1 /*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
20 #include "common.h"
21
22 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
23
24 #include <stdint.h>
25 #include <string.h>
26
27 #include "mbedtls/hkdf.h"
28 #include "mbedtls/debug.h"
29 #include "mbedtls/error.h"
30
31 #include "ssl_misc.h"
32 #include "ssl_tls13_keys.h"
33
34 #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
35 .name = string,
36
37 struct mbedtls_ssl_tls13_labels_struct const mbedtls_ssl_tls13_labels =
38 {
39 /* This seems to work in C, despite the string literal being one
40 * character too long due to the 0-termination. */
41 MBEDTLS_SSL_TLS1_3_LABEL_LIST
42 };
43
44 #undef MBEDTLS_SSL_TLS1_3_LABEL
45
46 /*
47 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
48 *
49 * The HkdfLabel is specified in RFC 8446 as follows:
50 *
51 * struct HkdfLabel {
52 * uint16 length; // Length of expanded key material
53 * opaque label<7..255>; // Always prefixed by "tls13 "
54 * opaque context<0..255>; // Usually a communication transcript hash
55 * };
56 *
57 * Parameters:
58 * - desired_length: Length of expanded key material
59 * Even though the standard allows expansion to up to
60 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
61 * 255 Bytes, so we require `desired_length` to be at most
62 * 255. This allows us to save a few Bytes of code by
63 * hardcoding the writing of the high bytes.
64 * - (label, label_len): label + label length, without "tls13 " prefix
65 * The label length MUST be less than or equal to
66 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
67 * It is the caller's responsibility to ensure this.
68 * All (label, label length) pairs used in TLS 1.3
69 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
70 * - (ctx, ctx_len): context + context length
71 * The context length MUST be less than or equal to
72 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
73 * It is the caller's responsibility to ensure this.
74 * - dst: Target buffer for HkdfLabel structure,
75 * This MUST be a writable buffer of size
76 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
77 * - dst_len: Pointer at which to store the actual length of
78 * the HkdfLabel structure on success.
79 */
80
81 static const char tls13_label_prefix[6] = "tls13 ";
82
83 #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
84 ( 2 /* expansion length */ \
85 + 1 /* label length */ \
86 + label_len \
87 + 1 /* context length */ \
88 + context_len )
89
90 #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
91 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
92 sizeof(tls13_label_prefix) + \
93 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
94 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
95
ssl_tls13_hkdf_encode_label(size_t desired_length,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,unsigned char * dst,size_t * dst_len)96 static void ssl_tls13_hkdf_encode_label(
97 size_t desired_length,
98 const unsigned char *label, size_t label_len,
99 const unsigned char *ctx, size_t ctx_len,
100 unsigned char *dst, size_t *dst_len )
101 {
102 size_t total_label_len =
103 sizeof(tls13_label_prefix) + label_len;
104 size_t total_hkdf_lbl_len =
105 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, ctx_len );
106
107 unsigned char *p = dst;
108
109 /* Add the size of the expanded key material.
110 * We're hardcoding the high byte to 0 here assuming that we never use
111 * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
112 #if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
113 #error "The implementation of ssl_tls13_hkdf_encode_label() is not fit for the \
114 value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
115 #endif
116
117 *p++ = 0;
118 *p++ = MBEDTLS_BYTE_0( desired_length );
119
120 /* Add label incl. prefix */
121 *p++ = MBEDTLS_BYTE_0( total_label_len );
122 memcpy( p, tls13_label_prefix, sizeof(tls13_label_prefix) );
123 p += sizeof(tls13_label_prefix);
124 memcpy( p, label, label_len );
125 p += label_len;
126
127 /* Add context value */
128 *p++ = MBEDTLS_BYTE_0( ctx_len );
129 if( ctx_len != 0 )
130 memcpy( p, ctx, ctx_len );
131
132 /* Return total length to the caller. */
133 *dst_len = total_hkdf_lbl_len;
134 }
135
mbedtls_ssl_tls13_hkdf_expand_label(mbedtls_md_type_t hash_alg,const unsigned char * secret,size_t secret_len,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,unsigned char * buf,size_t buf_len)136 int mbedtls_ssl_tls13_hkdf_expand_label(
137 mbedtls_md_type_t hash_alg,
138 const unsigned char *secret, size_t secret_len,
139 const unsigned char *label, size_t label_len,
140 const unsigned char *ctx, size_t ctx_len,
141 unsigned char *buf, size_t buf_len )
142 {
143 const mbedtls_md_info_t *md_info;
144 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
145 size_t hkdf_label_len;
146
147 if( label_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
148 {
149 /* Should never happen since this is an internal
150 * function, and we know statically which labels
151 * are allowed. */
152 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
153 }
154
155 if( ctx_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
156 {
157 /* Should not happen, as above. */
158 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
159 }
160
161 if( buf_len > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
162 {
163 /* Should not happen, as above. */
164 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
165 }
166
167 md_info = mbedtls_md_info_from_type( hash_alg );
168 if( md_info == NULL )
169 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
170
171 ssl_tls13_hkdf_encode_label( buf_len,
172 label, label_len,
173 ctx, ctx_len,
174 hkdf_label,
175 &hkdf_label_len );
176
177 return( mbedtls_hkdf_expand( md_info,
178 secret, secret_len,
179 hkdf_label, hkdf_label_len,
180 buf, buf_len ) );
181 }
182
183 /*
184 * The traffic keying material is generated from the following inputs:
185 *
186 * - One secret value per sender.
187 * - A purpose value indicating the specific value being generated
188 * - The desired lengths of key and IV.
189 *
190 * The expansion itself is based on HKDF:
191 *
192 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
193 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
194 *
195 * [sender] denotes the sending side and the Secret value is provided
196 * by the function caller. Note that we generate server and client side
197 * keys in a single function call.
198 */
mbedtls_ssl_tls13_make_traffic_keys(mbedtls_md_type_t hash_alg,const unsigned char * client_secret,const unsigned char * server_secret,size_t secret_len,size_t key_len,size_t iv_len,mbedtls_ssl_key_set * keys)199 int mbedtls_ssl_tls13_make_traffic_keys(
200 mbedtls_md_type_t hash_alg,
201 const unsigned char *client_secret,
202 const unsigned char *server_secret, size_t secret_len,
203 size_t key_len, size_t iv_len,
204 mbedtls_ssl_key_set *keys )
205 {
206 int ret = 0;
207
208 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
209 client_secret, secret_len,
210 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
211 NULL, 0,
212 keys->client_write_key, key_len );
213 if( ret != 0 )
214 return( ret );
215
216 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
217 server_secret, secret_len,
218 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
219 NULL, 0,
220 keys->server_write_key, key_len );
221 if( ret != 0 )
222 return( ret );
223
224 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
225 client_secret, secret_len,
226 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
227 NULL, 0,
228 keys->client_write_iv, iv_len );
229 if( ret != 0 )
230 return( ret );
231
232 ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
233 server_secret, secret_len,
234 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
235 NULL, 0,
236 keys->server_write_iv, iv_len );
237 if( ret != 0 )
238 return( ret );
239
240 keys->key_len = key_len;
241 keys->iv_len = iv_len;
242
243 return( 0 );
244 }
245
mbedtls_ssl_tls13_derive_secret(mbedtls_md_type_t hash_alg,const unsigned char * secret,size_t secret_len,const unsigned char * label,size_t label_len,const unsigned char * ctx,size_t ctx_len,int ctx_hashed,unsigned char * dstbuf,size_t dstbuf_len)246 int mbedtls_ssl_tls13_derive_secret(
247 mbedtls_md_type_t hash_alg,
248 const unsigned char *secret, size_t secret_len,
249 const unsigned char *label, size_t label_len,
250 const unsigned char *ctx, size_t ctx_len,
251 int ctx_hashed,
252 unsigned char *dstbuf, size_t dstbuf_len )
253 {
254 int ret;
255 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
256
257 const mbedtls_md_info_t *md_info;
258 md_info = mbedtls_md_info_from_type( hash_alg );
259 if( md_info == NULL )
260 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
261
262 if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
263 {
264 ret = mbedtls_md( md_info, ctx, ctx_len, hashed_context );
265 if( ret != 0 )
266 return( ret );
267 ctx_len = mbedtls_md_get_size( md_info );
268 }
269 else
270 {
271 if( ctx_len > sizeof(hashed_context) )
272 {
273 /* This should never happen since this function is internal
274 * and the code sets `ctx_hashed` correctly.
275 * Let's double-check nonetheless to not run at the risk
276 * of getting a stack overflow. */
277 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
278 }
279
280 memcpy( hashed_context, ctx, ctx_len );
281 }
282
283 return( mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
284 secret, secret_len,
285 label, label_len,
286 hashed_context, ctx_len,
287 dstbuf, dstbuf_len ) );
288 }
289
mbedtls_ssl_tls13_evolve_secret(mbedtls_md_type_t hash_alg,const unsigned char * secret_old,const unsigned char * input,size_t input_len,unsigned char * secret_new)290 int mbedtls_ssl_tls13_evolve_secret(
291 mbedtls_md_type_t hash_alg,
292 const unsigned char *secret_old,
293 const unsigned char *input, size_t input_len,
294 unsigned char *secret_new )
295 {
296 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
297 size_t hlen, ilen;
298 unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
299 unsigned char tmp_input [ MBEDTLS_ECP_MAX_BYTES ] = { 0 };
300
301 const mbedtls_md_info_t *md_info;
302 md_info = mbedtls_md_info_from_type( hash_alg );
303 if( md_info == NULL )
304 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
305
306 hlen = mbedtls_md_get_size( md_info );
307
308 /* For non-initial runs, call Derive-Secret( ., "derived", "")
309 * on the old secret. */
310 if( secret_old != NULL )
311 {
312 ret = mbedtls_ssl_tls13_derive_secret(
313 hash_alg,
314 secret_old, hlen,
315 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
316 NULL, 0, /* context */
317 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
318 tmp_secret, hlen );
319 if( ret != 0 )
320 goto cleanup;
321 }
322
323 if( input != NULL )
324 {
325 memcpy( tmp_input, input, input_len );
326 ilen = input_len;
327 }
328 else
329 {
330 ilen = hlen;
331 }
332
333 /* HKDF-Extract takes a salt and input key material.
334 * The salt is the old secret, and the input key material
335 * is the input secret (PSK / ECDHE). */
336 ret = mbedtls_hkdf_extract( md_info,
337 tmp_secret, hlen,
338 tmp_input, ilen,
339 secret_new );
340 if( ret != 0 )
341 goto cleanup;
342
343 ret = 0;
344
345 cleanup:
346
347 mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
348 mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
349 return( ret );
350 }
351
mbedtls_ssl_tls13_derive_early_secrets(mbedtls_md_type_t md_type,unsigned char const * early_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_early_secrets * derived)352 int mbedtls_ssl_tls13_derive_early_secrets(
353 mbedtls_md_type_t md_type,
354 unsigned char const *early_secret,
355 unsigned char const *transcript, size_t transcript_len,
356 mbedtls_ssl_tls13_early_secrets *derived )
357 {
358 int ret;
359 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
360 size_t const md_size = mbedtls_md_get_size( md_info );
361
362 /* We should never call this function with an unknown hash,
363 * but add an assertion anyway. */
364 if( md_info == 0 )
365 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
366
367 /*
368 * 0
369 * |
370 * v
371 * PSK -> HKDF-Extract = Early Secret
372 * |
373 * +-----> Derive-Secret(., "c e traffic", ClientHello)
374 * | = client_early_traffic_secret
375 * |
376 * +-----> Derive-Secret(., "e exp master", ClientHello)
377 * | = early_exporter_master_secret
378 * v
379 */
380
381 /* Create client_early_traffic_secret */
382 ret = mbedtls_ssl_tls13_derive_secret( md_type,
383 early_secret, md_size,
384 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
385 transcript, transcript_len,
386 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
387 derived->client_early_traffic_secret,
388 md_size );
389 if( ret != 0 )
390 return( ret );
391
392 /* Create early exporter */
393 ret = mbedtls_ssl_tls13_derive_secret( md_type,
394 early_secret, md_size,
395 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
396 transcript, transcript_len,
397 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
398 derived->early_exporter_master_secret,
399 md_size );
400 if( ret != 0 )
401 return( ret );
402
403 return( 0 );
404 }
405
mbedtls_ssl_tls13_derive_handshake_secrets(mbedtls_md_type_t md_type,unsigned char const * handshake_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_handshake_secrets * derived)406 int mbedtls_ssl_tls13_derive_handshake_secrets(
407 mbedtls_md_type_t md_type,
408 unsigned char const *handshake_secret,
409 unsigned char const *transcript, size_t transcript_len,
410 mbedtls_ssl_tls13_handshake_secrets *derived )
411 {
412 int ret;
413 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
414 size_t const md_size = mbedtls_md_get_size( md_info );
415
416 /* We should never call this function with an unknown hash,
417 * but add an assertion anyway. */
418 if( md_info == 0 )
419 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
420
421 /*
422 *
423 * Handshake Secret
424 * |
425 * +-----> Derive-Secret( ., "c hs traffic",
426 * | ClientHello...ServerHello )
427 * | = client_handshake_traffic_secret
428 * |
429 * +-----> Derive-Secret( ., "s hs traffic",
430 * | ClientHello...ServerHello )
431 * | = server_handshake_traffic_secret
432 *
433 */
434
435 /*
436 * Compute client_handshake_traffic_secret with
437 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
438 */
439
440 ret = mbedtls_ssl_tls13_derive_secret( md_type,
441 handshake_secret, md_size,
442 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
443 transcript, transcript_len,
444 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
445 derived->client_handshake_traffic_secret,
446 md_size );
447 if( ret != 0 )
448 return( ret );
449
450 /*
451 * Compute server_handshake_traffic_secret with
452 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
453 */
454
455 ret = mbedtls_ssl_tls13_derive_secret( md_type,
456 handshake_secret, md_size,
457 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
458 transcript, transcript_len,
459 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
460 derived->server_handshake_traffic_secret,
461 md_size );
462 if( ret != 0 )
463 return( ret );
464
465 return( 0 );
466 }
467
mbedtls_ssl_tls13_derive_application_secrets(mbedtls_md_type_t md_type,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_application_secrets * derived)468 int mbedtls_ssl_tls13_derive_application_secrets(
469 mbedtls_md_type_t md_type,
470 unsigned char const *application_secret,
471 unsigned char const *transcript, size_t transcript_len,
472 mbedtls_ssl_tls13_application_secrets *derived )
473 {
474 int ret;
475 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
476 size_t const md_size = mbedtls_md_get_size( md_info );
477
478 /* We should never call this function with an unknown hash,
479 * but add an assertion anyway. */
480 if( md_info == 0 )
481 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
482
483 /* Generate {client,server}_application_traffic_secret_0
484 *
485 * Master Secret
486 * |
487 * +-----> Derive-Secret( ., "c ap traffic",
488 * | ClientHello...server Finished )
489 * | = client_application_traffic_secret_0
490 * |
491 * +-----> Derive-Secret( ., "s ap traffic",
492 * | ClientHello...Server Finished )
493 * | = server_application_traffic_secret_0
494 * |
495 * +-----> Derive-Secret( ., "exp master",
496 * | ClientHello...server Finished)
497 * | = exporter_master_secret
498 *
499 */
500
501 ret = mbedtls_ssl_tls13_derive_secret( md_type,
502 application_secret, md_size,
503 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
504 transcript, transcript_len,
505 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
506 derived->client_application_traffic_secret_N,
507 md_size );
508 if( ret != 0 )
509 return( ret );
510
511 ret = mbedtls_ssl_tls13_derive_secret( md_type,
512 application_secret, md_size,
513 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
514 transcript, transcript_len,
515 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
516 derived->server_application_traffic_secret_N,
517 md_size );
518 if( ret != 0 )
519 return( ret );
520
521 ret = mbedtls_ssl_tls13_derive_secret( md_type,
522 application_secret, md_size,
523 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
524 transcript, transcript_len,
525 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
526 derived->exporter_master_secret,
527 md_size );
528 if( ret != 0 )
529 return( ret );
530
531 return( 0 );
532 }
533
534 /* Generate resumption_master_secret for use with the ticket exchange.
535 *
536 * This is not integrated with mbedtls_ssl_tls13_derive_application_secrets()
537 * because it uses the transcript hash up to and including ClientFinished. */
mbedtls_ssl_tls13_derive_resumption_master_secret(mbedtls_md_type_t md_type,unsigned char const * application_secret,unsigned char const * transcript,size_t transcript_len,mbedtls_ssl_tls13_application_secrets * derived)538 int mbedtls_ssl_tls13_derive_resumption_master_secret(
539 mbedtls_md_type_t md_type,
540 unsigned char const *application_secret,
541 unsigned char const *transcript, size_t transcript_len,
542 mbedtls_ssl_tls13_application_secrets *derived )
543 {
544 int ret;
545 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
546 size_t const md_size = mbedtls_md_get_size( md_info );
547
548 /* We should never call this function with an unknown hash,
549 * but add an assertion anyway. */
550 if( md_info == 0 )
551 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
552
553 ret = mbedtls_ssl_tls13_derive_secret( md_type,
554 application_secret, md_size,
555 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
556 transcript, transcript_len,
557 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
558 derived->resumption_master_secret,
559 md_size );
560
561 if( ret != 0 )
562 return( ret );
563
564 return( 0 );
565 }
566
mbedtls_ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context * ssl)567 int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
568 {
569 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
570 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
571 mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
572 #if defined(MBEDTLS_DEBUG_C)
573 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
574 size_t const md_size = mbedtls_md_get_size( md_info );
575 #endif /* MBEDTLS_DEBUG_C */
576
577 /*
578 * Compute MasterSecret
579 */
580 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
581 handshake->tls13_master_secrets.handshake,
582 NULL, 0,
583 handshake->tls13_master_secrets.app );
584 if( ret != 0 )
585 {
586 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
587 return( ret );
588 }
589
590 MBEDTLS_SSL_DEBUG_BUF( 4, "Master secret",
591 handshake->tls13_master_secrets.app, md_size );
592
593 return( 0 );
594 }
595
ssl_tls13_calc_finished_core(mbedtls_md_type_t md_type,unsigned char const * base_key,unsigned char const * transcript,unsigned char * dst)596 static int ssl_tls13_calc_finished_core( mbedtls_md_type_t md_type,
597 unsigned char const *base_key,
598 unsigned char const *transcript,
599 unsigned char *dst )
600 {
601 const mbedtls_md_info_t* const md_info = mbedtls_md_info_from_type( md_type );
602 size_t const md_size = mbedtls_md_get_size( md_info );
603 unsigned char finished_key[MBEDTLS_MD_MAX_SIZE];
604 int ret;
605
606 /* We should never call this function with an unknown hash,
607 * but add an assertion anyway. */
608 if( md_info == 0 )
609 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
610
611 /* TLS 1.3 Finished message
612 *
613 * struct {
614 * opaque verify_data[Hash.length];
615 * } Finished;
616 *
617 * verify_data =
618 * HMAC( finished_key,
619 * Hash( Handshake Context +
620 * Certificate* +
621 * CertificateVerify* )
622 * )
623 *
624 * finished_key =
625 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length )
626 */
627
628 ret = mbedtls_ssl_tls13_hkdf_expand_label(
629 md_type, base_key, md_size,
630 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( finished ),
631 NULL, 0,
632 finished_key, md_size );
633 if( ret != 0 )
634 goto exit;
635
636 ret = mbedtls_md_hmac( md_info, finished_key, md_size, transcript, md_size, dst );
637 if( ret != 0 )
638 goto exit;
639
640 exit:
641
642 mbedtls_platform_zeroize( finished_key, sizeof( finished_key ) );
643 return( ret );
644 }
645
mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * actual_len,int from)646 int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context* ssl,
647 unsigned char* dst,
648 size_t dst_len,
649 size_t *actual_len,
650 int from )
651 {
652 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
653
654 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
655 size_t transcript_len;
656
657 unsigned char *base_key = NULL;
658 size_t base_key_len = 0;
659 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
660 &ssl->handshake->tls13_hs_secrets;
661
662 mbedtls_md_type_t const md_type = ssl->handshake->ciphersuite_info->mac;
663 const mbedtls_md_info_t* const md_info =
664 mbedtls_md_info_from_type( md_type );
665 size_t const md_size = mbedtls_md_get_size( md_info );
666
667 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_calculate_verify_data" ) );
668
669 if( from == MBEDTLS_SSL_IS_CLIENT )
670 {
671 base_key = tls13_hs_secrets->client_handshake_traffic_secret;
672 base_key_len = sizeof( tls13_hs_secrets->client_handshake_traffic_secret );
673 }
674 else
675 {
676 base_key = tls13_hs_secrets->server_handshake_traffic_secret;
677 base_key_len = sizeof( tls13_hs_secrets->server_handshake_traffic_secret );
678 }
679
680 if( dst_len < md_size )
681 {
682 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
683 goto exit;
684 }
685
686 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
687 transcript, sizeof( transcript ),
688 &transcript_len );
689 if( ret != 0 )
690 {
691 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret );
692 goto exit;
693 }
694 MBEDTLS_SSL_DEBUG_BUF( 4, "handshake hash", transcript, transcript_len );
695
696 ret = ssl_tls13_calc_finished_core( md_type, base_key, transcript, dst );
697 if( ret != 0 )
698 goto exit;
699 *actual_len = md_size;
700
701 MBEDTLS_SSL_DEBUG_BUF( 3, "verify_data for finished message", dst, md_size );
702 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_calculate_verify_data" ) );
703
704 exit:
705 /* Erase handshake secrets */
706 mbedtls_platform_zeroize( base_key, base_key_len );
707 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
708 return( ret );
709 }
710
mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md_type,unsigned char const * psk,size_t psk_len,int psk_type,unsigned char const * transcript,unsigned char * result)711 int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
712 const mbedtls_md_type_t md_type,
713 unsigned char const *psk, size_t psk_len,
714 int psk_type,
715 unsigned char const *transcript,
716 unsigned char *result )
717 {
718 int ret = 0;
719 unsigned char binder_key[MBEDTLS_MD_MAX_SIZE];
720 unsigned char early_secret[MBEDTLS_MD_MAX_SIZE];
721 mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type( md_type );
722 size_t const md_size = mbedtls_md_get_size( md_info );
723
724 #if !defined(MBEDTLS_DEBUG_C)
725 ssl = NULL; /* make sure we don't use it except for debug */
726 ((void) ssl);
727 #endif
728
729 /* We should never call this function with an unknown hash,
730 * but add an assertion anyway. */
731 if( md_info == 0 )
732 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
733
734 /*
735 * 0
736 * |
737 * v
738 * PSK -> HKDF-Extract = Early Secret
739 * |
740 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
741 * | = binder_key
742 * v
743 */
744
745 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
746 NULL, /* Old secret */
747 psk, psk_len, /* Input */
748 early_secret );
749 if( ret != 0 )
750 {
751 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
752 goto exit;
753 }
754
755 if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
756 {
757 ret = mbedtls_ssl_tls13_derive_secret( md_type,
758 early_secret, md_size,
759 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_binder ),
760 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
761 binder_key, md_size );
762 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'res binder'" ) );
763 }
764 else
765 {
766 ret = mbedtls_ssl_tls13_derive_secret( md_type,
767 early_secret, md_size,
768 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( ext_binder ),
769 NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
770 binder_key, md_size );
771 MBEDTLS_SSL_DEBUG_MSG( 4, ( "Derive Early Secret with 'ext binder'" ) );
772 }
773
774 if( ret != 0 )
775 {
776 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_secret", ret );
777 goto exit;
778 }
779
780 /*
781 * The binding_value is computed in the same way as the Finished message
782 * but with the BaseKey being the binder_key.
783 */
784
785 ret = ssl_tls13_calc_finished_core( md_type, binder_key, transcript, result );
786 if( ret != 0 )
787 goto exit;
788
789 MBEDTLS_SSL_DEBUG_BUF( 3, "psk binder", result, md_size );
790
791 exit:
792
793 mbedtls_platform_zeroize( early_secret, sizeof( early_secret ) );
794 mbedtls_platform_zeroize( binder_key, sizeof( binder_key ) );
795 return( ret );
796 }
797
mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform * transform,int endpoint,int ciphersuite,mbedtls_ssl_key_set const * traffic_keys,mbedtls_ssl_context * ssl)798 int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
799 int endpoint,
800 int ciphersuite,
801 mbedtls_ssl_key_set const *traffic_keys,
802 mbedtls_ssl_context *ssl /* DEBUG ONLY */ )
803 {
804 int ret;
805 mbedtls_cipher_info_t const *cipher_info;
806 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
807 unsigned char const *key_enc;
808 unsigned char const *iv_enc;
809 unsigned char const *key_dec;
810 unsigned char const *iv_dec;
811
812 #if !defined(MBEDTLS_DEBUG_C)
813 ssl = NULL; /* make sure we don't use it except for those cases */
814 (void) ssl;
815 #endif
816
817 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
818 if( ciphersuite_info == NULL )
819 {
820 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
821 ciphersuite ) );
822 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
823 }
824
825 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
826 if( cipher_info == NULL )
827 {
828 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
829 ciphersuite_info->cipher ) );
830 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
831 }
832
833 /*
834 * Setup cipher contexts in target transform
835 */
836
837 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
838 cipher_info ) ) != 0 )
839 {
840 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
841 return( ret );
842 }
843
844 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
845 cipher_info ) ) != 0 )
846 {
847 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
848 return( ret );
849 }
850
851 #if defined(MBEDTLS_SSL_SRV_C)
852 if( endpoint == MBEDTLS_SSL_IS_SERVER )
853 {
854 key_enc = traffic_keys->server_write_key;
855 key_dec = traffic_keys->client_write_key;
856 iv_enc = traffic_keys->server_write_iv;
857 iv_dec = traffic_keys->client_write_iv;
858 }
859 else
860 #endif /* MBEDTLS_SSL_SRV_C */
861 #if defined(MBEDTLS_SSL_CLI_C)
862 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
863 {
864 key_enc = traffic_keys->client_write_key;
865 key_dec = traffic_keys->server_write_key;
866 iv_enc = traffic_keys->client_write_iv;
867 iv_dec = traffic_keys->server_write_iv;
868 }
869 else
870 #endif /* MBEDTLS_SSL_CLI_C */
871 {
872 /* should not happen */
873 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
874 }
875
876 memcpy( transform->iv_enc, iv_enc, traffic_keys->iv_len );
877 memcpy( transform->iv_dec, iv_dec, traffic_keys->iv_len );
878
879 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc,
880 key_enc, cipher_info->key_bitlen,
881 MBEDTLS_ENCRYPT ) ) != 0 )
882 {
883 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
884 return( ret );
885 }
886
887 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec,
888 key_dec, cipher_info->key_bitlen,
889 MBEDTLS_DECRYPT ) ) != 0 )
890 {
891 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
892 return( ret );
893 }
894
895 /*
896 * Setup other fields in SSL transform
897 */
898
899 if( ( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) != 0 )
900 transform->taglen = 8;
901 else
902 transform->taglen = 16;
903
904 transform->ivlen = traffic_keys->iv_len;
905 transform->maclen = 0;
906 transform->fixed_ivlen = transform->ivlen;
907 transform->minor_ver = MBEDTLS_SSL_MINOR_VERSION_4;
908
909 /* We add the true record content type (1 Byte) to the plaintext and
910 * then pad to the configured granularity. The mimimum length of the
911 * type-extended and padded plaintext is therefore the padding
912 * granularity. */
913 transform->minlen =
914 transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
915
916 return( 0 );
917 }
918
mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context * ssl)919 int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
920 {
921 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
922 mbedtls_md_type_t md_type;
923 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
924
925 if( handshake->ciphersuite_info == NULL )
926 {
927 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher suite info not found" ) );
928 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
929 }
930
931 md_type = handshake->ciphersuite_info->mac;
932
933 ret = mbedtls_ssl_tls13_evolve_secret( md_type, NULL, NULL, 0,
934 handshake->tls13_master_secrets.early );
935 if( ret != 0 )
936 {
937 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
938 return( ret );
939 }
940
941 return( 0 );
942 }
943
944 /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
945 * protecting the handshake messages, as described in Section 7 of TLS 1.3. */
mbedtls_ssl_tls13_generate_handshake_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)946 int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
947 mbedtls_ssl_key_set *traffic_keys )
948 {
949 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
950
951 mbedtls_md_type_t md_type;
952 mbedtls_md_info_t const *md_info;
953 size_t md_size;
954
955 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
956 size_t transcript_len;
957
958 mbedtls_cipher_info_t const *cipher_info;
959 size_t key_len, iv_len;
960
961 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
962 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
963 mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets;
964
965 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
966
967 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
968 key_len = cipher_info->key_bitlen >> 3;
969 iv_len = cipher_info->iv_size;
970
971 md_type = ciphersuite_info->mac;
972 md_info = mbedtls_md_info_from_type( md_type );
973 md_size = mbedtls_md_get_size( md_info );
974
975 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
976 transcript,
977 sizeof( transcript ),
978 &transcript_len );
979 if( ret != 0 )
980 {
981 MBEDTLS_SSL_DEBUG_RET( 1,
982 "mbedtls_ssl_get_handshake_transcript",
983 ret );
984 return( ret );
985 }
986
987 ret = mbedtls_ssl_tls13_derive_handshake_secrets( md_type,
988 handshake->tls13_master_secrets.handshake,
989 transcript, transcript_len, tls13_hs_secrets );
990 if( ret != 0 )
991 {
992 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_handshake_secrets",
993 ret );
994 return( ret );
995 }
996
997 MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret",
998 tls13_hs_secrets->client_handshake_traffic_secret,
999 md_size );
1000 MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret",
1001 tls13_hs_secrets->server_handshake_traffic_secret,
1002 md_size );
1003
1004 /*
1005 * Export client handshake traffic secret
1006 */
1007 if( ssl->f_export_keys != NULL )
1008 {
1009 ssl->f_export_keys( ssl->p_export_keys,
1010 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
1011 tls13_hs_secrets->client_handshake_traffic_secret,
1012 md_size,
1013 handshake->randbytes + 32,
1014 handshake->randbytes,
1015 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1016
1017 ssl->f_export_keys( ssl->p_export_keys,
1018 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
1019 tls13_hs_secrets->server_handshake_traffic_secret,
1020 md_size,
1021 handshake->randbytes + 32,
1022 handshake->randbytes,
1023 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
1024 }
1025
1026 ret = mbedtls_ssl_tls13_make_traffic_keys( md_type,
1027 tls13_hs_secrets->client_handshake_traffic_secret,
1028 tls13_hs_secrets->server_handshake_traffic_secret,
1029 md_size, key_len, iv_len, traffic_keys );
1030 if( ret != 0 )
1031 {
1032 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
1033 goto exit;
1034 }
1035
1036 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key",
1037 traffic_keys->client_write_key,
1038 traffic_keys->key_len);
1039
1040 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key",
1041 traffic_keys->server_write_key,
1042 traffic_keys->key_len);
1043
1044 MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv",
1045 traffic_keys->client_write_iv,
1046 traffic_keys->iv_len);
1047
1048 MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv",
1049 traffic_keys->server_write_iv,
1050 traffic_keys->iv_len);
1051
1052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls13_generate_handshake_keys" ) );
1053
1054 exit:
1055
1056 return( ret );
1057 }
1058
mbedtls_ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context * ssl)1059 int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl )
1060 {
1061 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1062 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1063 mbedtls_md_type_t const md_type = handshake->ciphersuite_info->mac;
1064 size_t ephemeral_len = 0;
1065 unsigned char ecdhe[MBEDTLS_ECP_MAX_BYTES];
1066 #if defined(MBEDTLS_DEBUG_C)
1067 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
1068 size_t const md_size = mbedtls_md_get_size( md_info );
1069 #endif /* MBEDTLS_DEBUG_C */
1070
1071 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1072 /*
1073 * Compute ECDHE secret used to compute the handshake secret from which
1074 * client_handshake_traffic_secret and server_handshake_traffic_secret
1075 * are derived in the handshake secret derivation stage.
1076 */
1077 if( mbedtls_ssl_tls13_ephemeral_enabled( ssl ) )
1078 {
1079 if( mbedtls_ssl_tls13_named_group_is_ecdhe( handshake->offered_group_id ) )
1080 {
1081 #if defined(MBEDTLS_ECDH_C)
1082 ret = mbedtls_ecdh_calc_secret( &handshake->ecdh_ctx,
1083 &ephemeral_len, ecdhe, sizeof( ecdhe ),
1084 ssl->conf->f_rng,
1085 ssl->conf->p_rng );
1086 if( ret != 0 )
1087 {
1088 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1089 return( ret );
1090 }
1091 #endif /* MBEDTLS_ECDH_C */
1092 }
1093 else if( mbedtls_ssl_tls13_named_group_is_dhe( handshake->offered_group_id ) )
1094 {
1095 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DHE not supported." ) );
1096 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1097 }
1098 }
1099 #else
1100 return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
1101 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1102
1103 /*
1104 * Compute the Handshake Secret
1105 */
1106 ret = mbedtls_ssl_tls13_evolve_secret( md_type,
1107 handshake->tls13_master_secrets.early,
1108 ecdhe, ephemeral_len,
1109 handshake->tls13_master_secrets.handshake );
1110 if( ret != 0 )
1111 {
1112 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_evolve_secret", ret );
1113 return( ret );
1114 }
1115
1116 MBEDTLS_SSL_DEBUG_BUF( 4, "Handshake secret",
1117 handshake->tls13_master_secrets.handshake, md_size );
1118
1119 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED)
1120 mbedtls_platform_zeroize( ecdhe, sizeof( ecdhe ) );
1121 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED */
1122 return( 0 );
1123 }
1124
1125 /* Generate application traffic keys since any records following a 1-RTT Finished message
1126 * MUST be encrypted under the application traffic key.
1127 */
mbedtls_ssl_tls13_generate_application_keys(mbedtls_ssl_context * ssl,mbedtls_ssl_key_set * traffic_keys)1128 int mbedtls_ssl_tls13_generate_application_keys(
1129 mbedtls_ssl_context *ssl,
1130 mbedtls_ssl_key_set *traffic_keys )
1131 {
1132 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1133 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
1134
1135 /* Address at which to store the application secrets */
1136 mbedtls_ssl_tls13_application_secrets * const app_secrets =
1137 &ssl->session_negotiate->app_secrets;
1138
1139 /* Holding the transcript up to and including the ServerFinished */
1140 unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1141 size_t transcript_len;
1142
1143 /* Variables relating to the hash for the chosen ciphersuite. */
1144 mbedtls_md_type_t md_type;
1145 mbedtls_md_info_t const *md_info;
1146 size_t md_size;
1147
1148 /* Variables relating to the cipher for the chosen ciphersuite. */
1149 mbedtls_cipher_info_t const *cipher_info;
1150 size_t key_len, iv_len;
1151
1152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive application traffic keys" ) );
1153
1154 /* Extract basic information about hash and ciphersuite */
1155
1156 cipher_info = mbedtls_cipher_info_from_type(
1157 handshake->ciphersuite_info->cipher );
1158 key_len = cipher_info->key_bitlen / 8;
1159 iv_len = cipher_info->iv_size;
1160
1161 md_type = handshake->ciphersuite_info->mac;
1162 md_info = mbedtls_md_info_from_type( md_type );
1163 md_size = mbedtls_md_get_size( md_info );
1164
1165 /* Compute current handshake transcript. It's the caller's responsiblity
1166 * to call this at the right time, that is, after the ServerFinished. */
1167
1168 ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
1169 transcript, sizeof( transcript ),
1170 &transcript_len );
1171 if( ret != 0 )
1172 goto cleanup;
1173
1174 /* Compute application secrets from master secret and transcript hash. */
1175
1176 ret = mbedtls_ssl_tls13_derive_application_secrets( md_type,
1177 handshake->tls13_master_secrets.app,
1178 transcript, transcript_len,
1179 app_secrets );
1180 /* Erase master secrets */
1181 mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
1182 sizeof( ssl->handshake->tls13_master_secrets ) );
1183 if( ret != 0 )
1184 {
1185 MBEDTLS_SSL_DEBUG_RET( 1,
1186 "mbedtls_ssl_tls13_derive_application_secrets", ret );
1187 goto cleanup;
1188 }
1189
1190 /* Derive first epoch of IV + Key for application traffic. */
1191
1192 ret = mbedtls_ssl_tls13_make_traffic_keys( md_type,
1193 app_secrets->client_application_traffic_secret_N,
1194 app_secrets->server_application_traffic_secret_N,
1195 md_size, key_len, iv_len, traffic_keys );
1196 if( ret != 0 )
1197 {
1198 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret );
1199 goto cleanup;
1200 }
1201
1202 MBEDTLS_SSL_DEBUG_BUF( 4, "Client application traffic secret",
1203 app_secrets->client_application_traffic_secret_N,
1204 md_size );
1205
1206 MBEDTLS_SSL_DEBUG_BUF( 4, "Server application traffic secret",
1207 app_secrets->server_application_traffic_secret_N,
1208 md_size );
1209
1210 /*
1211 * Export client/server application traffic secret 0
1212 */
1213 if( ssl->f_export_keys != NULL )
1214 {
1215 ssl->f_export_keys( ssl->p_export_keys,
1216 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
1217 app_secrets->client_application_traffic_secret_N, md_size,
1218 handshake->randbytes + 32,
1219 handshake->randbytes,
1220 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1221 a new constant for TLS 1.3! */ );
1222
1223 ssl->f_export_keys( ssl->p_export_keys,
1224 MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
1225 app_secrets->server_application_traffic_secret_N, md_size,
1226 handshake->randbytes + 32,
1227 handshake->randbytes,
1228 MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
1229 a new constant for TLS 1.3! */ );
1230 }
1231
1232 MBEDTLS_SSL_DEBUG_BUF( 4, "client application_write_key:",
1233 traffic_keys->client_write_key, key_len );
1234 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write key",
1235 traffic_keys->server_write_key, key_len );
1236 MBEDTLS_SSL_DEBUG_BUF( 4, "client application write IV",
1237 traffic_keys->client_write_iv, iv_len );
1238 MBEDTLS_SSL_DEBUG_BUF( 4, "server application write IV",
1239 traffic_keys->server_write_iv, iv_len );
1240
1241 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive application traffic keys" ) );
1242
1243 cleanup:
1244 /* randbytes is not used again */
1245 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1246 sizeof( ssl->handshake->randbytes ) );
1247 mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
1248 return( ret );
1249 }
1250
1251 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1252