
988 | 0 | iv_enc = traffic_keys->server_write_iv; |
989 | 0 | iv_dec = traffic_keys->client_write_iv; |
990 | 0 | } else |
991 | 0 | #endif /* MBEDTLS_SSL_SRV_C */ |
992 | 0 | #if defined(MBEDTLS_SSL_CLI_C) |
993 | 0 | if (endpoint == MBEDTLS_SSL_IS_CLIENT) { |
994 | 0 | key_enc = traffic_keys->client_write_key; |
995 | 0 | key_dec = traffic_keys->server_write_key; |
996 | 0 | iv_enc = traffic_keys->client_write_iv; |
997 | 0 | iv_dec = traffic_keys->server_write_iv; |
998 | 0 | } else |
999 | 0 | #endif /* MBEDTLS_SSL_CLI_C */ |
1000 | 0 | { |
1001 | | /* should not happen */ |
1002 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
1003 | 0 | } |
1004 | | |
1005 | 0 | memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len); |
1006 | 0 | memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len); |
1007 | |
|
1008 | | #if !defined(MBEDTLS_USE_PSA_CRYPTO) |
1009 | 0 | if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, |
1010 | 0 | key_enc, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), |
1011 | 0 | MBEDTLS_ENCRYPT)) != 0) { |
1012 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); |
1013 | 0 | return ret; |
1014 | 0 | } |
1015 | | |
1016 | 0 | if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, |
1017 | 0 | key_dec, (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), |
1018 | 0 | MBEDTLS_DECRYPT)) != 0) { |
1019 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); |
1020 | 0 | return ret; |
1021 | 0 | } |
1022 | 0 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1023 | | |
1024 | | /* |
1025 | | * Setup other fields in SSL transform |
1026 | | */ |
1027 | | |
1028 | 0 | if ((ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) != 0) { |
1029 | 0 | transform->taglen = 8; |
1030 | 0 | } else { |
1031 | 0 | transform->taglen = 16; |
1032 | 0 | } |
1033 | |
|
1034 | 0 | transform->ivlen = traffic_keys->iv_len; |
1035 | 0 | transform->maclen = 0; |
1036 | 0 | transform->fixed_ivlen = transform->ivlen; |
1037 | 0 | transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; |
1038 | | |
1039 | | /* We add the true record content type (1 Byte) to the plaintext and |
1040 | | * then pad to the configured granularity. The minimum length of the |
1041 | | * type-extended and padded plaintext is therefore the padding |
1042 | | * granularity. */ |
1043 | 0 | transform->minlen = |
1044 | 0 | transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; |
1045 | |
|
1046 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1047 | | /* |
1048 | | * Setup psa keys and alg |
1049 | | */ |
1050 | 0 | if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, |
1051 | 0 | transform->taglen, |
1052 | 0 | &alg, |
1053 | 0 | &key_type, |
1054 | 0 | &key_bits)) != PSA_SUCCESS) { |
1055 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1056 | 0 | 1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status)); |
1057 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1058 | 0 | } |
1059 | | |
1060 | 0 | transform->psa_alg = alg; |
1061 | |
|
1062 | 0 | if (alg != MBEDTLS_SSL_NULL_CIPHER) { |
1063 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); |
1064 | 0 | psa_set_key_algorithm(&attributes, alg); |
1065 | 0 | psa_set_key_type(&attributes, key_type); |
1066 | |
|
1067 | 0 | if ((status = psa_import_key(&attributes, |
1068 | 0 | key_enc, |
1069 | 0 | PSA_BITS_TO_BYTES(key_bits), |
1070 | 0 | &transform->psa_key_enc)) != PSA_SUCCESS) { |
1071 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1072 | 0 | 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); |
1073 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1074 | 0 | } |
1075 | | |
1076 | 0 | psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); |
1077 | |
|
1078 | 0 | if ((status = psa_import_key(&attributes, |
1079 | 0 | key_dec, |
1080 | 0 | PSA_BITS_TO_BYTES(key_bits), |
1081 | 0 | &transform->psa_key_dec)) != PSA_SUCCESS) { |
1082 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1083 | 0 | 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status)); |
1084 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1085 | 0 | } |
1086 | 0 | } |
1087 | 0 | #endif /* MBEDTLS_USE_PSA_CRYPTO */ |
1088 | | |
1089 | 0 | return 0; |
1090 | 0 | } Unexecuted instantiation: mbedtls_ssl_tls13_populate_transform Unexecuted instantiation: mbedtls_ssl_tls13_populate_transform |
1091 | | |
1092 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1093 | | static int ssl_tls13_get_cipher_key_info( |
1094 | | const mbedtls_ssl_ciphersuite_t *ciphersuite_info, |
1095 | | size_t *key_len, size_t *iv_len) |
1096 | 0 | { |
1097 | 0 | psa_key_type_t key_type; |
1098 | 0 | psa_algorithm_t alg; |
1099 | 0 | size_t taglen; |
1100 | 0 | size_t key_bits; |
1101 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1102 | |
|
1103 | 0 | if (ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) { |
1104 | 0 | taglen = 8; |
1105 | 0 | } else { |
1106 | 0 | taglen = 16; |
1107 | 0 | } |
1108 | |
|
1109 | 0 | status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, taglen, |
1110 | 0 | &alg, &key_type, &key_bits); |
1111 | 0 | if (status != PSA_SUCCESS) { |
1112 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1113 | 0 | } |
1114 | | |
1115 | 0 | *key_len = PSA_BITS_TO_BYTES(key_bits); |
1116 | | |
1117 | | /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ |
1118 | 0 | *iv_len = 12; |
1119 | |
|
1120 | 0 | return 0; |
1121 | 0 | } |
1122 | | |
1123 | | #if defined(MBEDTLS_SSL_EARLY_DATA) |
1124 | | /* |
1125 | | * ssl_tls13_generate_early_key() generates the key necessary for protecting |
1126 | | * the early application data and handshake messages as described in section 7 |
1127 | | * of RFC 8446. |
1128 | | * |
1129 | | * NOTE: Only one key is generated, the key for the traffic from the client to |
1130 | | * the server. The TLS 1.3 specification does not define a secret and thus |
1131 | | * a key for server early traffic. |
1132 | | */ |
1133 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1134 | | static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl, |
1135 | | mbedtls_ssl_key_set *traffic_keys) |
1136 | 0 | { |
1137 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1138 | 0 | mbedtls_md_type_t md_type; |
1139 | 0 | psa_algorithm_t hash_alg; |
1140 | 0 | size_t hash_len; |
1141 | 0 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
1142 | 0 | size_t transcript_len; |
1143 | 0 | size_t key_len = 0; |
1144 | 0 | size_t iv_len = 0; |
1145 | 0 | mbedtls_ssl_tls13_early_secrets tls13_early_secrets; |
1146 | |
|
1147 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1148 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
1149 | 0 | handshake->ciphersuite_info; |
1150 | |
|
1151 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key")); |
1152 | |
|
1153 | 0 | ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len); |
1154 | 0 | if (ret != 0) { |
1155 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret); |
1156 | 0 | goto cleanup; |
1157 | 0 | } |
1158 | | |
1159 | 0 | md_type = (mbedtls_md_type_t) ciphersuite_info->mac; |
1160 | |
|
1161 | 0 | hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); |
1162 | 0 | hash_len = PSA_HASH_LENGTH(hash_alg); |
1163 | |
|
1164 | 0 | ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type, |
1165 | 0 | transcript, |
1166 | 0 | sizeof(transcript), |
1167 | 0 | &transcript_len); |
1168 | 0 | if (ret != 0) { |
1169 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
1170 | 0 | "mbedtls_ssl_get_handshake_transcript", |
1171 | 0 | ret); |
1172 | 0 | goto cleanup; |
1173 | 0 | } |
1174 | | |
1175 | 0 | ret = mbedtls_ssl_tls13_derive_early_secrets( |
1176 | 0 | hash_alg, handshake->tls13_master_secrets.early, |
1177 | 0 | transcript, transcript_len, &tls13_early_secrets); |
1178 | 0 | if (ret != 0) { |
1179 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1180 | 0 | 1, "mbedtls_ssl_tls13_derive_early_secrets", ret); |
1181 | 0 | goto cleanup; |
1182 | 0 | } |
1183 | | |
1184 | 0 | MBEDTLS_SSL_DEBUG_BUF( |
1185 | 0 | 4, "Client early traffic secret", |
1186 | 0 | tls13_early_secrets.client_early_traffic_secret, hash_len); |
1187 | | |
1188 | | /* |
1189 | | * Export client handshake traffic secret |
1190 | | */ |
1191 | 0 | if (ssl->f_export_keys != NULL) { |
1192 | 0 | ssl->f_export_keys( |
1193 | 0 | ssl->p_export_keys, |
1194 | 0 | MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, |
1195 | 0 | tls13_early_secrets.client_early_traffic_secret, |
1196 | 0 | hash_len, |
1197 | 0 | handshake->randbytes, |
1198 | 0 | handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, |
1199 | 0 | MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */); |
1200 | 0 | } |
1201 | |
|
1202 | 0 | ret = ssl_tls13_make_traffic_key( |
1203 | 0 | hash_alg, |
1204 | 0 | tls13_early_secrets.client_early_traffic_secret, |
1205 | 0 | hash_len, traffic_keys->client_write_key, key_len, |
1206 | 0 | traffic_keys->client_write_iv, iv_len); |
1207 | 0 | if (ret != 0) { |
1208 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_make_traffic_key", ret); |
1209 | 0 | goto cleanup; |
1210 | 0 | } |
1211 | 0 | traffic_keys->key_len = key_len; |
1212 | 0 | traffic_keys->iv_len = iv_len; |
1213 | |
|
1214 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client early write_key", |
1215 | 0 | traffic_keys->client_write_key, |
1216 | 0 | traffic_keys->key_len); |
1217 | |
|
1218 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client early write_iv", |
1219 | 0 | traffic_keys->client_write_iv, |
1220 | 0 | traffic_keys->iv_len); |
1221 | |
|
1222 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key")); |
1223 | |
|
1224 | 0 | cleanup: |
1225 | | /* Erase early secrets and transcript */ |
1226 | 0 | mbedtls_platform_zeroize( |
1227 | 0 | &tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets)); |
1228 | 0 | mbedtls_platform_zeroize(transcript, sizeof(transcript)); |
1229 | 0 | return ret; |
1230 | 0 | } |
1231 | | |
1232 | | int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl) |
1233 | 0 | { |
1234 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1235 | 0 | mbedtls_ssl_key_set traffic_keys; |
1236 | 0 | mbedtls_ssl_transform *transform_earlydata = NULL; |
1237 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1238 | | |
1239 | | /* Next evolution in key schedule: Establish early_data secret and |
1240 | | * key material. */ |
1241 | 0 | ret = ssl_tls13_generate_early_key(ssl, &traffic_keys); |
1242 | 0 | if (ret != 0) { |
1243 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_early_key", |
1244 | 0 | ret); |
1245 | 0 | goto cleanup; |
1246 | 0 | } |
1247 | | |
1248 | 0 | transform_earlydata = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); |
1249 | 0 | if (transform_earlydata == NULL) { |
1250 | 0 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1251 | 0 | goto cleanup; |
1252 | 0 | } |
1253 | | |
1254 | 0 | ret = mbedtls_ssl_tls13_populate_transform( |
1255 | 0 | transform_earlydata, |
1256 | 0 | ssl->conf->endpoint, |
1257 | 0 | handshake->ciphersuite_info->id, |
1258 | 0 | &traffic_keys, |
1259 | 0 | ssl); |
1260 | 0 | if (ret != 0) { |
1261 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret); |
1262 | 0 | goto cleanup; |
1263 | 0 | } |
1264 | 0 | handshake->transform_earlydata = transform_earlydata; |
1265 | |
|
1266 | 0 | cleanup: |
1267 | 0 | mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys)); |
1268 | 0 | if (ret != 0) { |
1269 | 0 | mbedtls_free(transform_earlydata); |
1270 | 0 | } |
1271 | |
|
1272 | 0 | return ret; |
1273 | 0 | } |
1274 | | #endif /* MBEDTLS_SSL_EARLY_DATA */ |
1275 | | |
1276 | | int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl) |
1277 | 0 | { |
1278 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1279 | 0 | psa_algorithm_t hash_alg; |
1280 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1281 | 0 | unsigned char *psk = NULL; |
1282 | 0 | size_t psk_len = 0; |
1283 | |
|
1284 | 0 | if (handshake->ciphersuite_info == NULL) { |
1285 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("cipher suite info not found")); |
1286 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
1287 | 0 | } |
1288 | | |
1289 | 0 | hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac); |
1290 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1291 | 0 | if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) { |
1292 | 0 | ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len); |
1293 | 0 | if (ret != 0) { |
1294 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_export_handshake_psk", |
1295 | 0 | ret); |
1296 | 0 | return ret; |
1297 | 0 | } |
1298 | 0 | } |
1299 | 0 | #endif |
1300 | | |
1301 | 0 | ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, NULL, psk, psk_len, |
1302 | 0 | handshake->tls13_master_secrets.early); |
1303 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ |
1304 | | defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1305 | | mbedtls_free((void *) psk); |
1306 | | #endif |
1307 | 0 | if (ret != 0) { |
1308 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); |
1309 | 0 | return ret; |
1310 | 0 | } |
1311 | | |
1312 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_key_schedule_stage_early", |
1313 | 0 | handshake->tls13_master_secrets.early, |
1314 | 0 | PSA_HASH_LENGTH(hash_alg)); |
1315 | 0 | return 0; |
1316 | 0 | } |
1317 | | |
1318 | | /** |
1319 | | * \brief Compute TLS 1.3 handshake traffic keys. |
1320 | | * |
1321 | | * ssl_tls13_generate_handshake_keys() generates keys necessary for |
1322 | | * protecting the handshake messages, as described in Section 7 of |
1323 | | * RFC 8446. |
1324 | | * |
1325 | | * \param ssl The SSL context to operate on. This must be in |
1326 | | * key schedule stage \c Handshake, see |
1327 | | * ssl_tls13_key_schedule_stage_handshake(). |
1328 | | * \param traffic_keys The address at which to store the handshake traffic |
1329 | | * keys. This must be writable but may be uninitialized. |
1330 | | * |
1331 | | * \returns \c 0 on success. |
1332 | | * \returns A negative error code on failure. |
1333 | | */ |
1334 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1335 | | static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl, |
1336 | | mbedtls_ssl_key_set *traffic_keys) |
1337 | 0 | { |
1338 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1339 | 0 | mbedtls_md_type_t md_type; |
1340 | 0 | psa_algorithm_t hash_alg; |
1341 | 0 | size_t hash_len; |
1342 | 0 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
1343 | 0 | size_t transcript_len; |
1344 | 0 | size_t key_len = 0; |
1345 | 0 | size_t iv_len = 0; |
1346 | |
|
1347 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1348 | 0 | const mbedtls_ssl_ciphersuite_t *ciphersuite_info = |
1349 | 0 | handshake->ciphersuite_info; |
1350 | 0 | mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = |
1351 | 0 | &handshake->tls13_hs_secrets; |
1352 | |
|
1353 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys")); |
1354 | |
|
1355 | 0 | ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len); |
1356 | 0 | if (ret != 0) { |
1357 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret); |
1358 | 0 | return ret; |
1359 | 0 | } |
1360 | | |
1361 | 0 | md_type = (mbedtls_md_type_t) ciphersuite_info->mac; |
1362 | |
|
1363 | 0 | hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); |
1364 | 0 | hash_len = PSA_HASH_LENGTH(hash_alg); |
1365 | |
|
1366 | 0 | ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type, |
1367 | 0 | transcript, |
1368 | 0 | sizeof(transcript), |
1369 | 0 | &transcript_len); |
1370 | 0 | if (ret != 0) { |
1371 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
1372 | 0 | "mbedtls_ssl_get_handshake_transcript", |
1373 | 0 | ret); |
1374 | 0 | return ret; |
1375 | 0 | } |
1376 | | |
1377 | 0 | ret = mbedtls_ssl_tls13_derive_handshake_secrets( |
1378 | 0 | hash_alg, handshake->tls13_master_secrets.handshake, |
1379 | 0 | transcript, transcript_len, tls13_hs_secrets); |
1380 | 0 | if (ret != 0) { |
1381 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets", |
1382 | 0 | ret); |
1383 | 0 | return ret; |
1384 | 0 | } |
1385 | | |
1386 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Client handshake traffic secret", |
1387 | 0 | tls13_hs_secrets->client_handshake_traffic_secret, |
1388 | 0 | hash_len); |
1389 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Server handshake traffic secret", |
1390 | 0 | tls13_hs_secrets->server_handshake_traffic_secret, |
1391 | 0 | hash_len); |
1392 | | |
1393 | | /* |
1394 | | * Export client handshake traffic secret |
1395 | | */ |
1396 | 0 | if (ssl->f_export_keys != NULL) { |
1397 | 0 | ssl->f_export_keys( |
1398 | 0 | ssl->p_export_keys, |
1399 | 0 | MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET, |
1400 | 0 | tls13_hs_secrets->client_handshake_traffic_secret, |
1401 | 0 | hash_len, |
1402 | 0 | handshake->randbytes, |
1403 | 0 | handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, |
1404 | 0 | MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */); |
1405 | |
|
1406 | 0 | ssl->f_export_keys( |
1407 | 0 | ssl->p_export_keys, |
1408 | 0 | MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET, |
1409 | 0 | tls13_hs_secrets->server_handshake_traffic_secret, |
1410 | 0 | hash_len, |
1411 | 0 | handshake->randbytes, |
1412 | 0 | handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, |
1413 | 0 | MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */); |
1414 | 0 | } |
1415 | |
|
1416 | 0 | ret = mbedtls_ssl_tls13_make_traffic_keys( |
1417 | 0 | hash_alg, |
1418 | 0 | tls13_hs_secrets->client_handshake_traffic_secret, |
1419 | 0 | tls13_hs_secrets->server_handshake_traffic_secret, |
1420 | 0 | hash_len, key_len, iv_len, traffic_keys); |
1421 | 0 | if (ret != 0) { |
1422 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret); |
1423 | 0 | goto exit; |
1424 | 0 | } |
1425 | | |
1426 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_key", |
1427 | 0 | traffic_keys->client_write_key, |
1428 | 0 | traffic_keys->key_len); |
1429 | |
|
1430 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_key", |
1431 | 0 | traffic_keys->server_write_key, |
1432 | 0 | traffic_keys->key_len); |
1433 | |
|
1434 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_iv", |
1435 | 0 | traffic_keys->client_write_iv, |
1436 | 0 | traffic_keys->iv_len); |
1437 | |
|
1438 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_iv", |
1439 | 0 | traffic_keys->server_write_iv, |
1440 | 0 | traffic_keys->iv_len); |
1441 | |
|
1442 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_handshake_keys")); |
1443 | |
|
1444 | 0 | exit: |
1445 | |
|
1446 | 0 | return ret; |
1447 | 0 | } |
1448 | | |
1449 | | /** |
1450 | | * \brief Transition into handshake stage of TLS 1.3 key schedule. |
1451 | | * |
1452 | | * The TLS 1.3 key schedule can be viewed as a simple state machine |
1453 | | * with states Initial -> Early -> Handshake -> Application, and |
1454 | | * this function represents the Early -> Handshake transition. |
1455 | | * |
1456 | | * In the handshake stage, ssl_tls13_generate_handshake_keys() |
1457 | | * can be used to derive the handshake traffic keys. |
1458 | | * |
1459 | | * \param ssl The SSL context to operate on. This must be in key schedule |
1460 | | * stage \c Early. |
1461 | | * |
1462 | | * \returns \c 0 on success. |
1463 | | * \returns A negative error code on failure. |
1464 | | */ |
1465 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1466 | | static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl) |
1467 | 0 | { |
1468 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1469 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1470 | 0 | psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type( |
1471 | 0 | (mbedtls_md_type_t) handshake->ciphersuite_info->mac); |
1472 | 0 | unsigned char *shared_secret = NULL; |
1473 | 0 | size_t shared_secret_len = 0; |
1474 | |
|
1475 | 0 | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) |
1476 | | /* |
1477 | | * Compute ECDHE secret used to compute the handshake secret from which |
1478 | | * client_handshake_traffic_secret and server_handshake_traffic_secret |
1479 | | * are derived in the handshake secret derivation stage. |
1480 | | */ |
1481 | 0 | if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) { |
1482 | 0 | if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) || |
1483 | 0 | mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) { |
1484 | 0 | #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) |
1485 | 0 | psa_algorithm_t alg = |
1486 | 0 | mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ? |
1487 | 0 | PSA_ALG_ECDH : PSA_ALG_FFDH; |
1488 | | |
1489 | | /* Compute ECDH shared secret. */ |
1490 | 0 | psa_status_t status = PSA_ERROR_GENERIC_ERROR; |
1491 | 0 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
1492 | |
|
1493 | 0 | status = psa_get_key_attributes(handshake->xxdh_psa_privkey, |
1494 | 0 | &key_attributes); |
1495 | 0 | if (status != PSA_SUCCESS) { |
1496 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
1497 | 0 | } |
1498 | |
|
1499 | 0 | shared_secret_len = PSA_BITS_TO_BYTES( |
1500 | 0 | psa_get_key_bits(&key_attributes)); |
1501 | 0 | shared_secret = mbedtls_calloc(1, shared_secret_len); |
1502 | 0 | if (shared_secret == NULL) { |
1503 | 0 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1504 | 0 | } |
1505 | | |
1506 | 0 | status = psa_raw_key_agreement( |
1507 | 0 | alg, handshake->xxdh_psa_privkey, |
1508 | 0 | handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len, |
1509 | 0 | shared_secret, shared_secret_len, &shared_secret_len); |
1510 | 0 | if (status != PSA_SUCCESS) { |
1511 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
1512 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret); |
1513 | 0 | goto cleanup; |
1514 | 0 | } |
1515 | | |
1516 | 0 | status = psa_destroy_key(handshake->xxdh_psa_privkey); |
1517 | 0 | if (status != PSA_SUCCESS) { |
1518 | 0 | ret = PSA_TO_MBEDTLS_ERR(status); |
1519 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret); |
1520 | 0 | goto cleanup; |
1521 | 0 | } |
1522 | | |
1523 | 0 | handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; |
1524 | 0 | #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ |
1525 | 0 | } else { |
1526 | 0 | MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported.")); |
1527 | 0 | return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
1528 | 0 | } |
1529 | 0 | } |
1530 | 0 | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ |
1531 | | |
1532 | | /* |
1533 | | * Compute the Handshake Secret |
1534 | | */ |
1535 | 0 | ret = mbedtls_ssl_tls13_evolve_secret( |
1536 | 0 | hash_alg, handshake->tls13_master_secrets.early, |
1537 | 0 | shared_secret, shared_secret_len, |
1538 | 0 | handshake->tls13_master_secrets.handshake); |
1539 | 0 | if (ret != 0) { |
1540 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret); |
1541 | 0 | goto cleanup; |
1542 | 0 | } |
1543 | | |
1544 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Handshake secret", |
1545 | 0 | handshake->tls13_master_secrets.handshake, |
1546 | 0 | PSA_HASH_LENGTH(hash_alg)); |
1547 | |
|
1548 | 0 | cleanup: |
1549 | 0 | if (shared_secret != NULL) { |
1550 | 0 | mbedtls_zeroize_and_free(shared_secret, shared_secret_len); |
1551 | 0 | } |
1552 | |
|
1553 | 0 | return ret; |
1554 | 0 | } |
1555 | | |
1556 | | /** |
1557 | | * \brief Compute TLS 1.3 application traffic keys. |
1558 | | * |
1559 | | * ssl_tls13_generate_application_keys() generates application traffic |
1560 | | * keys, since any record following a 1-RTT Finished message MUST be |
1561 | | * encrypted under the application traffic key. |
1562 | | * |
1563 | | * \param ssl The SSL context to operate on. This must be in |
1564 | | * key schedule stage \c Application, see |
1565 | | * ssl_tls13_key_schedule_stage_application(). |
1566 | | * \param traffic_keys The address at which to store the application traffic |
1567 | | * keys. This must be writable but may be uninitialized. |
1568 | | * |
1569 | | * \returns \c 0 on success. |
1570 | | * \returns A negative error code on failure. |
1571 | | */ |
1572 | | MBEDTLS_CHECK_RETURN_CRITICAL |
1573 | | static int ssl_tls13_generate_application_keys( |
1574 | | mbedtls_ssl_context *ssl, |
1575 | | mbedtls_ssl_key_set *traffic_keys) |
1576 | 0 | { |
1577 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1578 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1579 | | |
1580 | | /* Address at which to store the application secrets */ |
1581 | 0 | mbedtls_ssl_tls13_application_secrets * const app_secrets = |
1582 | 0 | &ssl->session_negotiate->app_secrets; |
1583 | | |
1584 | | /* Holding the transcript up to and including the ServerFinished */ |
1585 | 0 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
1586 | 0 | size_t transcript_len; |
1587 | | |
1588 | | /* Variables relating to the hash for the chosen ciphersuite. */ |
1589 | 0 | mbedtls_md_type_t md_type; |
1590 | |
|
1591 | 0 | psa_algorithm_t hash_alg; |
1592 | 0 | size_t hash_len; |
1593 | | |
1594 | | /* Variables relating to the cipher for the chosen ciphersuite. */ |
1595 | 0 | size_t key_len = 0, iv_len = 0; |
1596 | |
|
1597 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys")); |
1598 | | |
1599 | | /* Extract basic information about hash and ciphersuite */ |
1600 | |
|
1601 | 0 | ret = ssl_tls13_get_cipher_key_info(handshake->ciphersuite_info, |
1602 | 0 | &key_len, &iv_len); |
1603 | 0 | if (ret != 0) { |
1604 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret); |
1605 | 0 | goto cleanup; |
1606 | 0 | } |
1607 | | |
1608 | 0 | md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; |
1609 | |
|
1610 | 0 | hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac); |
1611 | 0 | hash_len = PSA_HASH_LENGTH(hash_alg); |
1612 | | |
1613 | | /* Compute current handshake transcript. It's the caller's responsibility |
1614 | | * to call this at the right time, that is, after the ServerFinished. */ |
1615 | |
|
1616 | 0 | ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type, |
1617 | 0 | transcript, sizeof(transcript), |
1618 | 0 | &transcript_len); |
1619 | 0 | if (ret != 0) { |
1620 | 0 | goto cleanup; |
1621 | 0 | } |
1622 | | |
1623 | | /* Compute application secrets from master secret and transcript hash. */ |
1624 | | |
1625 | 0 | ret = mbedtls_ssl_tls13_derive_application_secrets( |
1626 | 0 | hash_alg, handshake->tls13_master_secrets.app, |
1627 | 0 | transcript, transcript_len, app_secrets); |
1628 | 0 | if (ret != 0) { |
1629 | 0 | MBEDTLS_SSL_DEBUG_RET( |
1630 | 0 | 1, "mbedtls_ssl_tls13_derive_application_secrets", ret); |
1631 | 0 | goto cleanup; |
1632 | 0 | } |
1633 | | |
1634 | | /* Derive first epoch of IV + Key for application traffic. */ |
1635 | | |
1636 | 0 | ret = mbedtls_ssl_tls13_make_traffic_keys( |
1637 | 0 | hash_alg, |
1638 | 0 | app_secrets->client_application_traffic_secret_N, |
1639 | 0 | app_secrets->server_application_traffic_secret_N, |
1640 | 0 | hash_len, key_len, iv_len, traffic_keys); |
1641 | 0 | if (ret != 0) { |
1642 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret); |
1643 | 0 | goto cleanup; |
1644 | 0 | } |
1645 | | |
1646 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Client application traffic secret", |
1647 | 0 | app_secrets->client_application_traffic_secret_N, |
1648 | 0 | hash_len); |
1649 | |
|
1650 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "Server application traffic secret", |
1651 | 0 | app_secrets->server_application_traffic_secret_N, |
1652 | 0 | hash_len); |
1653 | | |
1654 | | /* |
1655 | | * Export client/server application traffic secret 0 |
1656 | | */ |
1657 | 0 | if (ssl->f_export_keys != NULL) { |
1658 | 0 | ssl->f_export_keys( |
1659 | 0 | ssl->p_export_keys, |
1660 | 0 | MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET, |
1661 | 0 | app_secrets->client_application_traffic_secret_N, hash_len, |
1662 | 0 | handshake->randbytes, |
1663 | 0 | handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, |
1664 | 0 | MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by |
1665 | 0 | a new constant for TLS 1.3! */); |
1666 | |
|
1667 | 0 | ssl->f_export_keys( |
1668 | 0 | ssl->p_export_keys, |
1669 | 0 | MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET, |
1670 | 0 | app_secrets->server_application_traffic_secret_N, hash_len, |
1671 | 0 | handshake->randbytes, |
1672 | 0 | handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, |
1673 | 0 | MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by |
1674 | 0 | a new constant for TLS 1.3! */); |
1675 | 0 | } |
1676 | |
|
1677 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:", |
1678 | 0 | traffic_keys->client_write_key, key_len); |
1679 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "server application write key", |
1680 | 0 | traffic_keys->server_write_key, key_len); |
1681 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "client application write IV", |
1682 | 0 | traffic_keys->client_write_iv, iv_len); |
1683 | 0 | MBEDTLS_SSL_DEBUG_BUF(4, "server application write IV", |
1684 | 0 | traffic_keys->server_write_iv, iv_len); |
1685 | |
|
1686 | 0 | MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive application traffic keys")); |
1687 | |
|
1688 | 0 | cleanup: |
1689 | | /* randbytes is not used again */ |
1690 | 0 | mbedtls_platform_zeroize(ssl->handshake->randbytes, |
1691 | 0 | sizeof(ssl->handshake->randbytes)); |
1692 | |
|
1693 | 0 | mbedtls_platform_zeroize(transcript, sizeof(transcript)); |
1694 | 0 | return ret; |
1695 | 0 | } |
1696 | | |
1697 | | int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl) |
1698 | 0 | { |
1699 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1700 | 0 | mbedtls_ssl_key_set traffic_keys; |
1701 | 0 | mbedtls_ssl_transform *transform_handshake = NULL; |
1702 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1703 | | |
1704 | | /* Compute handshake secret */ |
1705 | 0 | ret = ssl_tls13_key_schedule_stage_handshake(ssl); |
1706 | 0 | if (ret != 0) { |
1707 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_master_secret", ret); |
1708 | 0 | goto cleanup; |
1709 | 0 | } |
1710 | | |
1711 | | /* Next evolution in key schedule: Establish handshake secret and |
1712 | | * key material. */ |
1713 | 0 | ret = ssl_tls13_generate_handshake_keys(ssl, &traffic_keys); |
1714 | 0 | if (ret != 0) { |
1715 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_handshake_keys", |
1716 | 0 | ret); |
1717 | 0 | goto cleanup; |
1718 | 0 | } |
1719 | | |
1720 | 0 | transform_handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); |
1721 | 0 | if (transform_handshake == NULL) { |
1722 | 0 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1723 | 0 | goto cleanup; |
1724 | 0 | } |
1725 | | |
1726 | 0 | ret = mbedtls_ssl_tls13_populate_transform( |
1727 | 0 | transform_handshake, |
1728 | 0 | ssl->conf->endpoint, |
1729 | 0 | handshake->ciphersuite_info->id, |
1730 | 0 | &traffic_keys, |
1731 | 0 | ssl); |
1732 | 0 | if (ret != 0) { |
1733 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret); |
1734 | 0 | goto cleanup; |
1735 | 0 | } |
1736 | 0 | handshake->transform_handshake = transform_handshake; |
1737 | |
|
1738 | 0 | cleanup: |
1739 | 0 | mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys)); |
1740 | 0 | if (ret != 0) { |
1741 | 0 | mbedtls_free(transform_handshake); |
1742 | 0 | } |
1743 | |
|
1744 | 0 | return ret; |
1745 | 0 | } |
1746 | | |
1747 | | int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl) |
1748 | 0 | { |
1749 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1750 | 0 | mbedtls_md_type_t md_type; |
1751 | 0 | mbedtls_ssl_handshake_params *handshake = ssl->handshake; |
1752 | 0 | unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
1753 | 0 | size_t transcript_len; |
1754 | |
|
1755 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1756 | 0 | 2, ("=> mbedtls_ssl_tls13_compute_resumption_master_secret")); |
1757 | |
|
1758 | 0 | md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; |
1759 | |
|
1760 | 0 | ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type, |
1761 | 0 | transcript, sizeof(transcript), |
1762 | 0 | &transcript_len); |
1763 | 0 | if (ret != 0) { |
1764 | 0 | return ret; |
1765 | 0 | } |
1766 | | |
1767 | 0 | ret = mbedtls_ssl_tls13_derive_resumption_master_secret( |
1768 | 0 | mbedtls_md_psa_alg_from_type(md_type), |
1769 | 0 | handshake->tls13_master_secrets.app, |
1770 | 0 | transcript, transcript_len, |
1771 | 0 | &ssl->session_negotiate->app_secrets); |
1772 | 0 | if (ret != 0) { |
1773 | 0 | return ret; |
1774 | 0 | } |
1775 | | |
1776 | | /* Erase master secrets */ |
1777 | 0 | mbedtls_platform_zeroize(&handshake->tls13_master_secrets, |
1778 | 0 | sizeof(handshake->tls13_master_secrets)); |
1779 | |
|
1780 | 0 | MBEDTLS_SSL_DEBUG_BUF( |
1781 | 0 | 4, "Resumption master secret", |
1782 | 0 | ssl->session_negotiate->app_secrets.resumption_master_secret, |
1783 | 0 | PSA_HASH_LENGTH(mbedtls_md_psa_alg_from_type(md_type))); |
1784 | |
|
1785 | 0 | MBEDTLS_SSL_DEBUG_MSG( |
1786 | 0 | 2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret")); |
1787 | 0 | return 0; |
1788 | 0 | } |
1789 | | |
1790 | | int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl) |
1791 | 0 | { |
1792 | 0 | int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
1793 | 0 | mbedtls_ssl_key_set traffic_keys; |
1794 | 0 | mbedtls_ssl_transform *transform_application = NULL; |
1795 | |
|
1796 | 0 | ret = ssl_tls13_key_schedule_stage_application(ssl); |
1797 | 0 | if (ret != 0) { |
1798 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
1799 | 0 | "ssl_tls13_key_schedule_stage_application", ret); |
1800 | 0 | goto cleanup; |
1801 | 0 | } |
1802 | | |
1803 | 0 | ret = ssl_tls13_generate_application_keys(ssl, &traffic_keys); |
1804 | 0 | if (ret != 0) { |
1805 | 0 | MBEDTLS_SSL_DEBUG_RET(1, |
1806 | 0 | "ssl_tls13_generate_application_keys", ret); |
1807 | 0 | goto cleanup; |
1808 | 0 | } |
1809 | | |
1810 | 0 | transform_application = |
1811 | 0 | mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); |
1812 | 0 | if (transform_application == NULL) { |
1813 | 0 | ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1814 | 0 | goto cleanup; |
1815 | 0 | } |
1816 | | |
1817 | 0 | ret = mbedtls_ssl_tls13_populate_transform( |
1818 | 0 | transform_application, |
1819 | 0 | ssl->conf->endpoint, |
1820 | 0 | ssl->handshake->ciphersuite_info->id, |
1821 | 0 | &traffic_keys, |
1822 | 0 | ssl); |
1823 | 0 | if (ret != 0) { |
1824 | 0 | MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret); |
1825 | 0 | goto cleanup; |
1826 | 0 | } |
1827 | | |
1828 | 0 | ssl->transform_application = transform_application; |
1829 | |
|
1830 | 0 | cleanup: |
1831 | |
|
1832 | 0 | mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys)); |
1833 | 0 | if (ret != 0) { |
1834 | 0 | mbedtls_free(transform_application); |
1835 | 0 | } |
1836 | 0 | return ret; |
1837 | 0 | } |
1838 | | |
1839 | | #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) |
1840 | | int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, |
1841 | | unsigned char **psk, |
1842 | | size_t *psk_len) |
1843 | 0 | { |
1844 | | #if defined(MBEDTLS_USE_PSA_CRYPTO) |
1845 | 0 | psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; |
1846 | 0 | psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; |
1847 | | |
1848 | | *psk_len = 0; |
1849 | | *psk = NULL; |
1850 | | |
1851 | 0 | if (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { |
1852 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
1853 | 0 | } |
1854 | | |
1855 | 0 | status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes); |
1856 | 0 | if (status != PSA_SUCCESS) { |
1857 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1858 | 0 | } |
1859 | | |
1860 | 0 | *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes)); |
1861 | 0 | *psk = mbedtls_calloc(1, *psk_len); |
1862 | 0 | if (*psk == NULL) { |
1863 | 0 | return MBEDTLS_ERR_SSL_ALLOC_FAILED; |
1864 | 0 | } |
1865 | | |
1866 | 0 | status = psa_export_key(ssl->handshake->psk_opaque, |
1867 | 0 | (uint8_t *) *psk, *psk_len, psk_len); |
1868 | 0 | if (status != PSA_SUCCESS) { |
1869 | 0 | mbedtls_free((void *) *psk); |
1870 | 0 | *psk = NULL; |
1871 | 0 | return PSA_TO_MBEDTLS_ERR(status); |
1872 | 0 | } |
1873 | 0 | return 0; |
1874 | | #else |
1875 | | *psk = ssl->handshake->psk; |
1876 | | *psk_len = ssl->handshake->psk_len; |
1877 | 0 | if (*psk == NULL) { |
1878 | 0 | return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
1879 | 0 | } |
1880 | 0 | return 0; |
1881 | | #endif /* !MBEDTLS_USE_PSA_CRYPTO */ |
1882 | 0 | } Unexecuted instantiation: mbedtls_ssl_tls13_export_handshake_psk Unexecuted instantiation: mbedtls_ssl_tls13_export_handshake_psk |
1883 | | #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ |
1884 | | |
1885 | | #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) |
1886 | | int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg, |
1887 | | const unsigned char *secret, const size_t secret_len, |
1888 | | const unsigned char *label, const size_t label_len, |
1889 | | const unsigned char *context_value, const size_t context_len, |
1890 | | unsigned char *out, const size_t out_len) |
1891 | 0 | { |
1892 | 0 | size_t hash_len = PSA_HASH_LENGTH(hash_alg); |
1893 | 0 | unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; |
1894 | 0 | int ret = 0; |
1895 | |
|
1896 | 0 | ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0, |
1897 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret, |
1898 | 0 | hash_len); |
1899 | 0 | if (ret != 0) { |
1900 | 0 | goto exit; |
1901 | 0 | } |
1902 | 0 | ret = mbedtls_ssl_tls13_derive_secret(hash_alg, |
1903 | 0 | hkdf_secret, |
1904 | 0 | hash_len, |
1905 | 0 | MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter), |
1906 | 0 | context_value, |
1907 | 0 | context_len, |
1908 | 0 | MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, |
1909 | 0 | out, |
1910 | 0 | out_len); |
1911 | |
|
1912 | 0 | exit: |
1913 | 0 | mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret)); |
1914 | 0 | return ret; |
1915 | 0 | } |
1916 | | #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ |
1917 | | |
1918 | | #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |