1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15 #include "hitls_build.h"
16 #ifdef HITLS_TLS_PROTO_TLS13
17 #include <stdbool.h>
18 #include "securec.h"
19 #include "bsl_bytes.h"
20 #include "bsl_err_internal.h"
21 #include "tls_binlog_id.h"
22 #include "hitls_error.h"
23 #include "hitls_crypt_type.h"
24 #include "tls.h"
25 #include "crypt.h"
26 #include "rec.h"
27 #include "hs_kx.h"
28 #include "hs_common.h"
29 #include "transcript_hash.h"
30 #include "config_type.h"
31
HS_TLS13DeriveSecret(CRYPT_KeyDeriveParameters * deriveInfo,bool isHashed,uint8_t * outSecret,uint32_t outLen)32 int32_t HS_TLS13DeriveSecret(CRYPT_KeyDeriveParameters *deriveInfo, bool isHashed, uint8_t *outSecret, uint32_t outLen)
33 {
34 int32_t ret;
35 uint8_t transcriptHash[MAX_DIGEST_SIZE] = {0};
36 uint32_t hashLen = SAL_CRYPT_DigestSize(deriveInfo->hashAlgo);
37 if (hashLen == 0) {
38 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16888, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
39 return HITLS_CRYPT_ERR_DIGEST;
40 }
41 if (!isHashed) {
42 ret = SAL_CRYPT_Digest(deriveInfo->libCtx, deriveInfo->attrName,
43 deriveInfo->hashAlgo, deriveInfo->seed, deriveInfo->seedLen, transcriptHash, &hashLen);
44 if (ret != HITLS_SUCCESS) {
45 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16889, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
46 "Digest fail", 0, 0, 0, 0);
47 return ret;
48 }
49
50 deriveInfo->seed = transcriptHash;
51 deriveInfo->seedLen = hashLen;
52 }
53
54 return SAL_CRYPT_HkdfExpandLabel(deriveInfo, outSecret, outLen);
55 }
56
TLS13HkdfExtract(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_CRYPT_HkdfExtractInput * extractInput,uint8_t * prk,uint32_t * prkLen)57 int32_t TLS13HkdfExtract(HITLS_Lib_Ctx *libCtx, const char *attrName,
58 HITLS_CRYPT_HkdfExtractInput *extractInput, uint8_t *prk, uint32_t *prkLen)
59 {
60 uint32_t hashLen = SAL_CRYPT_DigestSize(extractInput->hashAlgo);
61 if (hashLen == 0) {
62 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16890, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
63 return HITLS_CRYPT_ERR_DIGEST;
64 }
65 uint8_t zeros[MAX_DIGEST_SIZE] = {0};
66
67 if (extractInput->salt == NULL) {
68 extractInput->salt = zeros;
69 extractInput->saltLen = hashLen;
70 }
71
72 if (extractInput->inputKeyMaterial == NULL) {
73 extractInput->inputKeyMaterial = zeros;
74 extractInput->inputKeyMaterialLen = hashLen;
75 }
76
77 return SAL_CRYPT_HkdfExtract(libCtx, attrName, extractInput, prk, prkLen);
78 }
79
80 /*
81 0
82 |
83 v
84 PSK -> HKDF-Extract = Early Secret
85 */
HS_TLS13DeriveEarlySecret(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_HashAlgo hashAlgo,uint8_t * psk,uint32_t pskLen,uint8_t * earlySecret,uint32_t * outLen)86 int32_t HS_TLS13DeriveEarlySecret(HITLS_Lib_Ctx *libCtx, const char *attrName, HITLS_HashAlgo hashAlgo, uint8_t *psk, uint32_t pskLen,
87 uint8_t *earlySecret, uint32_t *outLen)
88 {
89 HITLS_CRYPT_HkdfExtractInput extractInput = {0};
90 extractInput.hashAlgo = hashAlgo;
91 extractInput.salt = NULL;
92 extractInput.saltLen = 0;
93 extractInput.inputKeyMaterial = psk;
94 extractInput.inputKeyMaterialLen = pskLen;
95
96 return TLS13HkdfExtract(libCtx, attrName, &extractInput, earlySecret, outLen);
97 }
98
HS_TLS13DeriveBinderKey(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_HashAlgo hashAlgo,bool isExternalPsk,uint8_t * earlySecret,uint32_t secretLen,uint8_t * binderKey,uint32_t keyLen)99 int32_t HS_TLS13DeriveBinderKey(HITLS_Lib_Ctx *libCtx, const char *attrName,
100 HITLS_HashAlgo hashAlgo, bool isExternalPsk,
101 uint8_t *earlySecret, uint32_t secretLen, uint8_t *binderKey, uint32_t keyLen)
102 {
103 uint8_t *binderLabel;
104 uint32_t labelLen;
105 uint8_t extBinderLabel[] = "ext binder";
106 uint8_t resBinderLabel[] = "res binder";
107 if (isExternalPsk) {
108 binderLabel = extBinderLabel;
109 labelLen = sizeof(extBinderLabel) - 1;
110 } else {
111 binderLabel = resBinderLabel;
112 labelLen = sizeof(resBinderLabel) - 1;
113 }
114
115 CRYPT_KeyDeriveParameters deriveInfo = {0};
116 deriveInfo.hashAlgo = hashAlgo;
117 deriveInfo.secret = earlySecret;
118 deriveInfo.secretLen = secretLen;
119 deriveInfo.label = binderLabel;
120 deriveInfo.labelLen = labelLen;
121 deriveInfo.seed = NULL;
122 deriveInfo.seedLen = 0;
123 deriveInfo.libCtx = libCtx;
124 deriveInfo.attrName = attrName;
125 return HS_TLS13DeriveSecret(&deriveInfo, false, binderKey, keyLen);
126 }
127
128 /*
129 Early Secret
130 |
131 v
132 Derive-Secret(., "derived", "")
133 |
134 v
135 (EC)DHE -> HKDF-Extract = Handshake Secret
136 |
137 v
138 Derive-Secret(., "derived", "")
139 |
140 v
141 0 -> HKDF-Extract = Master Secret
142 */
HS_TLS13DeriveNextStageSecret(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_HashAlgo hashAlgo,uint8_t * inSecret,uint32_t inLen,uint8_t * givenSecret,uint32_t givenLen,uint8_t * outSecret,uint32_t * outLen)143 int32_t HS_TLS13DeriveNextStageSecret(HITLS_Lib_Ctx *libCtx, const char *attrName,
144 HITLS_HashAlgo hashAlgo, uint8_t *inSecret, uint32_t inLen,
145 uint8_t *givenSecret, uint32_t givenLen, uint8_t *outSecret, uint32_t *outLen)
146 {
147 int32_t ret;
148 uint8_t label[] = "derived";
149 uint8_t tmpSecret[MAX_DIGEST_SIZE];
150 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlgo);
151 if (hashLen == 0) {
152 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16891, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
153 return HITLS_CRYPT_ERR_DIGEST;
154 }
155 CRYPT_KeyDeriveParameters deriveInfo = {0};
156 deriveInfo.hashAlgo = hashAlgo;
157 deriveInfo.secret = inSecret;
158 deriveInfo.secretLen = inLen;
159 deriveInfo.label = label;
160 deriveInfo.labelLen = sizeof(label) - 1;
161 deriveInfo.seed = NULL;
162 deriveInfo.seedLen = 0;
163 deriveInfo.libCtx = libCtx;
164 deriveInfo.attrName = attrName;
165 ret = HS_TLS13DeriveSecret(&deriveInfo, false, tmpSecret, hashLen);
166 if (ret != HITLS_SUCCESS) {
167 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16892, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
168 "DeriveSecret fail", 0, 0, 0, 0);
169 return ret;
170 }
171
172 HITLS_CRYPT_HkdfExtractInput extractInput = {0};
173 extractInput.hashAlgo = hashAlgo;
174 extractInput.salt = tmpSecret;
175 extractInput.saltLen = hashLen;
176 extractInput.inputKeyMaterial = givenSecret;
177 extractInput.inputKeyMaterialLen = givenLen;
178 ret = TLS13HkdfExtract(libCtx, attrName, &extractInput, outSecret, outLen);
179 BSL_SAL_CleanseData(tmpSecret, MAX_DIGEST_SIZE);
180 return ret;
181 }
182
TLS13DeriveDheSecret(TLS_Ctx * ctx,uint8_t * preMasterSecret,uint32_t * preMasterSecretLen,uint32_t hashLen)183 int32_t TLS13DeriveDheSecret(TLS_Ctx *ctx, uint8_t *preMasterSecret, uint32_t *preMasterSecretLen, uint32_t hashLen)
184 {
185 KeyExchCtx *keyCtx = ctx->hsCtx->kxCtx;
186 if (keyCtx->peerPubkey == NULL) {
187 *preMasterSecretLen = hashLen;
188 return HITLS_SUCCESS;
189 }
190
191 const TLS_GroupInfo *groupInfo = ConfigGetGroupInfo(&ctx->config.tlsConfig, ctx->negotiatedInfo.negotiatedGroup);
192 if (groupInfo == NULL) {
193 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16244, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
194 "group info not found", 0, 0, 0, 0);
195 return HITLS_INVALID_INPUT;
196 }
197 if (!groupInfo->isKem) {
198 return SAL_CRYPT_CalcEcdhSharedSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
199 keyCtx->key, keyCtx->peerPubkey, keyCtx->pubKeyLen,
200 preMasterSecret, preMasterSecretLen);
201 }
202 #ifdef HITLS_TLS_FEATURE_KEM
203 if (ctx->isClient) {
204 return SAL_CRYPT_KemDecapsulate(keyCtx->key, keyCtx->peerPubkey, keyCtx->pubKeyLen,
205 preMasterSecret, preMasterSecretLen);
206 }
207 BSL_SAL_Free(keyCtx->ciphertext);
208 keyCtx->ciphertext = BSL_SAL_Calloc(1, groupInfo->ciphertextLen);
209 if (keyCtx->ciphertext == NULL) {
210 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16245, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
211 "ciphertext malloc fail", 0, 0, 0, 0);
212 return HITLS_MEMALLOC_FAIL;
213 }
214 keyCtx->ciphertextLen = groupInfo->ciphertextLen;
215 return SAL_CRYPT_KemEncapsulate(ctx,
216 &(HITLS_KemEncapsulateParams){
217 .groupId = ctx->negotiatedInfo.negotiatedGroup,
218 .peerPubkey = keyCtx->peerPubkey,
219 .pubKeyLen = keyCtx->pubKeyLen,
220 .ciphertext = keyCtx->ciphertext,
221 .ciphertextLen = &keyCtx->ciphertextLen,
222 .sharedSecret = preMasterSecret,
223 .sharedSecretLen = preMasterSecretLen,
224 });
225 #else
226 return HITLS_INTERNAL_EXCEPTION;
227 #endif
228 }
229 /*
230 Early Secret
231 |
232 v
233 Derive-Secret(., "derived", "")
234 |
235 v
236 (EC)DHE -> HKDF-Extract = Handshake Secret
237 */
TLS13DeriveHandshakeSecret(TLS_Ctx * ctx)238 int32_t TLS13DeriveHandshakeSecret(TLS_Ctx *ctx)
239 {
240 uint16_t hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
241 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
242 if (hashLen == 0) {
243 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16893, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
244 return HITLS_CRYPT_ERR_DIGEST;
245 }
246 uint8_t preMasterSecret[MAX_PRE_MASTER_SECRET_SIZE] = {0};
247 uint32_t preMasterSecretLen = MAX_PRE_MASTER_SECRET_SIZE;
248 int32_t ret = TLS13DeriveDheSecret(ctx, preMasterSecret, &preMasterSecretLen, hashLen);
249 if (ret != HITLS_SUCCESS) {
250 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16894, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
251 "DeriveDheSecret fail", 0, 0, 0, 0);
252 return ret;
253 }
254 uint32_t handshakeSecretLen = hashLen;
255 ret = HS_TLS13DeriveNextStageSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
256 hashAlg, ctx->hsCtx->earlySecret, hashLen,
257 preMasterSecret, preMasterSecretLen, ctx->hsCtx->handshakeSecret, &handshakeSecretLen);
258 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16895, BSL_LOG_LEVEL_INFO, BSL_LOG_BINLOG_TYPE_RUN,
259 "DeriveNextStageSecret finish", 0, 0, 0, 0);
260 BSL_SAL_CleanseData(preMasterSecret, MAX_PRE_MASTER_SECRET_SIZE);
261 return ret;
262 }
263
264 /*
265 (EC)DHE -> HKDF-Extract = Handshake Secret
266 |
267 v
268 Derive-Secret(., "derived", "")
269 |
270 v
271 0 -> HKDF-Extract = Master Secret
272 */
TLS13DeriveMasterSecret(TLS_Ctx * ctx)273 int32_t TLS13DeriveMasterSecret(TLS_Ctx *ctx)
274 {
275 uint16_t hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
276 uint32_t hashLen = (uint32_t)SAL_CRYPT_DigestSize(hashAlg);
277 if (hashLen == 0) {
278 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16896, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
279 return HITLS_CRYPT_ERR_DIGEST;
280 }
281 uint32_t masterKeyLen = hashLen;
282
283 return HS_TLS13DeriveNextStageSecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
284 hashAlg, ctx->hsCtx->handshakeSecret, hashLen,
285 NULL, 0, ctx->hsCtx->masterKey, &masterKeyLen);
286 }
287
288 /*
289 finished_key = HKDF-Expand-Label(BaseKey, "finished", "", Hash.length)
290 */
HS_TLS13DeriveFinishedKey(HITLS_Lib_Ctx * libCtx,const char * attrName,HITLS_HashAlgo hashAlgo,uint8_t * baseKey,uint32_t baseKeyLen,uint8_t * finishedkey,uint32_t finishedkeyLen)291 int32_t HS_TLS13DeriveFinishedKey(HITLS_Lib_Ctx *libCtx, const char *attrName,
292 HITLS_HashAlgo hashAlgo, uint8_t *baseKey, uint32_t baseKeyLen,
293 uint8_t *finishedkey, uint32_t finishedkeyLen)
294 {
295 uint8_t label[] = "finished";
296
297 CRYPT_KeyDeriveParameters deriveInfo = {0};
298 deriveInfo.hashAlgo = hashAlgo;
299 deriveInfo.secret = baseKey;
300 deriveInfo.secretLen = baseKeyLen;
301 deriveInfo.label = label;
302 deriveInfo.labelLen = sizeof(label) - 1;
303 deriveInfo.seed = NULL;
304 deriveInfo.seedLen = 0;
305 deriveInfo.libCtx = libCtx;
306 deriveInfo.attrName = attrName;
307 return SAL_CRYPT_HkdfExpandLabel(&deriveInfo, finishedkey, finishedkeyLen);
308 }
309
310 /*
311 HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length)
312 */
HS_TLS13DeriveResumePsk(TLS_Ctx * ctx,const uint8_t * ticketNonce,uint32_t ticketNonceSize,uint8_t * resumePsk,uint32_t resumePskLen)313 int32_t HS_TLS13DeriveResumePsk(TLS_Ctx *ctx, const uint8_t *ticketNonce, uint32_t ticketNonceSize,
314 uint8_t *resumePsk, uint32_t resumePskLen)
315 {
316 const uint8_t label[] = "resumption";
317 HITLS_HashAlgo hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
318 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
319 if (hashLen == 0) {
320 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16897, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
321 return HITLS_CRYPT_ERR_DIGEST;
322 }
323 CRYPT_KeyDeriveParameters deriveInfo = {0};
324 deriveInfo.hashAlgo = hashAlg;
325 deriveInfo.secret = ctx->resumptionMasterSecret;
326 deriveInfo.secretLen = hashLen;
327 deriveInfo.label = label;
328 deriveInfo.labelLen = sizeof(label) - 1;
329 deriveInfo.seed = ticketNonce;
330 deriveInfo.seedLen = ticketNonceSize;
331 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
332 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
333 return SAL_CRYPT_HkdfExpandLabel(&deriveInfo, resumePsk, resumePskLen);
334 }
335
TLS13GetTrafficSecretDeriveInfo(TLS_Ctx * ctx,CRYPT_KeyDeriveParameters * deriveInfo,uint8_t * seed,uint32_t seedLen)336 int32_t TLS13GetTrafficSecretDeriveInfo(TLS_Ctx *ctx, CRYPT_KeyDeriveParameters *deriveInfo,
337 uint8_t *seed, uint32_t seedLen)
338 {
339 uint32_t tmpSeedLen = seedLen;
340 int32_t ret;
341 ret = VERIFY_CalcSessionHash(ctx->hsCtx->verifyCtx, seed, &tmpSeedLen);
342 if (ret != HITLS_SUCCESS) {
343 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16898, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
344 "CalcSessionHash fail", 0, 0, 0, 0);
345 return ret;
346 }
347 uint16_t hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
348 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
349 if (hashLen == 0) {
350 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16899, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
351 return HITLS_CRYPT_ERR_DIGEST;
352 }
353 deriveInfo->hashAlgo = hashAlg;
354 deriveInfo->seed = seed;
355 deriveInfo->seedLen = tmpSeedLen;
356 deriveInfo->secretLen = hashLen;
357 return HITLS_SUCCESS;
358 }
359
360 /*
361 Derive-Secret(Handshake Secret, label, ClientHello...ServerHello)
362 */
HS_TLS13DeriveHandshakeTrafficSecret(TLS_Ctx * ctx)363 int32_t HS_TLS13DeriveHandshakeTrafficSecret(TLS_Ctx *ctx)
364 {
365 uint8_t seed[MAX_DIGEST_SIZE] = {0};
366 uint32_t seedLen = MAX_DIGEST_SIZE;
367 CRYPT_KeyDeriveParameters deriveInfo = {0};
368 int32_t ret;
369 ret = TLS13GetTrafficSecretDeriveInfo(ctx, &deriveInfo, seed, seedLen);
370 if (ret != HITLS_SUCCESS) {
371 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16900, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
372 "GetTrafficSecretDeriveInfo fail", 0, 0, 0, 0);
373 return ret;
374 }
375
376 deriveInfo.secret = ctx->hsCtx->handshakeSecret;
377 uint32_t hashLen = deriveInfo.secretLen;
378 uint8_t clientLabel[] = "c hs traffic";
379 deriveInfo.label = clientLabel;
380 deriveInfo.labelLen = sizeof(clientLabel) - 1;
381 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
382 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
383 ret = HS_TLS13DeriveSecret(&deriveInfo, true, ctx->hsCtx->clientHsTrafficSecret, hashLen);
384 if (ret != HITLS_SUCCESS) {
385 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16901, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
386 "DeriveSecret fail", 0, 0, 0, 0);
387 return ret;
388 }
389 #ifdef HITLS_TLS_MAINTAIN_KEYLOG
390 HITLS_LogSecret(ctx, CLIENT_HANDSHAKE_LABEL, ctx->hsCtx->clientHsTrafficSecret,
391 deriveInfo.secretLen);
392 #endif /* HITLS_TLS_MAINTAIN_KEYLOG */
393 uint8_t serverLabel[] = "s hs traffic";
394 deriveInfo.label = serverLabel;
395 deriveInfo.labelLen = sizeof(serverLabel) - 1;
396 ret = HS_TLS13DeriveSecret(&deriveInfo, true, ctx->hsCtx->serverHsTrafficSecret, hashLen);
397 #ifdef HITLS_TLS_MAINTAIN_KEYLOG
398 HITLS_LogSecret(ctx, SERVER_HANDSHAKE_LABEL, ctx->hsCtx->serverHsTrafficSecret,
399 deriveInfo.secretLen);
400 #endif /* HITLS_TLS_MAINTAIN_KEYLOG */
401 return ret;
402 }
403
404 /*
405 Derive-Secret(Master Secret, label, ClientHello...ServerHello)
406 */
TLS13DeriveApplicationTrafficSecret(TLS_Ctx * ctx)407 int32_t TLS13DeriveApplicationTrafficSecret(TLS_Ctx *ctx)
408 {
409 uint8_t seed[MAX_DIGEST_SIZE] = {0};
410 uint32_t seedLen = MAX_DIGEST_SIZE;
411 CRYPT_KeyDeriveParameters deriveInfo = {0};
412 int32_t ret;
413 ret = TLS13GetTrafficSecretDeriveInfo(ctx, &deriveInfo, seed, seedLen);
414 if (ret != HITLS_SUCCESS) {
415 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16902, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
416 "GetTrafficSecretDeriveInfo fail", 0, 0, 0, 0);
417 return ret;
418 }
419
420 deriveInfo.secret = ctx->hsCtx->masterKey;
421 uint32_t hashLen = deriveInfo.secretLen;
422 uint8_t clientLabel[] = "c ap traffic";
423 deriveInfo.label = clientLabel;
424 deriveInfo.labelLen = sizeof(clientLabel) - 1;
425 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
426 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
427 ret = HS_TLS13DeriveSecret(&deriveInfo, true, ctx->clientAppTrafficSecret, hashLen);
428 if (ret != HITLS_SUCCESS) {
429 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16903, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
430 "DeriveSecret fail", 0, 0, 0, 0);
431 return ret;
432 }
433 #ifdef HITLS_TLS_MAINTAIN_KEYLOG
434 HITLS_LogSecret(ctx, CLIENT_APPLICATION_LABEL, ctx->clientAppTrafficSecret,
435 deriveInfo.secretLen);
436 #endif /* HITLS_TLS_MAINTAIN_KEYLOG */
437 uint8_t serverLabel[] = "s ap traffic";
438 deriveInfo.label = serverLabel;
439 deriveInfo.labelLen = sizeof(serverLabel) - 1;
440 ret = HS_TLS13DeriveSecret(&deriveInfo, true, ctx->serverAppTrafficSecret, hashLen);
441 #ifdef HITLS_TLS_MAINTAIN_KEYLOG
442 HITLS_LogSecret(ctx, SERVER_APPLICATION_LABEL, ctx->serverAppTrafficSecret,
443 deriveInfo.secretLen);
444 #endif /* HITLS_TLS_MAINTAIN_KEYLOG */
445 return ret;
446 }
447
448 /*
449 Derive-Secret(., "res master", ClientHello...client Finished) = resumption_master_secret
450 */
451 #ifdef HITLS_TLS_FEATURE_SESSION
HS_TLS13DeriveResumptionMasterSecret(TLS_Ctx * ctx)452 int32_t HS_TLS13DeriveResumptionMasterSecret(TLS_Ctx *ctx)
453 {
454 uint8_t seed[MAX_DIGEST_SIZE] = {0};
455 uint32_t seedLen = MAX_DIGEST_SIZE;
456 CRYPT_KeyDeriveParameters deriveInfo = {0};
457 int32_t ret;
458
459 ret = TLS13GetTrafficSecretDeriveInfo(ctx, &deriveInfo, seed, seedLen);
460 if (ret != HITLS_SUCCESS) {
461 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16904, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
462 "GetTrafficSecretDeriveInfo fail", 0, 0, 0, 0);
463 return ret;
464 }
465
466 deriveInfo.secret = ctx->hsCtx->masterKey;
467 uint32_t hashLen = deriveInfo.secretLen;
468
469 const uint8_t resLabel[] = "res master";
470 deriveInfo.label = resLabel;
471 deriveInfo.labelLen = sizeof(resLabel) - 1;
472 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
473 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
474 return HS_TLS13DeriveSecret(&deriveInfo, true, ctx->resumptionMasterSecret, hashLen);
475 }
476 #endif /* HITLS_TLS_FEATURE_SESSION */
477
HS_TLS13CalcServerHelloProcessSecret(TLS_Ctx * ctx)478 int32_t HS_TLS13CalcServerHelloProcessSecret(TLS_Ctx *ctx)
479 {
480 PskInfo13 *pskInfo = &ctx->hsCtx->kxCtx->pskInfo13;
481 uint16_t hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
482 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
483 if (hashLen == 0 || hashLen > MAX_DIGEST_SIZE) {
484 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16906, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
485 return HITLS_CRYPT_ERR_DIGEST;
486 }
487 uint8_t zero[MAX_DIGEST_SIZE] = {0};
488 uint8_t *psk = NULL;
489 uint32_t pskLen = 0;
490
491 if (pskInfo->psk != NULL) {
492 psk = pskInfo->psk;
493 pskLen = pskInfo->pskLen;
494 } else {
495 psk = zero;
496 pskLen = hashLen;
497 }
498
499 uint32_t earlySecretLen = hashLen;
500 int32_t ret = HS_TLS13DeriveEarlySecret(LIBCTX_FROM_CTX(ctx), ATTRIBUTE_FROM_CTX(ctx),
501 hashAlg, psk, pskLen, ctx->hsCtx->earlySecret, &earlySecretLen);
502 BSL_SAL_CleanseData(psk, pskLen);
503 if (ret != HITLS_SUCCESS) {
504 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16907, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
505 "DeriveEarlySecret fail", 0, 0, 0, 0);
506 return ret;
507 }
508
509 return TLS13DeriveHandshakeSecret(ctx);
510 }
511
HS_TLS13CalcServerFinishProcessSecret(TLS_Ctx * ctx)512 int32_t HS_TLS13CalcServerFinishProcessSecret(TLS_Ctx *ctx)
513 {
514 int32_t ret;
515 ret = TLS13DeriveMasterSecret(ctx);
516 if (ret != HITLS_SUCCESS) {
517 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16908, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
518 "DeriveMasterSecret fail", 0, 0, 0, 0);
519 return ret;
520 }
521
522 ret = TLS13DeriveApplicationTrafficSecret(ctx);
523 if (ret != HITLS_SUCCESS) {
524 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16909, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
525 "DeriveApplicationTrafficSecret fail", 0, 0, 0, 0);
526 }
527 return ret;
528 }
529
HS_SwitchTrafficKey(TLS_Ctx * ctx,uint8_t * secret,uint32_t secretLen,bool isOut)530 int32_t HS_SwitchTrafficKey(TLS_Ctx *ctx, uint8_t *secret, uint32_t secretLen, bool isOut)
531 {
532 int32_t ret;
533 CipherSuiteInfo *cipherSuiteInfo = &(ctx->negotiatedInfo.cipherSuiteInfo);
534 uint32_t hashLen = SAL_CRYPT_DigestSize(cipherSuiteInfo->hashAlg);
535 if (hashLen == 0) {
536 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16910, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
537 return HITLS_CRYPT_ERR_DIGEST;
538 }
539 REC_SecParameters keyPara = {0};
540 ret = HS_SetInitPendingStateParam(ctx, ctx->isClient, &keyPara);
541 if (ret != HITLS_SUCCESS) {
542 return ret;
543 }
544
545 if (hashLen > sizeof(keyPara.masterSecret)) {
546 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16911, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "hashLen err", 0, 0, 0, 0);
547 BSL_ERR_PUSH_ERROR(HITLS_INTERNAL_EXCEPTION);
548 return HITLS_INTERNAL_EXCEPTION;
549 }
550
551 if (memcpy_s(keyPara.masterSecret, sizeof(keyPara.masterSecret), secret, secretLen) != EOK) {
552 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16912, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
553 BSL_ERR_PUSH_ERROR(HITLS_MEMCPY_FAIL);
554 return HITLS_MEMCPY_FAIL;
555 }
556
557 ret = REC_TLS13InitPendingState(ctx, &keyPara, isOut);
558 (void)memset_s(keyPara.masterSecret, sizeof(keyPara.masterSecret), 0, sizeof(keyPara.masterSecret));
559 if (ret != HITLS_SUCCESS) {
560 return ret;
561 }
562
563 /** enable key specification */
564 return REC_ActivePendingState(ctx, isOut);
565 }
566
567 /*
568 application_traffic_secret_N+1 = HKDF-Expand-Label(application_traffic_secret_N, "traffic upd", "", Hash.length)
569 */
570 #ifdef HITLS_TLS_FEATURE_KEY_UPDATE
HS_TLS13UpdateTrafficSecret(TLS_Ctx * ctx,bool isOut)571 int32_t HS_TLS13UpdateTrafficSecret(TLS_Ctx *ctx, bool isOut)
572 {
573 HITLS_HashAlgo hashAlg = ctx->negotiatedInfo.cipherSuiteInfo.hashAlg;
574 uint32_t hashLen = SAL_CRYPT_DigestSize(hashAlg);
575 if (hashLen == 0) {
576 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16913, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "DigestSize err", 0, 0, 0, 0);
577 return HITLS_CRYPT_ERR_DIGEST;
578 }
579 uint8_t trafficSecret[MAX_DIGEST_SIZE] = {0};
580 uint8_t *trafficSecretPointer = trafficSecret;
581 uint32_t trafficSecretLen = hashLen;
582 uint8_t *baseKey = NULL;
583 uint32_t baseKeyLen = hashLen;
584 if ((ctx->isClient && isOut) || (!ctx->isClient && !isOut)) {
585 baseKey = ctx->clientAppTrafficSecret;
586 } else {
587 baseKey = ctx->serverAppTrafficSecret;
588 }
589
590 uint8_t label[] = "traffic upd";
591 CRYPT_KeyDeriveParameters deriveInfo = {0};
592 deriveInfo.hashAlgo = hashAlg;
593 deriveInfo.secret = baseKey;
594 deriveInfo.secretLen = baseKeyLen;
595 deriveInfo.label = label;
596 deriveInfo.labelLen = sizeof(label) - 1;
597 deriveInfo.seed = NULL;
598 deriveInfo.seedLen = 0;
599 deriveInfo.libCtx = LIBCTX_FROM_CTX(ctx);
600 deriveInfo.attrName = ATTRIBUTE_FROM_CTX(ctx);
601 int32_t ret = SAL_CRYPT_HkdfExpandLabel(&deriveInfo, trafficSecretPointer, trafficSecretLen);
602 if (ret != HITLS_SUCCESS) {
603 BSL_SAL_CleanseData(trafficSecret, MAX_DIGEST_SIZE);
604 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16914, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
605 "HkdfExpandLabel fail", 0, 0, 0, 0);
606 return ret;
607 }
608 ret = memcpy_s(baseKey, baseKeyLen, trafficSecret, trafficSecretLen);
609 BSL_SAL_CleanseData(trafficSecret, MAX_DIGEST_SIZE);
610 if (ret != EOK) {
611 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16915, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN, "memcpy fail", 0, 0, 0, 0);
612 return HITLS_MEMCPY_FAIL;
613 }
614
615 return HS_SwitchTrafficKey(ctx, baseKey, baseKeyLen, isOut);
616 }
617 #endif /* HITLS_TLS_FEATURE_KEY_UPDATE */
618 #endif /* HITLS_TLS_PROTO_TLS13 */