1 /*
2  *  TLS 1.3 key schedule
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "common.h"
21 
22 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23 
24 #include <stdint.h>
25 #include <string.h>
26 
27 #include "mbedtls/hkdf.h"
28 #include "mbedtls/debug.h"
29 #include "mbedtls/error.h"
30 
31 #include "ssl_misc.h"
32 #include "ssl_tls13_keys.h"
33 
34 #define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
35     .name = string,
36 
37 struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
38 {
39     /* This seems to work in C, despite the string literal being one
40      * character too long due to the 0-termination. */
41     MBEDTLS_SSL_TLS1_3_LABEL_LIST
42 };
43 
44 #undef MBEDTLS_SSL_TLS1_3_LABEL
45 
46 /*
47  * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
48  *
49  * The HkdfLabel is specified in RFC 8446 as follows:
50  *
51  * struct HkdfLabel {
52  *   uint16 length;            // Length of expanded key material
53  *   opaque label<7..255>;     // Always prefixed by "tls13 "
54  *   opaque context<0..255>;   // Usually a communication transcript hash
55  * };
56  *
57  * Parameters:
58  * - desired_length: Length of expanded key material
59  *                   Even though the standard allows expansion to up to
60  *                   2**16 Bytes, TLS 1.3 never uses expansion to more than
61  *                   255 Bytes, so we require `desired_length` to be at most
62  *                   255. This allows us to save a few Bytes of code by
63  *                   hardcoding the writing of the high bytes.
64  * - (label, llen): label + label length, without "tls13 " prefix
65  *                  The label length MUST be less than or equal to
66  *                  MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
67  *                  It is the caller's responsibility to ensure this.
68  *                  All (label, label length) pairs used in TLS 1.3
69  *                  can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
70  * - (ctx, clen): context + context length
71  *                The context length MUST be less than or equal to
72  *                MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
73  *                It is the caller's responsibility to ensure this.
74  * - dst: Target buffer for HkdfLabel structure,
75  *        This MUST be a writable buffer of size
76  *        at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
77  * - dlen: Pointer at which to store the actual length of
78  *         the HkdfLabel structure on success.
79  */
80 
81 static const char tls1_3_label_prefix[6] = "tls13 ";
82 
83 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
84     (   2                  /* expansion length           */ \
85       + 1                  /* label length               */ \
86       + label_len                                           \
87       + 1                  /* context length             */ \
88       + context_len )
89 
90 #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN                      \
91     SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN(                             \
92                      sizeof(tls1_3_label_prefix) +                      \
93                      MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN,     \
94                      MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
95 
ssl_tls1_3_hkdf_encode_label(size_t desired_length,const unsigned char * label,size_t llen,const unsigned char * ctx,size_t clen,unsigned char * dst,size_t * dlen)96 static void ssl_tls1_3_hkdf_encode_label(
97                             size_t desired_length,
98                             const unsigned char *label, size_t llen,
99                             const unsigned char *ctx, size_t clen,
100                             unsigned char *dst, size_t *dlen )
101 {
102     size_t total_label_len =
103         sizeof(tls1_3_label_prefix) + llen;
104     size_t total_hkdf_lbl_len =
105         SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
106 
107     unsigned char *p = dst;
108 
109     /* Add the size of the expanded key material.
110      * We're hardcoding the high byte to 0 here assuming that we never use
111      * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
112 #if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
113 #error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \
114         value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
115 #endif
116 
117     *p++ = 0;
118     *p++ = MBEDTLS_BYTE_0( desired_length );
119 
120     /* Add label incl. prefix */
121     *p++ = MBEDTLS_BYTE_0( total_label_len );
122     memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
123     p += sizeof(tls1_3_label_prefix);
124     memcpy( p, label, llen );
125     p += llen;
126 
127     /* Add context value */
128     *p++ = MBEDTLS_BYTE_0( clen );
129     if( clen != 0 )
130         memcpy( p, ctx, clen );
131 
132     /* Return total length to the caller.  */
133     *dlen = total_hkdf_lbl_len;
134 }
135 
mbedtls_ssl_tls1_3_hkdf_expand_label(mbedtls_md_type_t hash_alg,const unsigned char * secret,size_t slen,const unsigned char * label,size_t llen,const unsigned char * ctx,size_t clen,unsigned char * buf,size_t blen)136 int mbedtls_ssl_tls1_3_hkdf_expand_label(
137                      mbedtls_md_type_t hash_alg,
138                      const unsigned char *secret, size_t slen,
139                      const unsigned char *label, size_t llen,
140                      const unsigned char *ctx, size_t clen,
141                      unsigned char *buf, size_t blen )
142 {
143     const mbedtls_md_info_t *md;
144     unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
145     size_t hkdf_label_len;
146 
147     if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
148     {
149         /* Should never happen since this is an internal
150          * function, and we know statically which labels
151          * are allowed. */
152         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
153     }
154 
155     if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
156     {
157         /* Should not happen, as above. */
158         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
159     }
160 
161     if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
162     {
163         /* Should not happen, as above. */
164         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
165     }
166 
167     md = mbedtls_md_info_from_type( hash_alg );
168     if( md == NULL )
169         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
170 
171     ssl_tls1_3_hkdf_encode_label( blen,
172                                   label, llen,
173                                   ctx, clen,
174                                   hkdf_label,
175                                   &hkdf_label_len );
176 
177     return( mbedtls_hkdf_expand( md,
178                                  secret, slen,
179                                  hkdf_label, hkdf_label_len,
180                                  buf, blen ) );
181 }
182 
183 /*
184  * The traffic keying material is generated from the following inputs:
185  *
186  *  - One secret value per sender.
187  *  - A purpose value indicating the specific value being generated
188  *  - The desired lengths of key and IV.
189  *
190  * The expansion itself is based on HKDF:
191  *
192  *   [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
193  *   [sender]_write_iv  = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
194  *
195  * [sender] denotes the sending side and the Secret value is provided
196  * by the function caller. Note that we generate server and client side
197  * keys in a single function call.
198  */
mbedtls_ssl_tls1_3_make_traffic_keys(mbedtls_md_type_t hash_alg,const unsigned char * client_secret,const unsigned char * server_secret,size_t slen,size_t key_len,size_t iv_len,mbedtls_ssl_key_set * keys)199 int mbedtls_ssl_tls1_3_make_traffic_keys(
200                      mbedtls_md_type_t hash_alg,
201                      const unsigned char *client_secret,
202                      const unsigned char *server_secret,
203                      size_t slen, size_t key_len, size_t iv_len,
204                      mbedtls_ssl_key_set *keys )
205 {
206     int ret = 0;
207 
208     ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
209                     client_secret, slen,
210                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
211                     NULL, 0,
212                     keys->client_write_key, key_len );
213     if( ret != 0 )
214         return( ret );
215 
216     ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
217                     server_secret, slen,
218                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
219                     NULL, 0,
220                     keys->server_write_key, key_len );
221     if( ret != 0 )
222         return( ret );
223 
224     ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
225                     client_secret, slen,
226                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
227                     NULL, 0,
228                     keys->client_write_iv, iv_len );
229     if( ret != 0 )
230         return( ret );
231 
232     ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
233                     server_secret, slen,
234                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
235                     NULL, 0,
236                     keys->server_write_iv, iv_len );
237     if( ret != 0 )
238         return( ret );
239 
240     keys->key_len = key_len;
241     keys->iv_len = iv_len;
242 
243     return( 0 );
244 }
245 
mbedtls_ssl_tls1_3_derive_secret(mbedtls_md_type_t hash_alg,const unsigned char * secret,size_t slen,const unsigned char * label,size_t llen,const unsigned char * ctx,size_t clen,int ctx_hashed,unsigned char * dstbuf,size_t buflen)246 int mbedtls_ssl_tls1_3_derive_secret(
247                    mbedtls_md_type_t hash_alg,
248                    const unsigned char *secret, size_t slen,
249                    const unsigned char *label, size_t llen,
250                    const unsigned char *ctx, size_t clen,
251                    int ctx_hashed,
252                    unsigned char *dstbuf, size_t buflen )
253 {
254     int ret;
255     unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
256 
257     const mbedtls_md_info_t *md;
258     md = mbedtls_md_info_from_type( hash_alg );
259     if( md == NULL )
260         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
261 
262     if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
263     {
264         ret = mbedtls_md( md, ctx, clen, hashed_context );
265         if( ret != 0 )
266             return( ret );
267         clen = mbedtls_md_get_size( md );
268     }
269     else
270     {
271         if( clen > sizeof(hashed_context) )
272         {
273             /* This should never happen since this function is internal
274              * and the code sets `ctx_hashed` correctly.
275              * Let's double-check nonetheless to not run at the risk
276              * of getting a stack overflow. */
277             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
278         }
279 
280         memcpy( hashed_context, ctx, clen );
281     }
282 
283     return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
284                                                   secret, slen,
285                                                   label, llen,
286                                                   hashed_context, clen,
287                                                   dstbuf, buflen ) );
288 }
289 
mbedtls_ssl_tls1_3_evolve_secret(mbedtls_md_type_t hash_alg,const unsigned char * secret_old,const unsigned char * input,size_t input_len,unsigned char * secret_new)290 int mbedtls_ssl_tls1_3_evolve_secret(
291                    mbedtls_md_type_t hash_alg,
292                    const unsigned char *secret_old,
293                    const unsigned char *input, size_t input_len,
294                    unsigned char *secret_new )
295 {
296     int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
297     size_t hlen, ilen;
298     unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
299     unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
300 
301     const mbedtls_md_info_t *md;
302     md = mbedtls_md_info_from_type( hash_alg );
303     if( md == NULL )
304         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
305 
306     hlen = mbedtls_md_get_size( md );
307 
308     /* For non-initial runs, call Derive-Secret( ., "derived", "")
309      * on the old secret. */
310     if( secret_old != NULL )
311     {
312         ret = mbedtls_ssl_tls1_3_derive_secret(
313                    hash_alg,
314                    secret_old, hlen,
315                    MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
316                    NULL, 0, /* context */
317                    MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
318                    tmp_secret, hlen );
319         if( ret != 0 )
320             goto cleanup;
321     }
322 
323     if( input != NULL )
324     {
325         memcpy( tmp_input, input, input_len );
326         ilen = input_len;
327     }
328     else
329     {
330         ilen = hlen;
331     }
332 
333     /* HKDF-Extract takes a salt and input key material.
334      * The salt is the old secret, and the input key material
335      * is the input secret (PSK / ECDHE). */
336     ret = mbedtls_hkdf_extract( md,
337                     tmp_secret, hlen,
338                     tmp_input, ilen,
339                     secret_new );
340     if( ret != 0 )
341         goto cleanup;
342 
343     ret = 0;
344 
345  cleanup:
346 
347     mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
348     mbedtls_platform_zeroize( tmp_input,  sizeof(tmp_input)  );
349     return( ret );
350 }
351 
mbedtls_ssl_tls1_3_derive_early_secrets(mbedtls_md_type_t md_type,unsigned char const * early_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls1_3_early_secrets * derived)352 int mbedtls_ssl_tls1_3_derive_early_secrets(
353           mbedtls_md_type_t md_type,
354           unsigned char const *early_secret,
355           unsigned char const *transcript, size_t transcript_len,
356           mbedtls_ssl_tls1_3_early_secrets *derived )
357 {
358     int ret;
359     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
360     size_t const md_size = mbedtls_md_get_size( md_info );
361 
362     /* We should never call this function with an unknown hash,
363      * but add an assertion anyway. */
364     if( md_info == 0 )
365         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
366 
367     /*
368      *            0
369      *            |
370      *            v
371      *  PSK ->  HKDF-Extract = Early Secret
372      *            |
373      *            +-----> Derive-Secret(., "c e traffic", ClientHello)
374      *            |                     = client_early_traffic_secret
375      *            |
376      *            +-----> Derive-Secret(., "e exp master", ClientHello)
377      *            |                     = early_exporter_master_secret
378      *            v
379      */
380 
381     /* Create client_early_traffic_secret */
382     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
383                          early_secret, md_size,
384                          MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
385                          transcript, transcript_len,
386                          MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
387                          derived->client_early_traffic_secret,
388                          md_size );
389     if( ret != 0 )
390         return( ret );
391 
392     /* Create early exporter */
393     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
394                          early_secret, md_size,
395                          MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
396                          transcript, transcript_len,
397                          MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
398                          derived->early_exporter_master_secret,
399                          md_size );
400     if( ret != 0 )
401         return( ret );
402 
403     return( 0 );
404 }
405 
mbedtls_ssl_tls1_3_derive_handshake_secrets(mbedtls_md_type_t md_type,unsigned char const * handshake_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls1_3_handshake_secrets * derived)406 int mbedtls_ssl_tls1_3_derive_handshake_secrets(
407           mbedtls_md_type_t md_type,
408           unsigned char const *handshake_secret,
409           unsigned char const *transcript, size_t transcript_len,
410           mbedtls_ssl_tls1_3_handshake_secrets *derived )
411 {
412     int ret;
413     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
414     size_t const md_size = mbedtls_md_get_size( md_info );
415 
416     /* We should never call this function with an unknown hash,
417      * but add an assertion anyway. */
418     if( md_info == 0 )
419         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
420 
421     /*
422      *
423      * Handshake Secret
424      * |
425      * +-----> Derive-Secret( ., "c hs traffic",
426      * |                     ClientHello...ServerHello )
427      * |                     = client_handshake_traffic_secret
428      * |
429      * +-----> Derive-Secret( ., "s hs traffic",
430      * |                     ClientHello...ServerHello )
431      * |                     = server_handshake_traffic_secret
432      *
433      */
434 
435     /*
436      * Compute client_handshake_traffic_secret with
437      * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
438      */
439 
440     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
441              handshake_secret, md_size,
442              MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
443              transcript, transcript_len,
444              MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
445              derived->client_handshake_traffic_secret,
446              md_size );
447     if( ret != 0 )
448         return( ret );
449 
450     /*
451      * Compute server_handshake_traffic_secret with
452      * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
453      */
454 
455     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
456              handshake_secret, md_size,
457              MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
458              transcript, transcript_len,
459              MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
460              derived->server_handshake_traffic_secret,
461              md_size );
462     if( ret != 0 )
463         return( ret );
464 
465     return( 0 );
466 }
467 
mbedtls_ssl_tls1_3_derive_application_secrets(mbedtls_md_type_t md_type,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls1_3_application_secrets * derived)468 int mbedtls_ssl_tls1_3_derive_application_secrets(
469           mbedtls_md_type_t md_type,
470           unsigned char const *application_secret,
471           unsigned char const *transcript, size_t transcript_len,
472           mbedtls_ssl_tls1_3_application_secrets *derived )
473 {
474     int ret;
475     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
476     size_t const md_size = mbedtls_md_get_size( md_info );
477 
478     /* We should never call this function with an unknown hash,
479      * but add an assertion anyway. */
480     if( md_info == 0 )
481         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
482 
483     /* Generate {client,server}_application_traffic_secret_0
484      *
485      * Master Secret
486      * |
487      * +-----> Derive-Secret( ., "c ap traffic",
488      * |                      ClientHello...server Finished )
489      * |                      = client_application_traffic_secret_0
490      * |
491      * +-----> Derive-Secret( ., "s ap traffic",
492      * |                      ClientHello...Server Finished )
493      * |                      = server_application_traffic_secret_0
494      * |
495      * +-----> Derive-Secret( ., "exp master",
496      * |                      ClientHello...server Finished)
497      * |                      = exporter_master_secret
498      *
499      */
500 
501     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
502               application_secret, md_size,
503               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
504               transcript, transcript_len,
505               MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
506               derived->client_application_traffic_secret_N,
507               md_size );
508     if( ret != 0 )
509         return( ret );
510 
511     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
512               application_secret, md_size,
513               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
514               transcript, transcript_len,
515               MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
516               derived->server_application_traffic_secret_N,
517               md_size );
518     if( ret != 0 )
519         return( ret );
520 
521     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
522               application_secret, md_size,
523               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
524               transcript, transcript_len,
525               MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
526               derived->exporter_master_secret,
527               md_size );
528     if( ret != 0 )
529         return( ret );
530 
531     return( 0 );
532 }
533 
534 /* Generate resumption_master_secret for use with the ticket exchange.
535  *
536  * This is not integrated with mbedtls_ssl_tls1_3_derive_application_secrets()
537  * because it uses the transcript hash up to and including ClientFinished. */
mbedtls_ssl_tls1_3_derive_resumption_master_secret(mbedtls_md_type_t md_type,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls1_3_application_secrets * derived)538 int mbedtls_ssl_tls1_3_derive_resumption_master_secret(
539           mbedtls_md_type_t md_type,
540           unsigned char const *application_secret,
541           unsigned char const *transcript, size_t transcript_len,
542           mbedtls_ssl_tls1_3_application_secrets *derived )
543 {
544     int ret;
545     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
546     size_t const md_size = mbedtls_md_get_size( md_info );
547 
548     /* We should never call this function with an unknown hash,
549      * but add an assertion anyway. */
550     if( md_info == 0 )
551         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552 
553     ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
554               application_secret, md_size,
555               MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
556               transcript, transcript_len,
557               MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
558               derived->resumption_master_secret,
559               md_size );
560 
561     if( ret != 0 )
562         return( ret );
563 
564     return( 0 );
565 }
566 
mbedtls_ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context * ssl)567 int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
568 {
569     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
570     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
571     mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
572 #if defined(MBEDTLS_DEBUG_C)
573     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
574     size_t const md_size = mbedtls_md_get_size( md_info );
575 #endif /* MBEDTLS_DEBUG_C */
576 
577     /*
578      * Compute MasterSecret
579      */
580     ret = mbedtls_ssl_tls1_3_evolve_secret( md_type,
581                     handshake->tls1_3_master_secrets.handshake,
582                     NULL, 0,
583                     handshake->tls1_3_master_secrets.app );
584     if( ret != 0 )
585     {
586         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret );
587         return( ret );
588     }
589 
590     MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret",
591              handshake->tls1_3_master_secrets.app, md_size );
592 
593     return( 0 );
594 }
595 
ssl_tls1_3_calc_finished_core(mbedtls_md_type_t md_type,unsigned char const * base_key,unsigned char const * transcript,unsigned char * dst)596 static int ssl_tls1_3_calc_finished_core( mbedtls_md_type_t md_type,
597                                           unsigned char const *base_key,
598                                           unsigned char const *transcript,
599                                           unsigned char *dst )
600 {
601     const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type );
602     size_t const md_size = mbedtls_md_get_size( md_info );
603     unsigned char finished_key[MBEDTLS_MD_MAX_SIZE];
604     int ret;
605 
606     /* We should never call this function with an unknown hash,
607      * but add an assertion anyway. */
608     if( md_info == 0 )
609         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
610 
611     /* TLS 1.3 Finished message
612      *
613      * struct {
614      *     opaque verify_data[Hash.length];
615      * } Finished;
616      *
617      * verify_data =
618      *     HMAC( finished_key,
619      *            Hash( Handshake Context +
620      *                  Certificate*      +
621      *                  CertificateVerify* )
622      *    )
623      *
624      * finished_key =
625      *    HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
626      */
627 
628     ret = mbedtls_ssl_tls1_3_hkdf_expand_label(
629                                  md_type, base_key, md_size,
630                                  MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ),
631                                  NULL, 0,
632                                  finished_key, md_size );
633     if( ret != 0 )
634         goto exit;
635 
636     ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst );
637     if( ret != 0 )
638         goto exit;
639 
640 exit:
641 
642     mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) );
643     return( ret );
644 }
645 
mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * actual_len,int from)646 int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
647                                              unsigned char* dst,
648                                              size_t dst_len,
649                                              size_t *actual_len,
650                                              int from )
651 {
652     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653 
654     unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
655     size_t transcript_len;
656 
657     unsigned char const *base_key = NULL;
658 
659     mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
660     const mbedtls_md_info_t* const md = mbedtls_md_info_from_type( md_type );
661     size_t const md_size = mbedtls_md_get_size( md );
662 
663     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) );
664 
665     if( dst_len < md_size )
666         return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
667 
668     ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
669                                                 transcript, sizeof( transcript ),
670                                                 &transcript_len );
671     if( ret != 0 )
672     {
673         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret );
674         goto exit;
675     }
676     MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
677 
678     if( from == MBEDTLS_SSL_IS_CLIENT )
679         base_key = ssl->handshake->tls13_hs_secrets.client_handshake_traffic_secret;
680     else
681         base_key = ssl->handshake->tls13_hs_secrets.server_handshake_traffic_secret;
682 
683     ret = ssl_tls1_3_calc_finished_core( md_type, base_key, transcript, dst );
684     if( ret != 0 )
685         goto exit;
686     *actual_len = md_size;
687 
688     MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size );
689     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
690 
691 exit:
692 
693     mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
694     return( ret );
695 }
696 
mbedtls_ssl_tls1_3_create_psk_binder(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md_type,unsigned char const * psk,size_t psk_len,int psk_type,unsigned char const * transcript,unsigned char * result)697 int mbedtls_ssl_tls1_3_create_psk_binder( mbedtls_ssl_context *ssl,
698                                const mbedtls_md_type_t md_type,
699                                unsigned char const *psk, size_t psk_len,
700                                int psk_type,
701                                unsigned char const *transcript,
702                                unsigned char *result )
703 {
704     int ret = 0;
705     unsigned char binder_key[MBEDTLS_MD_MAX_SIZE];
706     unsigned char early_secret[MBEDTLS_MD_MAX_SIZE];
707     mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type );
708     size_t const md_size = mbedtls_md_get_size( md_info );
709 
710 #if !defined(MBEDTLS_DEBUG_C)
711     ssl = NULL; /* make sure we don't use it except for debug */
712     ((void) ssl);
713 #endif
714 
715     /* We should never call this function with an unknown hash,
716      * but add an assertion anyway. */
717     if( md_info == 0 )
718         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
719 
720     /*
721      *            0
722      *            |
723      *            v
724      *  PSK ->  HKDF-Extract = Early Secret
725      *            |
726      *            +-----> Derive-Secret(., "ext binder" | "res binder", "")
727      *            |                     = binder_key
728      *            v
729      */
730 
731     ret = mbedtls_ssl_tls1_3_evolve_secret( md_type,
732                                             NULL,          /* Old secret */
733                                             psk, psk_len,  /* Input      */
734                                             early_secret );
735     if( ret != 0 )
736     {
737         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret );
738         goto exit;
739     }
740 
741     if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
742     {
743         ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
744                             early_secret, md_size,
745                             MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ),
746                             NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
747                             binder_key, md_size );
748         MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) );
749     }
750     else
751     {
752         ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
753                             early_secret, md_size,
754                             MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ),
755                             NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
756                             binder_key, md_size );
757         MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) );
758     }
759 
760     if( ret != 0 )
761     {
762         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_secret", ret );
763         goto exit;
764     }
765 
766     /*
767      * The binding_value is computed in the same way as the Finished message
768      * but with the BaseKey being the binder_key.
769      */
770 
771     ret = ssl_tls1_3_calc_finished_core( md_type, binder_key, transcript, result );
772     if( ret != 0 )
773         goto exit;
774 
775     MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size );
776 
777 exit:
778 
779     mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) );
780     mbedtls_platform_zeroize( binder_key,   sizeof( binder_key ) );
781     return( ret );
782 }
783 
mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform * transform,int endpoint,int ciphersuite,mbedtls_ssl_key_set const * traffic_keys,mbedtls_ssl_context * ssl)784 int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
785                                           int endpoint,
786                                           int ciphersuite,
787                                           mbedtls_ssl_key_set const *traffic_keys,
788                                           mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
789 {
790     int ret;
791     mbedtls_cipher_info_t const *cipher_info;
792     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
793     unsigned char const *key_enc;
794     unsigned char const *iv_enc;
795     unsigned char const *key_dec;
796     unsigned char const *iv_dec;
797 
798 #if !defined(MBEDTLS_DEBUG_C)
799     ssl = NULL; /* make sure we don't use it except for those cases */
800     (void) ssl;
801 #endif
802 
803     ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
804     if( ciphersuite_info == NULL )
805     {
806         MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
807                                     ciphersuite ) );
808         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
809     }
810 
811     cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
812     if( cipher_info == NULL )
813     {
814         MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
815                                     ciphersuite_info->cipher ) );
816         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
817     }
818 
819     /*
820      * Setup cipher contexts in target transform
821      */
822 
823     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
824                                       cipher_info ) ) != 0 )
825     {
826         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
827         return( ret );
828     }
829 
830     if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
831                                       cipher_info ) ) != 0 )
832     {
833         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
834         return( ret );
835     }
836 
837 #if defined(MBEDTLS_SSL_SRV_C)
838     if( endpoint == MBEDTLS_SSL_IS_SERVER )
839     {
840         key_enc = traffic_keys->server_write_key;
841         key_dec = traffic_keys->client_write_key;
842         iv_enc = traffic_keys->server_write_iv;
843         iv_dec = traffic_keys->client_write_iv;
844     }
845     else
846 #endif /* MBEDTLS_SSL_SRV_C */
847 #if defined(MBEDTLS_SSL_CLI_C)
848     if( endpoint == MBEDTLS_SSL_IS_CLIENT )
849     {
850         key_enc = traffic_keys->client_write_key;
851         key_dec = traffic_keys->server_write_key;
852         iv_enc = traffic_keys->client_write_iv;
853         iv_dec = traffic_keys->server_write_iv;
854     }
855     else
856 #endif /* MBEDTLS_SSL_CLI_C */
857     {
858         /* should not happen */
859         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
860     }
861 
862     memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
863     memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
864 
865     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
866                                        key_enc, cipher_info->key_bitlen,
867                                        MBEDTLS_ENCRYPT ) ) != 0 )
868     {
869         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
870         return( ret );
871     }
872 
873     if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
874                                        key_dec, cipher_info->key_bitlen,
875                                        MBEDTLS_DECRYPT ) ) != 0 )
876     {
877         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
878         return( ret );
879     }
880 
881     /*
882      * Setup other fields in SSL transform
883      */
884 
885     if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
886         transform->taglen  = 8;
887     else
888         transform->taglen  = 16;
889 
890     transform->ivlen       = traffic_keys->iv_len;
891     transform->maclen      = 0;
892     transform->fixed_ivlen = transform->ivlen;
893     transform->minor_ver   = MBEDTLS_SSL_MINOR_VERSION_4;
894 
895     /* We add the true record content type (1 Byte) to the plaintext and
896      * then pad to the configured granularity. The mimimum length of the
897      * type-extended and padded plaintext is therefore the padding
898      * granularity. */
899     transform->minlen =
900         transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
901 
902     return( 0 );
903 }
904 
mbedtls_ssl_tls1_3_key_schedule_stage_early(mbedtls_ssl_context * ssl)905 int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl )
906 {
907     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
908     mbedtls_md_type_t md_type;
909     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
910 
911     if( handshake->ciphersuite_info == NULL )
912     {
913         MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) );
914         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
915     }
916 
917     md_type = handshake->ciphersuite_info->mac;
918 
919     ret = mbedtls_ssl_tls1_3_evolve_secret( md_type, NULL, NULL, 0,
920                                             handshake->tls1_3_master_secrets.early );
921     if( ret != 0 )
922     {
923         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret );
924         return( ret );
925     }
926 
927     return( 0 );
928 }
929 
930 /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
931  * protecting the handshake messages, as described in Section 7 of TLS 1.3. */
mbedtls_ssl_tls13_generate_handshake_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)932 int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
933                                                mbedtls_ssl_key_set *traffic_keys )
934 {
935     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
936 
937     mbedtls_md_type_t md_type;
938     mbedtls_md_info_t const *md_info;
939     size_t md_size;
940 
941     unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
942     size_t transcript_len;
943 
944     mbedtls_cipher_info_t const *cipher_info;
945     size_t keylen, ivlen;
946 
947     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
948     const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
949     mbedtls_ssl_tls1_3_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets;
950 
951     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
952 
953     cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
954     keylen = cipher_info->key_bitlen >> 3;
955     ivlen = cipher_info->iv_size;
956 
957     md_type = ciphersuite_info->mac;
958     md_info = mbedtls_md_info_from_type( md_type );
959     md_size = mbedtls_md_get_size( md_info );
960 
961     ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
962                                                 transcript,
963                                                 sizeof( transcript ),
964                                                 &transcript_len );
965     if( ret != 0 )
966     {
967         MBEDTLS_SSL_DEBUG_RET( 1,
968                                "mbedtls_ssl_get_handshake_transcript",
969                                ret );
970         return( ret );
971     }
972 
973     ret = mbedtls_ssl_tls1_3_derive_handshake_secrets( md_type,
974                                     handshake->tls1_3_master_secrets.handshake,
975                                     transcript, transcript_len, tls13_hs_secrets );
976     if( ret != 0 )
977     {
978         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_handshake_secrets",
979                                ret );
980         return( ret );
981     }
982 
983     MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret",
984                     tls13_hs_secrets->client_handshake_traffic_secret,
985                     md_size );
986     MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret",
987                     tls13_hs_secrets->server_handshake_traffic_secret,
988                     md_size );
989 
990     /*
991      * Export client handshake traffic secret
992      */
993     if( ssl->f_export_keys != NULL )
994     {
995         ssl->f_export_keys( ssl->p_export_keys,
996                 MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
997                 tls13_hs_secrets->client_handshake_traffic_secret,
998                 md_size,
999                 handshake->randbytes + 32,
1000                 handshake->randbytes,
1001                 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1002 
1003         ssl->f_export_keys( ssl->p_export_keys,
1004                 MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET,
1005                 tls13_hs_secrets->server_handshake_traffic_secret,
1006                 md_size,
1007                 handshake->randbytes + 32,
1008                 handshake->randbytes,
1009                 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1010     }
1011 
1012     ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type,
1013                             tls13_hs_secrets->client_handshake_traffic_secret,
1014                             tls13_hs_secrets->server_handshake_traffic_secret,
1015                             md_size, keylen, ivlen, traffic_keys );
1016     if( ret != 0 )
1017     {
1018         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret );
1019         goto exit;
1020     }
1021 
1022     MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key",
1023                            traffic_keys->client_write_key,
1024                            traffic_keys->key_len);
1025 
1026     MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key",
1027                            traffic_keys->server_write_key,
1028                            traffic_keys->key_len);
1029 
1030     MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv",
1031                            traffic_keys->client_write_iv,
1032                            traffic_keys->iv_len);
1033 
1034     MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv",
1035                            traffic_keys->server_write_iv,
1036                            traffic_keys->iv_len);
1037 
1038     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) );
1039 
1040 exit:
1041 
1042     return( ret );
1043 }
1044 
mbedtls_ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context * ssl)1045 int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
1046 {
1047     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1048     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1049     mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
1050     size_t ephemeral_len = 0;
1051     unsigned char ecdhe[MBEDTLS_ECP_MAX_BYTES];
1052 #if defined(MBEDTLS_DEBUG_C)
1053     mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
1054     size_t const md_size = mbedtls_md_get_size( md_info );
1055 #endif /* MBEDTLS_DEBUG_C */
1056 
1057 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1058     /*
1059      * Compute ECDHE secret used to compute the handshake secret from which
1060      * client_handshake_traffic_secret and server_handshake_traffic_secret
1061      * are derived in the handshake secret derivation stage.
1062      */
1063     if( mbedtls_ssl_tls1_3_ephemeral_enabled( ssl ) )
1064     {
1065         if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
1066         {
1067 #if defined(MBEDTLS_ECDH_C)
1068             ret = mbedtls_ecdh_calc_secret( &handshake->ecdh_ctx,
1069                                             &ephemeral_len, ecdhe, sizeof( ecdhe ),
1070                                             ssl->conf->f_rng,
1071                                             ssl->conf->p_rng );
1072             if( ret != 0 )
1073             {
1074                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1075                 return( ret );
1076             }
1077 #endif /* MBEDTLS_ECDH_C */
1078         }
1079         else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) )
1080         {
1081             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) );
1082             return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1083         }
1084     }
1085 #else
1086     return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1087 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1088 
1089     /*
1090      * Compute the Handshake Secret
1091      */
1092     ret = mbedtls_ssl_tls1_3_evolve_secret( md_type,
1093                                             handshake->tls1_3_master_secrets.early,
1094                                             ecdhe, ephemeral_len,
1095                                             handshake->tls1_3_master_secrets.handshake );
1096     if( ret != 0 )
1097     {
1098         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_evolve_secret", ret );
1099         return( ret );
1100     }
1101 
1102     MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
1103                            handshake->tls1_3_master_secrets.handshake, md_size );
1104 
1105 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1106     mbedtls_platform_zeroize( ecdhe, sizeof( ecdhe ) );
1107 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1108     return( 0 );
1109 }
1110 
1111 /* Generate application traffic keys since any records following a 1-RTT Finished message
1112  * MUST be encrypted under the application traffic key.
1113  */
mbedtls_ssl_tls13_generate_application_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)1114 int mbedtls_ssl_tls13_generate_application_keys(
1115                                         mbedtls_ssl_context *ssl,
1116                                         mbedtls_ssl_key_set *traffic_keys )
1117 {
1118     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1119     mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1120 
1121     /* Address at which to store the application secrets */
1122     mbedtls_ssl_tls1_3_application_secrets * const app_secrets =
1123         &ssl->session_negotiate->app_secrets;
1124 
1125     /* Holding the transcript up to and including the ServerFinished */
1126     unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1127     size_t transcript_len;
1128 
1129     /* Variables relating to the hash for the chosen ciphersuite. */
1130     mbedtls_md_type_t md_type;
1131     mbedtls_md_info_t const *md_info;
1132     size_t md_size;
1133 
1134     /* Variables relating to the cipher for the chosen ciphersuite. */
1135     mbedtls_cipher_info_t const *cipher_info;
1136     size_t keylen, ivlen;
1137 
1138     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) );
1139 
1140     /* Extract basic information about hash and ciphersuite */
1141 
1142     cipher_info = mbedtls_cipher_info_from_type(
1143                                   handshake->ciphersuite_info->cipher );
1144     keylen = cipher_info->key_bitlen / 8;
1145     ivlen = cipher_info->iv_size;
1146 
1147     md_type = handshake->ciphersuite_info->mac;
1148     md_info = mbedtls_md_info_from_type( md_type );
1149     md_size = mbedtls_md_get_size( md_info );
1150 
1151     /* Compute current handshake transcript. It's the caller's responsiblity
1152      * to call this at the right time, that is, after the ServerFinished. */
1153 
1154     ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
1155                                       transcript, sizeof( transcript ),
1156                                       &transcript_len );
1157     if( ret != 0 )
1158         goto cleanup;
1159 
1160     /* Compute application secrets from master secret and transcript hash. */
1161 
1162     ret = mbedtls_ssl_tls1_3_derive_application_secrets( md_type,
1163                                    handshake->tls1_3_master_secrets.app,
1164                                    transcript, transcript_len,
1165                                    app_secrets );
1166     if( ret != 0 )
1167     {
1168         MBEDTLS_SSL_DEBUG_RET( 1,
1169                      "mbedtls_ssl_tls1_3_derive_application_secrets", ret );
1170         goto cleanup;
1171     }
1172 
1173     /* Derive first epoch of IV + Key for application traffic. */
1174 
1175     ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type,
1176                              app_secrets->client_application_traffic_secret_N,
1177                              app_secrets->server_application_traffic_secret_N,
1178                              md_size, keylen, ivlen, traffic_keys );
1179     if( ret != 0 )
1180     {
1181         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret );
1182         goto cleanup;
1183     }
1184 
1185     MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret",
1186                            app_secrets->client_application_traffic_secret_N,
1187                            md_size );
1188 
1189     MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret",
1190                            app_secrets->server_application_traffic_secret_N,
1191                            md_size );
1192 
1193     /*
1194      * Export client/server application traffic secret 0
1195      */
1196     if( ssl->f_export_keys != NULL )
1197     {
1198         ssl->f_export_keys( ssl->p_export_keys,
1199                 MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_APPLICATION_TRAFFIC_SECRET,
1200                 app_secrets->client_application_traffic_secret_N, md_size,
1201                 handshake->randbytes + 32,
1202                 handshake->randbytes,
1203                 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1204                                             a new constant for TLS 1.3! */ );
1205 
1206         ssl->f_export_keys( ssl->p_export_keys,
1207                 MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_APPLICATION_TRAFFIC_SECRET,
1208                 app_secrets->server_application_traffic_secret_N, md_size,
1209                 handshake->randbytes + 32,
1210                 handshake->randbytes,
1211                 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1212                                             a new constant for TLS 1.3! */ );
1213     }
1214 
1215     MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:",
1216                               traffic_keys->client_write_key, keylen );
1217     MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key",
1218                               traffic_keys->server_write_key, keylen );
1219     MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV",
1220                               traffic_keys->client_write_iv, ivlen );
1221     MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV",
1222                               traffic_keys->server_write_iv, ivlen );
1223 
1224     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) );
1225 
1226  cleanup:
1227 
1228     mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
1229     return( ret );
1230 }
1231 
1232 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1233