1 /*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #include "ssl_misc.h"
9
10 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
11
12 #include <stdint.h>
13 #include <string.h>
14
15 #include "debug_internal.h"
16 #include "mbedtls/error.h"
17 #include "mbedtls/platform.h"
18
19 #include "ssl_tls13_keys.h"
20 #include "ssl_tls13_invasive.h"
21
22 #include "psa/crypto.h"
23 #include "mbedtls/psa_util.h"
24
25 /* Define a local translating function to save code size by not using too many
26 * arguments in each translating place. */
local_err_translation(psa_status_t status)27 static int local_err_translation(psa_status_t status)
28 {
29 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
30 ARRAY_LENGTH(psa_to_ssl_errors),
31 psa_generic_status_to_mbedtls);
32 }
33 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
34
35 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
36 .name = string,
37
38 struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
39 {
40 /* This seems to work in C, despite the string literal being one
41 * character too long due to the 0-termination. */
42 MBEDTLS_SSL_TLS1_3_LABEL_LIST
43 };
44
45 #undef MBEDTLS_SSL_TLS1_3_LABEL
46
47 /*
48 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
49 *
50 * The HkdfLabel is specified in RFC 8446 as follows:
51 *
52 * struct HkdfLabel {
53 * uint16 length; // Length of expanded key material
54 * opaque label<7..255>; // Always prefixed by "tls13 "
55 * opaque context<0..255>; // Usually a communication transcript hash
56 * };
57 *
58 * Parameters:
59 * - desired_length: Length of expanded key material.
60 * The length field can hold numbers up to 2**16, but HKDF
61 * can only generate outputs of up to 255 * HASH_LEN bytes.
62 * It is the caller's responsibility to ensure that this
63 * limit is not exceeded. In TLS 1.3, SHA256 is the hash
64 * function with the smallest block size, so a length
65 * <= 255 * 32 = 8160 is always safe.
66 * - (label, label_len): label + label length, without "tls13 " prefix
67 * The label length MUST be less than or equal to
68 * MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN.
69 * It is the caller's responsibility to ensure this.
70 * All (label, label length) pairs used in TLS 1.3
71 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
72 * - (ctx, ctx_len): context + context length
73 * The context length MUST be less than or equal to
74 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
75 * It is the caller's responsibility to ensure this.
76 * - dst: Target buffer for HkdfLabel structure,
77 * This MUST be a writable buffer of size
78 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
79 * - dst_len: Pointer at which to store the actual length of
80 * the HkdfLabel structure on success.
81 */
82
83 /* We need to tell the compiler that we meant to leave out the null character. */
84 static const char tls13_label_prefix[6] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "tls13 ";
85
86 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(label_len, context_len) \
87 (2 /* expansion length */ \
88 + 1 /* label length */ \
89 + label_len \
90 + 1 /* context length */ \
91 + context_len)
92
93 #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
94 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
95 sizeof(tls13_label_prefix) + \
96 MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN, \
97 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN)
98
ssl_tls13_hkdf_encode_label(size_t desired_length,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,unsigned char * dst,size_t * dst_len)99 static void ssl_tls13_hkdf_encode_label(
100 size_t desired_length,
101 const unsigned char *label, size_t label_len,
102 const unsigned char *ctx, size_t ctx_len,
103 unsigned char *dst, size_t *dst_len)
104 {
105 size_t total_label_len =
106 sizeof(tls13_label_prefix) + label_len;
107 size_t total_hkdf_lbl_len =
108 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(total_label_len, ctx_len);
109
110 unsigned char *p = dst;
111
112 /* Add the size of the expanded key material. */
113 #if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > UINT16_MAX
114 #error "The desired key length must fit into an uint16 but \
115 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN is greater than UINT16_MAX"
116 #endif
117
118 *p++ = MBEDTLS_BYTE_1(desired_length);
119 *p++ = MBEDTLS_BYTE_0(desired_length);
120
121 /* Add label incl. prefix */
122 *p++ = MBEDTLS_BYTE_0(total_label_len);
123 memcpy(p, tls13_label_prefix, sizeof(tls13_label_prefix));
124 p += sizeof(tls13_label_prefix);
125 memcpy(p, label, label_len);
126 p += label_len;
127
128 /* Add context value */
129 *p++ = MBEDTLS_BYTE_0(ctx_len);
130 if (ctx_len != 0) {
131 memcpy(p, ctx, ctx_len);
132 }
133
134 /* Return total length to the caller. */
135 *dst_len = total_hkdf_lbl_len;
136 }
137
mbedtls_ssl_tls13_hkdf_expand_label(psa_algorithm_t hash_alg,const unsigned char * secret,size_t secret_len,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,unsigned char * buf,size_t buf_len)138 int mbedtls_ssl_tls13_hkdf_expand_label(
139 psa_algorithm_t hash_alg,
140 const unsigned char *secret, size_t secret_len,
141 const unsigned char *label, size_t label_len,
142 const unsigned char *ctx, size_t ctx_len,
143 unsigned char *buf, size_t buf_len)
144 {
145 unsigned char hkdf_label[SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN];
146 size_t hkdf_label_len = 0;
147 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
148 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
149 psa_key_derivation_operation_t operation =
150 PSA_KEY_DERIVATION_OPERATION_INIT;
151
152 if (label_len > MBEDTLS_SSL_TLS1_3_HKDF_LABEL_MAX_LABEL_LEN) {
153 /* Should never happen since this is an internal
154 * function, and we know statically which labels
155 * are allowed. */
156 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
157 }
158
159 if (ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN) {
160 /* Should not happen, as above. */
161 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
162 }
163
164 if (buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN) {
165 /* Should not happen, as above. */
166 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
167 }
168
169 if (!PSA_ALG_IS_HASH(hash_alg)) {
170 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
171 }
172
173 ssl_tls13_hkdf_encode_label(buf_len,
174 label, label_len,
175 ctx, ctx_len,
176 hkdf_label,
177 &hkdf_label_len);
178
179 status = psa_key_derivation_setup(&operation, PSA_ALG_HKDF_EXPAND(hash_alg));
180
181 if (status != PSA_SUCCESS) {
182 goto cleanup;
183 }
184
185 status = psa_key_derivation_input_bytes(&operation,
186 PSA_KEY_DERIVATION_INPUT_SECRET,
187 secret,
188 secret_len);
189
190 if (status != PSA_SUCCESS) {
191 goto cleanup;
192 }
193
194 status = psa_key_derivation_input_bytes(&operation,
195 PSA_KEY_DERIVATION_INPUT_INFO,
196 hkdf_label,
197 hkdf_label_len);
198
199 if (status != PSA_SUCCESS) {
200 goto cleanup;
201 }
202
203 status = psa_key_derivation_output_bytes(&operation,
204 buf,
205 buf_len);
206
207 if (status != PSA_SUCCESS) {
208 goto cleanup;
209 }
210
211 cleanup:
212 abort_status = psa_key_derivation_abort(&operation);
213 status = (status == PSA_SUCCESS ? abort_status : status);
214 mbedtls_platform_zeroize(hkdf_label, hkdf_label_len);
215 return PSA_TO_MBEDTLS_ERR(status);
216 }
217
218 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_make_traffic_key(psa_algorithm_t hash_alg,const unsigned char * secret,size_t secret_len,unsigned char * key,size_t key_len,unsigned char * iv,size_t iv_len)219 static int ssl_tls13_make_traffic_key(
220 psa_algorithm_t hash_alg,
221 const unsigned char *secret, size_t secret_len,
222 unsigned char *key, size_t key_len,
223 unsigned char *iv, size_t iv_len)
224 {
225 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
226
227 ret = mbedtls_ssl_tls13_hkdf_expand_label(
228 hash_alg,
229 secret, secret_len,
230 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(key),
231 NULL, 0,
232 key, key_len);
233 if (ret != 0) {
234 return ret;
235 }
236
237 ret = mbedtls_ssl_tls13_hkdf_expand_label(
238 hash_alg,
239 secret, secret_len,
240 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(iv),
241 NULL, 0,
242 iv, iv_len);
243 return ret;
244 }
245
246 /*
247 * The traffic keying material is generated from the following inputs:
248 *
249 * - One secret value per sender.
250 * - A purpose value indicating the specific value being generated
251 * - The desired lengths of key and IV.
252 *
253 * The expansion itself is based on HKDF:
254 *
255 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
256 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
257 *
258 * [sender] denotes the sending side and the Secret value is provided
259 * by the function caller. Note that we generate server and client side
260 * keys in a single function call.
261 */
mbedtls_ssl_tls13_make_traffic_keys(psa_algorithm_t hash_alg,const unsigned char * client_secret,const unsigned char * server_secret,size_t secret_len,size_t key_len,size_t iv_len,mbedtls_ssl_key_set * keys)262 int mbedtls_ssl_tls13_make_traffic_keys(
263 psa_algorithm_t hash_alg,
264 const unsigned char *client_secret,
265 const unsigned char *server_secret, size_t secret_len,
266 size_t key_len, size_t iv_len,
267 mbedtls_ssl_key_set *keys)
268 {
269 int ret = 0;
270
271 ret = ssl_tls13_make_traffic_key(
272 hash_alg, client_secret, secret_len,
273 keys->client_write_key, key_len,
274 keys->client_write_iv, iv_len);
275 if (ret != 0) {
276 return ret;
277 }
278
279 ret = ssl_tls13_make_traffic_key(
280 hash_alg, server_secret, secret_len,
281 keys->server_write_key, key_len,
282 keys->server_write_iv, iv_len);
283 if (ret != 0) {
284 return ret;
285 }
286
287 keys->key_len = key_len;
288 keys->iv_len = iv_len;
289
290 return 0;
291 }
292
mbedtls_ssl_tls13_derive_secret(psa_algorithm_t hash_alg,const unsigned char * secret,size_t secret_len,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,int ctx_hashed,unsigned char * dstbuf,size_t dstbuf_len)293 int mbedtls_ssl_tls13_derive_secret(
294 psa_algorithm_t hash_alg,
295 const unsigned char *secret, size_t secret_len,
296 const unsigned char *label, size_t label_len,
297 const unsigned char *ctx, size_t ctx_len,
298 int ctx_hashed,
299 unsigned char *dstbuf, size_t dstbuf_len)
300 {
301 int ret;
302 unsigned char hashed_context[PSA_HASH_MAX_SIZE];
303 if (ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED) {
304 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
305
306 status = psa_hash_compute(hash_alg, ctx, ctx_len, hashed_context,
307 PSA_HASH_LENGTH(hash_alg), &ctx_len);
308 if (status != PSA_SUCCESS) {
309 ret = PSA_TO_MBEDTLS_ERR(status);
310 return ret;
311 }
312 } else {
313 if (ctx_len > sizeof(hashed_context)) {
314 /* This should never happen since this function is internal
315 * and the code sets `ctx_hashed` correctly.
316 * Let's double-check nonetheless to not run at the risk
317 * of getting a stack overflow. */
318 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
319 }
320
321 memcpy(hashed_context, ctx, ctx_len);
322 }
323
324 return mbedtls_ssl_tls13_hkdf_expand_label(hash_alg,
325 secret, secret_len,
326 label, label_len,
327 hashed_context, ctx_len,
328 dstbuf, dstbuf_len);
329
330 }
331
mbedtls_ssl_tls13_evolve_secret(psa_algorithm_t hash_alg,const unsigned char * secret_old,const unsigned char * input,size_t input_len,unsigned char * secret_new)332 int mbedtls_ssl_tls13_evolve_secret(
333 psa_algorithm_t hash_alg,
334 const unsigned char *secret_old,
335 const unsigned char *input, size_t input_len,
336 unsigned char *secret_new)
337 {
338 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
339 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
340 psa_status_t abort_status = PSA_ERROR_CORRUPTION_DETECTED;
341 size_t hlen;
342 unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 };
343 const unsigned char all_zeroes_input[MBEDTLS_TLS1_3_MD_MAX_SIZE] = { 0 };
344 const unsigned char *l_input = NULL;
345 size_t l_input_len;
346
347 psa_key_derivation_operation_t operation =
348 PSA_KEY_DERIVATION_OPERATION_INIT;
349
350 if (!PSA_ALG_IS_HASH(hash_alg)) {
351 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
352 }
353
354 hlen = PSA_HASH_LENGTH(hash_alg);
355
356 /* For non-initial runs, call Derive-Secret( ., "derived", "")
357 * on the old secret. */
358 if (secret_old != NULL) {
359 ret = mbedtls_ssl_tls13_derive_secret(
360 hash_alg,
361 secret_old, hlen,
362 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(derived),
363 NULL, 0, /* context */
364 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
365 tmp_secret, hlen);
366 if (ret != 0) {
367 goto cleanup;
368 }
369 }
370
371 ret = 0;
372
373 if (input != NULL && input_len != 0) {
374 l_input = input;
375 l_input_len = input_len;
376 } else {
377 l_input = all_zeroes_input;
378 l_input_len = hlen;
379 }
380
381 status = psa_key_derivation_setup(&operation,
382 PSA_ALG_HKDF_EXTRACT(hash_alg));
383
384 if (status != PSA_SUCCESS) {
385 goto cleanup;
386 }
387
388 status = psa_key_derivation_input_bytes(&operation,
389 PSA_KEY_DERIVATION_INPUT_SALT,
390 tmp_secret,
391 hlen);
392
393 if (status != PSA_SUCCESS) {
394 goto cleanup;
395 }
396
397 status = psa_key_derivation_input_bytes(&operation,
398 PSA_KEY_DERIVATION_INPUT_SECRET,
399 l_input, l_input_len);
400
401 if (status != PSA_SUCCESS) {
402 goto cleanup;
403 }
404
405 status = psa_key_derivation_output_bytes(&operation,
406 secret_new,
407 PSA_HASH_LENGTH(hash_alg));
408
409 if (status != PSA_SUCCESS) {
410 goto cleanup;
411 }
412
413 cleanup:
414 abort_status = psa_key_derivation_abort(&operation);
415 status = (status == PSA_SUCCESS ? abort_status : status);
416 ret = (ret == 0 ? PSA_TO_MBEDTLS_ERR(status) : ret);
417 mbedtls_platform_zeroize(tmp_secret, sizeof(tmp_secret));
418 return ret;
419 }
420
mbedtls_ssl_tls13_derive_early_secrets(psa_algorithm_t hash_alg,unsigned char const * early_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_early_secrets * derived)421 int mbedtls_ssl_tls13_derive_early_secrets(
422 psa_algorithm_t hash_alg,
423 unsigned char const *early_secret,
424 unsigned char const *transcript, size_t transcript_len,
425 mbedtls_ssl_tls13_early_secrets *derived)
426 {
427 int ret;
428 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
429
430 /* We should never call this function with an unknown hash,
431 * but add an assertion anyway. */
432 if (!PSA_ALG_IS_HASH(hash_alg)) {
433 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
434 }
435
436 /*
437 * 0
438 * |
439 * v
440 * PSK -> HKDF-Extract = Early Secret
441 * |
442 * +-----> Derive-Secret(., "c e traffic", ClientHello)
443 * | = client_early_traffic_secret
444 * |
445 * +-----> Derive-Secret(., "e exp master", ClientHello)
446 * | = early_exporter_master_secret
447 * v
448 */
449
450 /* Create client_early_traffic_secret */
451 ret = mbedtls_ssl_tls13_derive_secret(
452 hash_alg,
453 early_secret, hash_len,
454 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic),
455 transcript, transcript_len,
456 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
457 derived->client_early_traffic_secret,
458 hash_len);
459 if (ret != 0) {
460 return ret;
461 }
462
463 /* Create early exporter */
464 ret = mbedtls_ssl_tls13_derive_secret(
465 hash_alg,
466 early_secret, hash_len,
467 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master),
468 transcript, transcript_len,
469 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
470 derived->early_exporter_master_secret,
471 hash_len);
472 if (ret != 0) {
473 return ret;
474 }
475
476 return 0;
477 }
478
mbedtls_ssl_tls13_derive_handshake_secrets(psa_algorithm_t hash_alg,unsigned char const * handshake_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_handshake_secrets * derived)479 int mbedtls_ssl_tls13_derive_handshake_secrets(
480 psa_algorithm_t hash_alg,
481 unsigned char const *handshake_secret,
482 unsigned char const *transcript, size_t transcript_len,
483 mbedtls_ssl_tls13_handshake_secrets *derived)
484 {
485 int ret;
486 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
487
488 /* We should never call this function with an unknown hash,
489 * but add an assertion anyway. */
490 if (!PSA_ALG_IS_HASH(hash_alg)) {
491 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
492 }
493
494 /*
495 *
496 * Handshake Secret
497 * |
498 * +-----> Derive-Secret( ., "c hs traffic",
499 * | ClientHello...ServerHello )
500 * | = client_handshake_traffic_secret
501 * |
502 * +-----> Derive-Secret( ., "s hs traffic",
503 * | ClientHello...ServerHello )
504 * | = server_handshake_traffic_secret
505 *
506 */
507
508 /*
509 * Compute client_handshake_traffic_secret with
510 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
511 */
512
513 ret = mbedtls_ssl_tls13_derive_secret(
514 hash_alg,
515 handshake_secret, hash_len,
516 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic),
517 transcript, transcript_len,
518 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
519 derived->client_handshake_traffic_secret,
520 hash_len);
521 if (ret != 0) {
522 return ret;
523 }
524
525 /*
526 * Compute server_handshake_traffic_secret with
527 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
528 */
529
530 ret = mbedtls_ssl_tls13_derive_secret(
531 hash_alg,
532 handshake_secret, hash_len,
533 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic),
534 transcript, transcript_len,
535 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
536 derived->server_handshake_traffic_secret,
537 hash_len);
538 if (ret != 0) {
539 return ret;
540 }
541
542 return 0;
543 }
544
mbedtls_ssl_tls13_derive_application_secrets(psa_algorithm_t hash_alg,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_application_secrets * derived)545 int mbedtls_ssl_tls13_derive_application_secrets(
546 psa_algorithm_t hash_alg,
547 unsigned char const *application_secret,
548 unsigned char const *transcript, size_t transcript_len,
549 mbedtls_ssl_tls13_application_secrets *derived)
550 {
551 int ret;
552 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
553
554 /* We should never call this function with an unknown hash,
555 * but add an assertion anyway. */
556 if (!PSA_ALG_IS_HASH(hash_alg)) {
557 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
558 }
559
560 /* Generate {client,server}_application_traffic_secret_0
561 *
562 * Master Secret
563 * |
564 * +-----> Derive-Secret( ., "c ap traffic",
565 * | ClientHello...server Finished )
566 * | = client_application_traffic_secret_0
567 * |
568 * +-----> Derive-Secret( ., "s ap traffic",
569 * | ClientHello...Server Finished )
570 * | = server_application_traffic_secret_0
571 * |
572 * +-----> Derive-Secret( ., "exp master",
573 * | ClientHello...server Finished)
574 * | = exporter_master_secret
575 *
576 */
577
578 ret = mbedtls_ssl_tls13_derive_secret(
579 hash_alg,
580 application_secret, hash_len,
581 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic),
582 transcript, transcript_len,
583 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
584 derived->client_application_traffic_secret_N,
585 hash_len);
586 if (ret != 0) {
587 return ret;
588 }
589
590 ret = mbedtls_ssl_tls13_derive_secret(
591 hash_alg,
592 application_secret, hash_len,
593 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic),
594 transcript, transcript_len,
595 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
596 derived->server_application_traffic_secret_N,
597 hash_len);
598 if (ret != 0) {
599 return ret;
600 }
601
602 ret = mbedtls_ssl_tls13_derive_secret(
603 hash_alg,
604 application_secret, hash_len,
605 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master),
606 transcript, transcript_len,
607 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
608 derived->exporter_master_secret,
609 hash_len);
610 if (ret != 0) {
611 return ret;
612 }
613
614 return 0;
615 }
616
617 /* Generate resumption_master_secret for use with the ticket exchange.
618 *
619 * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets()
620 * because it uses the transcript hash up to and including ClientFinished. */
mbedtls_ssl_tls13_derive_resumption_master_secret(psa_algorithm_t hash_alg,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_application_secrets * derived)621 int mbedtls_ssl_tls13_derive_resumption_master_secret(
622 psa_algorithm_t hash_alg,
623 unsigned char const *application_secret,
624 unsigned char const *transcript, size_t transcript_len,
625 mbedtls_ssl_tls13_application_secrets *derived)
626 {
627 int ret;
628 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
629
630 /* We should never call this function with an unknown hash,
631 * but add an assertion anyway. */
632 if (!PSA_ALG_IS_HASH(hash_alg)) {
633 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
634 }
635
636 ret = mbedtls_ssl_tls13_derive_secret(
637 hash_alg,
638 application_secret, hash_len,
639 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master),
640 transcript, transcript_len,
641 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
642 derived->resumption_master_secret,
643 hash_len);
644
645 if (ret != 0) {
646 return ret;
647 }
648
649 return 0;
650 }
651
652 /**
653 * \brief Transition into application stage of TLS 1.3 key schedule.
654 *
655 * The TLS 1.3 key schedule can be viewed as a simple state machine
656 * with states Initial -> Early -> Handshake -> Application, and
657 * this function represents the Handshake -> Application transition.
658 *
659 * In the handshake stage, ssl_tls13_generate_application_keys()
660 * can be used to derive the handshake traffic keys.
661 *
662 * \param ssl The SSL context to operate on. This must be in key schedule
663 * stage \c Handshake.
664 *
665 * \returns \c 0 on success.
666 * \returns A negative error code on failure.
667 */
668 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context * ssl)669 static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
670 {
671 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
672 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
673 psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
674 (mbedtls_md_type_t) handshake->ciphersuite_info->mac);
675
676 /*
677 * Compute MasterSecret
678 */
679 ret = mbedtls_ssl_tls13_evolve_secret(
680 hash_alg,
681 handshake->tls13_master_secrets.handshake,
682 NULL, 0,
683 handshake->tls13_master_secrets.app);
684 if (ret != 0) {
685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
686 return ret;
687 }
688
689 MBEDTLS_SSL_DEBUG_BUF(
690 4, "Master secret",
691 handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg));
692
693 return 0;
694 }
695
696 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg,unsigned char const * base_key,unsigned char const * transcript,unsigned char * dst,size_t * dst_len)697 static int ssl_tls13_calc_finished_core(psa_algorithm_t hash_alg,
698 unsigned char const *base_key,
699 unsigned char const *transcript,
700 unsigned char *dst,
701 size_t *dst_len)
702 {
703 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
704 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
705 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
706 size_t hash_len = PSA_HASH_LENGTH(hash_alg);
707 unsigned char finished_key[PSA_MAC_MAX_SIZE];
708 int ret;
709 psa_algorithm_t alg;
710
711 /* We should never call this function with an unknown hash,
712 * but add an assertion anyway. */
713 if (!PSA_ALG_IS_HASH(hash_alg)) {
714 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
715 }
716
717 /* TLS 1.3 Finished message
718 *
719 * struct {
720 * opaque verify_data[Hash.length];
721 * } Finished;
722 *
723 * verify_data =
724 * HMAC( finished_key,
725 * Hash( Handshake Context +
726 * Certificate* +
727 * CertificateVerify* )
728 * )
729 *
730 * finished_key =
731 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
732 */
733
734 ret = mbedtls_ssl_tls13_hkdf_expand_label(
735 hash_alg, base_key, hash_len,
736 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(finished),
737 NULL, 0,
738 finished_key, hash_len);
739 if (ret != 0) {
740 goto exit;
741 }
742
743 alg = PSA_ALG_HMAC(hash_alg);
744 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
745 psa_set_key_algorithm(&attributes, alg);
746 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
747
748 status = psa_import_key(&attributes, finished_key, hash_len, &key);
749 if (status != PSA_SUCCESS) {
750 ret = PSA_TO_MBEDTLS_ERR(status);
751 goto exit;
752 }
753
754 status = psa_mac_compute(key, alg, transcript, hash_len,
755 dst, hash_len, dst_len);
756 ret = PSA_TO_MBEDTLS_ERR(status);
757
758 exit:
759
760 status = psa_destroy_key(key);
761 if (ret == 0) {
762 ret = PSA_TO_MBEDTLS_ERR(status);
763 }
764
765 mbedtls_platform_zeroize(finished_key, sizeof(finished_key));
766
767 return ret;
768 }
769
mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * actual_len,int from)770 int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
771 unsigned char *dst,
772 size_t dst_len,
773 size_t *actual_len,
774 int from)
775 {
776 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
777
778 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
779 size_t transcript_len;
780
781 unsigned char *base_key = NULL;
782 size_t base_key_len = 0;
783 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
784 &ssl->handshake->tls13_hs_secrets;
785
786 mbedtls_md_type_t const md_type = (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac;
787
788 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(
789 (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac);
790 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
791
792 MBEDTLS_SSL_DEBUG_MSG(2, ("=> mbedtls_ssl_tls13_calculate_verify_data"));
793
794 if (from == MBEDTLS_SSL_IS_CLIENT) {
795 base_key = tls13_hs_secrets->client_handshake_traffic_secret;
796 base_key_len = sizeof(tls13_hs_secrets->client_handshake_traffic_secret);
797 } else {
798 base_key = tls13_hs_secrets->server_handshake_traffic_secret;
799 base_key_len = sizeof(tls13_hs_secrets->server_handshake_traffic_secret);
800 }
801
802 if (dst_len < hash_len) {
803 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
804 goto exit;
805 }
806
807 ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
808 transcript, sizeof(transcript),
809 &transcript_len);
810 if (ret != 0) {
811 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
812 goto exit;
813 }
814 MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len);
815
816 ret = ssl_tls13_calc_finished_core(hash_alg, base_key,
817 transcript, dst, actual_len);
818 if (ret != 0) {
819 goto exit;
820 }
821
822 MBEDTLS_SSL_DEBUG_BUF(3, "verify_data for finished message", dst, hash_len);
823 MBEDTLS_SSL_DEBUG_MSG(2, ("<= mbedtls_ssl_tls13_calculate_verify_data"));
824
825 exit:
826 /* Erase handshake secrets */
827 mbedtls_platform_zeroize(base_key, base_key_len);
828 mbedtls_platform_zeroize(transcript, sizeof(transcript));
829 return ret;
830 }
831
mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context * ssl,const psa_algorithm_t hash_alg,unsigned char const * psk,size_t psk_len,int psk_type,unsigned char const * transcript,unsigned char * result)832 int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
833 const psa_algorithm_t hash_alg,
834 unsigned char const *psk, size_t psk_len,
835 int psk_type,
836 unsigned char const *transcript,
837 unsigned char *result)
838 {
839 int ret = 0;
840 unsigned char binder_key[PSA_MAC_MAX_SIZE];
841 unsigned char early_secret[PSA_MAC_MAX_SIZE];
842 size_t const hash_len = PSA_HASH_LENGTH(hash_alg);
843 size_t actual_len;
844
845 #if !defined(MBEDTLS_DEBUG_C)
846 ssl = NULL; /* make sure we don't use it except for debug */
847 ((void) ssl);
848 #endif
849
850 /* We should never call this function with an unknown hash,
851 * but add an assertion anyway. */
852 if (!PSA_ALG_IS_HASH(hash_alg)) {
853 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
854 }
855
856 /*
857 * 0
858 * |
859 * v
860 * PSK -> HKDF-Extract = Early Secret
861 * |
862 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
863 * | = binder_key
864 * v
865 */
866
867 ret = mbedtls_ssl_tls13_evolve_secret(hash_alg,
868 NULL, /* Old secret */
869 psk, psk_len, /* Input */
870 early_secret);
871 if (ret != 0) {
872 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
873 goto exit;
874 }
875
876 MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_create_psk_binder",
877 early_secret, hash_len);
878
879 if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
880 ret = mbedtls_ssl_tls13_derive_secret(
881 hash_alg,
882 early_secret, hash_len,
883 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder),
884 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
885 binder_key, hash_len);
886 MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'"));
887 } else {
888 ret = mbedtls_ssl_tls13_derive_secret(
889 hash_alg,
890 early_secret, hash_len,
891 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder),
892 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
893 binder_key, hash_len);
894 MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'"));
895 }
896
897 if (ret != 0) {
898 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_secret", ret);
899 goto exit;
900 }
901
902 /*
903 * The binding_value is computed in the same way as the Finished message
904 * but with the BaseKey being the binder_key.
905 */
906
907 ret = ssl_tls13_calc_finished_core(hash_alg, binder_key, transcript,
908 result, &actual_len);
909 if (ret != 0) {
910 goto exit;
911 }
912
913 MBEDTLS_SSL_DEBUG_BUF(3, "psk binder", result, actual_len);
914
915 exit:
916
917 mbedtls_platform_zeroize(early_secret, sizeof(early_secret));
918 mbedtls_platform_zeroize(binder_key, sizeof(binder_key));
919 return ret;
920 }
921
mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform * transform,int endpoint,int ciphersuite,mbedtls_ssl_key_set const * traffic_keys,mbedtls_ssl_context * ssl)922 int mbedtls_ssl_tls13_populate_transform(
923 mbedtls_ssl_transform *transform,
924 int endpoint, int ciphersuite,
925 mbedtls_ssl_key_set const *traffic_keys,
926 mbedtls_ssl_context *ssl /* DEBUG ONLY */)
927 {
928 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
929 unsigned char const *key_enc;
930 unsigned char const *iv_enc;
931 unsigned char const *key_dec;
932 unsigned char const *iv_dec;
933
934 psa_key_type_t key_type;
935 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
936 psa_algorithm_t alg;
937 size_t key_bits;
938 psa_status_t status = PSA_SUCCESS;
939
940 #if !defined(MBEDTLS_DEBUG_C)
941 ssl = NULL; /* make sure we don't use it except for those cases */
942 (void) ssl;
943 #endif
944
945 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
946 if (ciphersuite_info == NULL) {
947 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
948 ciphersuite));
949 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
950 }
951
952
953 #if defined(MBEDTLS_SSL_SRV_C)
954 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
955 key_enc = traffic_keys->server_write_key;
956 key_dec = traffic_keys->client_write_key;
957 iv_enc = traffic_keys->server_write_iv;
958 iv_dec = traffic_keys->client_write_iv;
959 } else
960 #endif /* MBEDTLS_SSL_SRV_C */
961 #if defined(MBEDTLS_SSL_CLI_C)
962 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
963 key_enc = traffic_keys->client_write_key;
964 key_dec = traffic_keys->server_write_key;
965 iv_enc = traffic_keys->client_write_iv;
966 iv_dec = traffic_keys->server_write_iv;
967 } else
968 #endif /* MBEDTLS_SSL_CLI_C */
969 {
970 /* should not happen */
971 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
972 }
973
974 memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len);
975 memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len);
976
977
978 /*
979 * Setup other fields in SSL transform
980 */
981
982 if ((ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) != 0) {
983 transform->taglen = 8;
984 } else {
985 transform->taglen = 16;
986 }
987
988 transform->ivlen = traffic_keys->iv_len;
989 transform->maclen = 0;
990 transform->fixed_ivlen = transform->ivlen;
991 transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
992
993 /* We add the true record content type (1 Byte) to the plaintext and
994 * then pad to the configured granularity. The minimum length of the
995 * type-extended and padded plaintext is therefore the padding
996 * granularity. */
997 transform->minlen =
998 transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
999
1000 /*
1001 * Setup psa keys and alg
1002 */
1003 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
1004 transform->taglen,
1005 &alg,
1006 &key_type,
1007 &key_bits)) != PSA_SUCCESS) {
1008 MBEDTLS_SSL_DEBUG_RET(
1009 1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
1010 return PSA_TO_MBEDTLS_ERR(status);
1011 }
1012
1013 transform->psa_alg = alg;
1014
1015 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
1016 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
1017 psa_set_key_algorithm(&attributes, alg);
1018 psa_set_key_type(&attributes, key_type);
1019
1020 if ((status = psa_import_key(&attributes,
1021 key_enc,
1022 PSA_BITS_TO_BYTES(key_bits),
1023 &transform->psa_key_enc)) != PSA_SUCCESS) {
1024 MBEDTLS_SSL_DEBUG_RET(
1025 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
1026 return PSA_TO_MBEDTLS_ERR(status);
1027 }
1028
1029 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
1030
1031 if ((status = psa_import_key(&attributes,
1032 key_dec,
1033 PSA_BITS_TO_BYTES(key_bits),
1034 &transform->psa_key_dec)) != PSA_SUCCESS) {
1035 MBEDTLS_SSL_DEBUG_RET(
1036 1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
1037 return PSA_TO_MBEDTLS_ERR(status);
1038 }
1039 }
1040
1041 return 0;
1042 }
1043
1044 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_get_cipher_key_info(const mbedtls_ssl_ciphersuite_t * ciphersuite_info,size_t * key_len,size_t * iv_len)1045 static int ssl_tls13_get_cipher_key_info(
1046 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
1047 size_t *key_len, size_t *iv_len)
1048 {
1049 psa_key_type_t key_type;
1050 psa_algorithm_t alg;
1051 size_t taglen;
1052 size_t key_bits;
1053 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1054
1055 if (ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) {
1056 taglen = 8;
1057 } else {
1058 taglen = 16;
1059 }
1060
1061 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, taglen,
1062 &alg, &key_type, &key_bits);
1063 if (status != PSA_SUCCESS) {
1064 return PSA_TO_MBEDTLS_ERR(status);
1065 }
1066
1067 *key_len = PSA_BITS_TO_BYTES(key_bits);
1068
1069 /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
1070 *iv_len = 12;
1071
1072 return 0;
1073 }
1074
1075 #if defined(MBEDTLS_SSL_EARLY_DATA)
1076 /*
1077 * ssl_tls13_generate_early_key() generates the key necessary for protecting
1078 * the early application data and handshake messages as described in section 7
1079 * of RFC 8446.
1080 *
1081 * NOTE: Only one key is generated, the key for the traffic from the client to
1082 * the server. The TLS 1.3 specification does not define a secret and thus
1083 * a key for server early traffic.
1084 */
1085 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_generate_early_key(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)1086 static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
1087 mbedtls_ssl_key_set *traffic_keys)
1088 {
1089 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1090 mbedtls_md_type_t md_type;
1091 psa_algorithm_t hash_alg;
1092 size_t hash_len;
1093 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1094 size_t transcript_len;
1095 size_t key_len = 0;
1096 size_t iv_len = 0;
1097 mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
1098
1099 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1100 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1101 handshake->ciphersuite_info;
1102
1103 MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
1104
1105 ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len);
1106 if (ret != 0) {
1107 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
1108 goto cleanup;
1109 }
1110
1111 md_type = (mbedtls_md_type_t) ciphersuite_info->mac;
1112
1113 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
1114 hash_len = PSA_HASH_LENGTH(hash_alg);
1115
1116 ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
1117 transcript,
1118 sizeof(transcript),
1119 &transcript_len);
1120 if (ret != 0) {
1121 MBEDTLS_SSL_DEBUG_RET(1,
1122 "mbedtls_ssl_get_handshake_transcript",
1123 ret);
1124 goto cleanup;
1125 }
1126
1127 ret = mbedtls_ssl_tls13_derive_early_secrets(
1128 hash_alg, handshake->tls13_master_secrets.early,
1129 transcript, transcript_len, &tls13_early_secrets);
1130 if (ret != 0) {
1131 MBEDTLS_SSL_DEBUG_RET(
1132 1, "mbedtls_ssl_tls13_derive_early_secrets", ret);
1133 goto cleanup;
1134 }
1135
1136 MBEDTLS_SSL_DEBUG_BUF(
1137 4, "Client early traffic secret",
1138 tls13_early_secrets.client_early_traffic_secret, hash_len);
1139
1140 /*
1141 * Export client handshake traffic secret
1142 */
1143 if (ssl->f_export_keys != NULL) {
1144 ssl->f_export_keys(
1145 ssl->p_export_keys,
1146 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET,
1147 tls13_early_secrets.client_early_traffic_secret,
1148 hash_len,
1149 handshake->randbytes,
1150 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
1151 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
1152 }
1153
1154 ret = ssl_tls13_make_traffic_key(
1155 hash_alg,
1156 tls13_early_secrets.client_early_traffic_secret,
1157 hash_len, traffic_keys->client_write_key, key_len,
1158 traffic_keys->client_write_iv, iv_len);
1159 if (ret != 0) {
1160 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_make_traffic_key", ret);
1161 goto cleanup;
1162 }
1163 traffic_keys->key_len = key_len;
1164 traffic_keys->iv_len = iv_len;
1165
1166 MBEDTLS_SSL_DEBUG_BUF(4, "client early write_key",
1167 traffic_keys->client_write_key,
1168 traffic_keys->key_len);
1169
1170 MBEDTLS_SSL_DEBUG_BUF(4, "client early write_iv",
1171 traffic_keys->client_write_iv,
1172 traffic_keys->iv_len);
1173
1174 MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key"));
1175
1176 cleanup:
1177 /* Erase early secrets and transcript */
1178 mbedtls_platform_zeroize(
1179 &tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
1180 mbedtls_platform_zeroize(transcript, sizeof(transcript));
1181 return ret;
1182 }
1183
mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context * ssl)1184 int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl)
1185 {
1186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1187 mbedtls_ssl_key_set traffic_keys;
1188 mbedtls_ssl_transform *transform_earlydata = NULL;
1189 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1190
1191 /* Next evolution in key schedule: Establish early_data secret and
1192 * key material. */
1193 ret = ssl_tls13_generate_early_key(ssl, &traffic_keys);
1194 if (ret != 0) {
1195 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_early_key",
1196 ret);
1197 goto cleanup;
1198 }
1199
1200 transform_earlydata = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1201 if (transform_earlydata == NULL) {
1202 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1203 goto cleanup;
1204 }
1205
1206 ret = mbedtls_ssl_tls13_populate_transform(
1207 transform_earlydata,
1208 ssl->conf->endpoint,
1209 handshake->ciphersuite_info->id,
1210 &traffic_keys,
1211 ssl);
1212 if (ret != 0) {
1213 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
1214 goto cleanup;
1215 }
1216 handshake->transform_earlydata = transform_earlydata;
1217
1218 cleanup:
1219 mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
1220 if (ret != 0) {
1221 mbedtls_free(transform_earlydata);
1222 }
1223
1224 return ret;
1225 }
1226 #endif /* MBEDTLS_SSL_EARLY_DATA */
1227
mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context * ssl)1228 int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl)
1229 {
1230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1231 psa_algorithm_t hash_alg;
1232 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1233 unsigned char *psk = NULL;
1234 size_t psk_len = 0;
1235
1236 if (handshake->ciphersuite_info == NULL) {
1237 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher suite info not found"));
1238 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1239 }
1240
1241 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac);
1242 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1243 if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
1244 ret = mbedtls_ssl_tls13_export_handshake_psk(ssl, &psk, &psk_len);
1245 if (ret != 0) {
1246 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_export_handshake_psk",
1247 ret);
1248 return ret;
1249 }
1250 }
1251 #endif
1252
1253 ret = mbedtls_ssl_tls13_evolve_secret(hash_alg, NULL, psk, psk_len,
1254 handshake->tls13_master_secrets.early);
1255 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1256 mbedtls_free((void *) psk);
1257 #endif
1258 if (ret != 0) {
1259 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
1260 return ret;
1261 }
1262
1263 MBEDTLS_SSL_DEBUG_BUF(4, "mbedtls_ssl_tls13_key_schedule_stage_early",
1264 handshake->tls13_master_secrets.early,
1265 PSA_HASH_LENGTH(hash_alg));
1266 return 0;
1267 }
1268
1269 /**
1270 * \brief Compute TLS 1.3 handshake traffic keys.
1271 *
1272 * ssl_tls13_generate_handshake_keys() generates keys necessary for
1273 * protecting the handshake messages, as described in Section 7 of
1274 * RFC 8446.
1275 *
1276 * \param ssl The SSL context to operate on. This must be in
1277 * key schedule stage \c Handshake, see
1278 * ssl_tls13_key_schedule_stage_handshake().
1279 * \param traffic_keys The address at which to store the handshake traffic
1280 * keys. This must be writable but may be uninitialized.
1281 *
1282 * \returns \c 0 on success.
1283 * \returns A negative error code on failure.
1284 */
1285 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_generate_handshake_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)1286 static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
1287 mbedtls_ssl_key_set *traffic_keys)
1288 {
1289 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1290 mbedtls_md_type_t md_type;
1291 psa_algorithm_t hash_alg;
1292 size_t hash_len;
1293 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1294 size_t transcript_len;
1295 size_t key_len = 0;
1296 size_t iv_len = 0;
1297
1298 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1299 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1300 handshake->ciphersuite_info;
1301 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
1302 &handshake->tls13_hs_secrets;
1303
1304 MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys"));
1305
1306 ret = ssl_tls13_get_cipher_key_info(ciphersuite_info, &key_len, &iv_len);
1307 if (ret != 0) {
1308 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
1309 return ret;
1310 }
1311
1312 md_type = (mbedtls_md_type_t) ciphersuite_info->mac;
1313
1314 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
1315 hash_len = PSA_HASH_LENGTH(hash_alg);
1316
1317 ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
1318 transcript,
1319 sizeof(transcript),
1320 &transcript_len);
1321 if (ret != 0) {
1322 MBEDTLS_SSL_DEBUG_RET(1,
1323 "mbedtls_ssl_get_handshake_transcript",
1324 ret);
1325 return ret;
1326 }
1327
1328 ret = mbedtls_ssl_tls13_derive_handshake_secrets(
1329 hash_alg, handshake->tls13_master_secrets.handshake,
1330 transcript, transcript_len, tls13_hs_secrets);
1331 if (ret != 0) {
1332 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets",
1333 ret);
1334 return ret;
1335 }
1336
1337 MBEDTLS_SSL_DEBUG_BUF(4, "Client handshake traffic secret",
1338 tls13_hs_secrets->client_handshake_traffic_secret,
1339 hash_len);
1340 MBEDTLS_SSL_DEBUG_BUF(4, "Server handshake traffic secret",
1341 tls13_hs_secrets->server_handshake_traffic_secret,
1342 hash_len);
1343
1344 /*
1345 * Export client handshake traffic secret
1346 */
1347 if (ssl->f_export_keys != NULL) {
1348 ssl->f_export_keys(
1349 ssl->p_export_keys,
1350 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
1351 tls13_hs_secrets->client_handshake_traffic_secret,
1352 hash_len,
1353 handshake->randbytes,
1354 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
1355 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
1356
1357 ssl->f_export_keys(
1358 ssl->p_export_keys,
1359 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
1360 tls13_hs_secrets->server_handshake_traffic_secret,
1361 hash_len,
1362 handshake->randbytes,
1363 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
1364 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
1365 }
1366
1367 ret = mbedtls_ssl_tls13_make_traffic_keys(
1368 hash_alg,
1369 tls13_hs_secrets->client_handshake_traffic_secret,
1370 tls13_hs_secrets->server_handshake_traffic_secret,
1371 hash_len, key_len, iv_len, traffic_keys);
1372 if (ret != 0) {
1373 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
1374 goto exit;
1375 }
1376
1377 MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_key",
1378 traffic_keys->client_write_key,
1379 traffic_keys->key_len);
1380
1381 MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_key",
1382 traffic_keys->server_write_key,
1383 traffic_keys->key_len);
1384
1385 MBEDTLS_SSL_DEBUG_BUF(4, "client_handshake write_iv",
1386 traffic_keys->client_write_iv,
1387 traffic_keys->iv_len);
1388
1389 MBEDTLS_SSL_DEBUG_BUF(4, "server_handshake write_iv",
1390 traffic_keys->server_write_iv,
1391 traffic_keys->iv_len);
1392
1393 MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_handshake_keys"));
1394
1395 exit:
1396
1397 return ret;
1398 }
1399
1400 /**
1401 * \brief Transition into handshake stage of TLS 1.3 key schedule.
1402 *
1403 * The TLS 1.3 key schedule can be viewed as a simple state machine
1404 * with states Initial -> Early -> Handshake -> Application, and
1405 * this function represents the Early -> Handshake transition.
1406 *
1407 * In the handshake stage, ssl_tls13_generate_handshake_keys()
1408 * can be used to derive the handshake traffic keys.
1409 *
1410 * \param ssl The SSL context to operate on. This must be in key schedule
1411 * stage \c Early.
1412 *
1413 * \returns \c 0 on success.
1414 * \returns A negative error code on failure.
1415 */
1416 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context * ssl)1417 static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
1418 {
1419 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1420 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1421 psa_algorithm_t const hash_alg = mbedtls_md_psa_alg_from_type(
1422 (mbedtls_md_type_t) handshake->ciphersuite_info->mac);
1423 unsigned char *shared_secret = NULL;
1424 size_t shared_secret_len = 0;
1425
1426 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
1427 /*
1428 * Compute ECDHE secret used to compute the handshake secret from which
1429 * client_handshake_traffic_secret and server_handshake_traffic_secret
1430 * are derived in the handshake secret derivation stage.
1431 */
1432 if (mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(ssl)) {
1433 if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ||
1434 mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) {
1435 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
1436 psa_algorithm_t alg =
1437 mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ?
1438 PSA_ALG_ECDH : PSA_ALG_FFDH;
1439
1440 /* Compute ECDH shared secret. */
1441 psa_status_t status = PSA_ERROR_GENERIC_ERROR;
1442 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
1443
1444 status = psa_get_key_attributes(handshake->xxdh_psa_privkey,
1445 &key_attributes);
1446 if (status != PSA_SUCCESS) {
1447 ret = PSA_TO_MBEDTLS_ERR(status);
1448 }
1449
1450 shared_secret_len = PSA_BITS_TO_BYTES(
1451 psa_get_key_bits(&key_attributes));
1452 shared_secret = mbedtls_calloc(1, shared_secret_len);
1453 if (shared_secret == NULL) {
1454 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1455 }
1456
1457 status = psa_raw_key_agreement(
1458 alg, handshake->xxdh_psa_privkey,
1459 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len,
1460 shared_secret, shared_secret_len, &shared_secret_len);
1461 if (status != PSA_SUCCESS) {
1462 ret = PSA_TO_MBEDTLS_ERR(status);
1463 MBEDTLS_SSL_DEBUG_RET(1, "psa_raw_key_agreement", ret);
1464 goto cleanup;
1465 }
1466
1467 status = psa_destroy_key(handshake->xxdh_psa_privkey);
1468 if (status != PSA_SUCCESS) {
1469 ret = PSA_TO_MBEDTLS_ERR(status);
1470 MBEDTLS_SSL_DEBUG_RET(1, "psa_destroy_key", ret);
1471 goto cleanup;
1472 }
1473
1474 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
1475 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
1476 } else {
1477 MBEDTLS_SSL_DEBUG_MSG(1, ("Group not supported."));
1478 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1479 }
1480 }
1481 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
1482
1483 /*
1484 * Compute the Handshake Secret
1485 */
1486 ret = mbedtls_ssl_tls13_evolve_secret(
1487 hash_alg, handshake->tls13_master_secrets.early,
1488 shared_secret, shared_secret_len,
1489 handshake->tls13_master_secrets.handshake);
1490 if (ret != 0) {
1491 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
1492 goto cleanup;
1493 }
1494
1495 MBEDTLS_SSL_DEBUG_BUF(4, "Handshake secret",
1496 handshake->tls13_master_secrets.handshake,
1497 PSA_HASH_LENGTH(hash_alg));
1498
1499 cleanup:
1500 if (shared_secret != NULL) {
1501 mbedtls_zeroize_and_free(shared_secret, shared_secret_len);
1502 }
1503
1504 return ret;
1505 }
1506
1507 /**
1508 * \brief Compute TLS 1.3 application traffic keys.
1509 *
1510 * ssl_tls13_generate_application_keys() generates application traffic
1511 * keys, since any record following a 1-RTT Finished message MUST be
1512 * encrypted under the application traffic key.
1513 *
1514 * \param ssl The SSL context to operate on. This must be in
1515 * key schedule stage \c Application, see
1516 * ssl_tls13_key_schedule_stage_application().
1517 * \param traffic_keys The address at which to store the application traffic
1518 * keys. This must be writable but may be uninitialized.
1519 *
1520 * \returns \c 0 on success.
1521 * \returns A negative error code on failure.
1522 */
1523 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_generate_application_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)1524 static int ssl_tls13_generate_application_keys(
1525 mbedtls_ssl_context *ssl,
1526 mbedtls_ssl_key_set *traffic_keys)
1527 {
1528 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1529 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1530
1531 /* Address at which to store the application secrets */
1532 mbedtls_ssl_tls13_application_secrets * const app_secrets =
1533 &ssl->session_negotiate->app_secrets;
1534
1535 /* Holding the transcript up to and including the ServerFinished */
1536 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1537 size_t transcript_len;
1538
1539 /* Variables relating to the hash for the chosen ciphersuite. */
1540 mbedtls_md_type_t md_type;
1541
1542 psa_algorithm_t hash_alg;
1543 size_t hash_len;
1544
1545 /* Variables relating to the cipher for the chosen ciphersuite. */
1546 size_t key_len = 0, iv_len = 0;
1547
1548 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys"));
1549
1550 /* Extract basic information about hash and ciphersuite */
1551
1552 ret = ssl_tls13_get_cipher_key_info(handshake->ciphersuite_info,
1553 &key_len, &iv_len);
1554 if (ret != 0) {
1555 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_get_cipher_key_info", ret);
1556 goto cleanup;
1557 }
1558
1559 md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
1560
1561 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac);
1562 hash_len = PSA_HASH_LENGTH(hash_alg);
1563
1564 /* Compute current handshake transcript. It's the caller's responsibility
1565 * to call this at the right time, that is, after the ServerFinished. */
1566
1567 ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
1568 transcript, sizeof(transcript),
1569 &transcript_len);
1570 if (ret != 0) {
1571 goto cleanup;
1572 }
1573
1574 /* Compute application secrets from master secret and transcript hash. */
1575
1576 ret = mbedtls_ssl_tls13_derive_application_secrets(
1577 hash_alg, handshake->tls13_master_secrets.app,
1578 transcript, transcript_len, app_secrets);
1579 if (ret != 0) {
1580 MBEDTLS_SSL_DEBUG_RET(
1581 1, "mbedtls_ssl_tls13_derive_application_secrets", ret);
1582 goto cleanup;
1583 }
1584
1585 /* Derive first epoch of IV + Key for application traffic. */
1586
1587 ret = mbedtls_ssl_tls13_make_traffic_keys(
1588 hash_alg,
1589 app_secrets->client_application_traffic_secret_N,
1590 app_secrets->server_application_traffic_secret_N,
1591 hash_len, key_len, iv_len, traffic_keys);
1592 if (ret != 0) {
1593 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
1594 goto cleanup;
1595 }
1596
1597 MBEDTLS_SSL_DEBUG_BUF(4, "Client application traffic secret",
1598 app_secrets->client_application_traffic_secret_N,
1599 hash_len);
1600
1601 MBEDTLS_SSL_DEBUG_BUF(4, "Server application traffic secret",
1602 app_secrets->server_application_traffic_secret_N,
1603 hash_len);
1604
1605 /*
1606 * Export client/server application traffic secret 0
1607 */
1608 if (ssl->f_export_keys != NULL) {
1609 ssl->f_export_keys(
1610 ssl->p_export_keys,
1611 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
1612 app_secrets->client_application_traffic_secret_N, hash_len,
1613 handshake->randbytes,
1614 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
1615 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1616 a new constant for TLS 1.3! */);
1617
1618 ssl->f_export_keys(
1619 ssl->p_export_keys,
1620 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
1621 app_secrets->server_application_traffic_secret_N, hash_len,
1622 handshake->randbytes,
1623 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
1624 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1625 a new constant for TLS 1.3! */);
1626 }
1627
1628 MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:",
1629 traffic_keys->client_write_key, key_len);
1630 MBEDTLS_SSL_DEBUG_BUF(4, "server application write key",
1631 traffic_keys->server_write_key, key_len);
1632 MBEDTLS_SSL_DEBUG_BUF(4, "client application write IV",
1633 traffic_keys->client_write_iv, iv_len);
1634 MBEDTLS_SSL_DEBUG_BUF(4, "server application write IV",
1635 traffic_keys->server_write_iv, iv_len);
1636
1637 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive application traffic keys"));
1638
1639 cleanup:
1640 /* randbytes is not used again */
1641 mbedtls_platform_zeroize(ssl->handshake->randbytes,
1642 sizeof(ssl->handshake->randbytes));
1643
1644 mbedtls_platform_zeroize(transcript, sizeof(transcript));
1645 return ret;
1646 }
1647
mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context * ssl)1648 int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl)
1649 {
1650 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1651 mbedtls_ssl_key_set traffic_keys;
1652 mbedtls_ssl_transform *transform_handshake = NULL;
1653 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1654
1655 /* Compute handshake secret */
1656 ret = ssl_tls13_key_schedule_stage_handshake(ssl);
1657 if (ret != 0) {
1658 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_master_secret", ret);
1659 goto cleanup;
1660 }
1661
1662 /* Next evolution in key schedule: Establish handshake secret and
1663 * key material. */
1664 ret = ssl_tls13_generate_handshake_keys(ssl, &traffic_keys);
1665 if (ret != 0) {
1666 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls13_generate_handshake_keys",
1667 ret);
1668 goto cleanup;
1669 }
1670
1671 transform_handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1672 if (transform_handshake == NULL) {
1673 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1674 goto cleanup;
1675 }
1676
1677 ret = mbedtls_ssl_tls13_populate_transform(
1678 transform_handshake,
1679 ssl->conf->endpoint,
1680 handshake->ciphersuite_info->id,
1681 &traffic_keys,
1682 ssl);
1683 if (ret != 0) {
1684 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
1685 goto cleanup;
1686 }
1687 handshake->transform_handshake = transform_handshake;
1688
1689 cleanup:
1690 mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
1691 if (ret != 0) {
1692 mbedtls_free(transform_handshake);
1693 }
1694
1695 return ret;
1696 }
1697
mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context * ssl)1698 int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
1699 {
1700 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1701 mbedtls_md_type_t md_type;
1702 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1703 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1704 size_t transcript_len;
1705
1706 MBEDTLS_SSL_DEBUG_MSG(
1707 2, ("=> mbedtls_ssl_tls13_compute_resumption_master_secret"));
1708
1709 md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
1710
1711 ret = mbedtls_ssl_get_handshake_transcript(ssl, md_type,
1712 transcript, sizeof(transcript),
1713 &transcript_len);
1714 if (ret != 0) {
1715 return ret;
1716 }
1717
1718 ret = mbedtls_ssl_tls13_derive_resumption_master_secret(
1719 mbedtls_md_psa_alg_from_type(md_type),
1720 handshake->tls13_master_secrets.app,
1721 transcript, transcript_len,
1722 &ssl->session_negotiate->app_secrets);
1723 if (ret != 0) {
1724 return ret;
1725 }
1726
1727 /* Erase master secrets */
1728 mbedtls_platform_zeroize(&handshake->tls13_master_secrets,
1729 sizeof(handshake->tls13_master_secrets));
1730
1731 MBEDTLS_SSL_DEBUG_BUF(
1732 4, "Resumption master secret",
1733 ssl->session_negotiate->app_secrets.resumption_master_secret,
1734 PSA_HASH_LENGTH(mbedtls_md_psa_alg_from_type(md_type)));
1735
1736 MBEDTLS_SSL_DEBUG_MSG(
1737 2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
1738 return 0;
1739 }
1740
mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context * ssl)1741 int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl)
1742 {
1743 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1744 mbedtls_ssl_key_set traffic_keys;
1745 mbedtls_ssl_transform *transform_application = NULL;
1746
1747 ret = ssl_tls13_key_schedule_stage_application(ssl);
1748 if (ret != 0) {
1749 MBEDTLS_SSL_DEBUG_RET(1,
1750 "ssl_tls13_key_schedule_stage_application", ret);
1751 goto cleanup;
1752 }
1753
1754 ret = ssl_tls13_generate_application_keys(ssl, &traffic_keys);
1755 if (ret != 0) {
1756 MBEDTLS_SSL_DEBUG_RET(1,
1757 "ssl_tls13_generate_application_keys", ret);
1758 goto cleanup;
1759 }
1760
1761 transform_application =
1762 mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1763 if (transform_application == NULL) {
1764 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1765 goto cleanup;
1766 }
1767
1768 ret = mbedtls_ssl_tls13_populate_transform(
1769 transform_application,
1770 ssl->conf->endpoint,
1771 ssl->handshake->ciphersuite_info->id,
1772 &traffic_keys,
1773 ssl);
1774 if (ret != 0) {
1775 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_populate_transform", ret);
1776 goto cleanup;
1777 }
1778
1779 ssl->transform_application = transform_application;
1780
1781 cleanup:
1782
1783 mbedtls_platform_zeroize(&traffic_keys, sizeof(traffic_keys));
1784 if (ret != 0) {
1785 mbedtls_free(transform_application);
1786 }
1787 return ret;
1788 }
1789
1790 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context * ssl,unsigned char ** psk,size_t * psk_len)1791 int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl,
1792 unsigned char **psk,
1793 size_t *psk_len)
1794 {
1795 psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
1796 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1797
1798 *psk_len = 0;
1799 *psk = NULL;
1800
1801 if (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1802 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
1803 }
1804
1805 status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes);
1806 if (status != PSA_SUCCESS) {
1807 return PSA_TO_MBEDTLS_ERR(status);
1808 }
1809
1810 *psk_len = PSA_BITS_TO_BYTES(psa_get_key_bits(&key_attributes));
1811 *psk = mbedtls_calloc(1, *psk_len);
1812 if (*psk == NULL) {
1813 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1814 }
1815
1816 status = psa_export_key(ssl->handshake->psk_opaque,
1817 (uint8_t *) *psk, *psk_len, psk_len);
1818 if (status != PSA_SUCCESS) {
1819 mbedtls_free((void *) *psk);
1820 *psk = NULL;
1821 return PSA_TO_MBEDTLS_ERR(status);
1822 }
1823 return 0;
1824 }
1825 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1826
1827 #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,const unsigned char * secret,const size_t secret_len,const unsigned char * label,const size_t label_len,const unsigned char * context_value,const size_t context_len,unsigned char * out,const size_t out_len)1828 int mbedtls_ssl_tls13_exporter(const psa_algorithm_t hash_alg,
1829 const unsigned char *secret, const size_t secret_len,
1830 const unsigned char *label, const size_t label_len,
1831 const unsigned char *context_value, const size_t context_len,
1832 unsigned char *out, const size_t out_len)
1833 {
1834 size_t hash_len = PSA_HASH_LENGTH(hash_alg);
1835 unsigned char hkdf_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1836 int ret = 0;
1837
1838 ret = mbedtls_ssl_tls13_derive_secret(hash_alg, secret, secret_len, label, label_len, NULL, 0,
1839 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, hkdf_secret,
1840 hash_len);
1841 if (ret != 0) {
1842 goto exit;
1843 }
1844 ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
1845 hkdf_secret,
1846 hash_len,
1847 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
1848 context_value,
1849 context_len,
1850 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
1851 out,
1852 out_len);
1853
1854 exit:
1855 mbedtls_platform_zeroize(hkdf_secret, sizeof(hkdf_secret));
1856 return ret;
1857 }
1858 #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
1859
1860 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1861