Implement HKDF expand in TLS 1.3 based on PSA HMAC
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h
new file mode 100644
index 0000000..aa35784
--- /dev/null
+++ b/library/ssl_tls13_invasive.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_SSL_TLS13_INVASIVE_H
+#define MBEDTLS_SSL_TLS13_INVASIVE_H
+
+#include "common.h"
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include "psa/crypto.h"
+#endif
+
+#if defined(MBEDTLS_TEST_HOOKS)
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+/**
+ * \brief Expand the supplied \p prk into several additional pseudorandom
+ * keys, which is the output of the HKDF.
+ *
+ * \param alg The HMAC algorithm to use (\c #PSA_ALG_HMAC( PSA_ALG_XXX )
+ * value such that PSA_ALG_XXX is a hash algorithm and
+ * #PSA_ALG_IS_HMAC(\p alg) is true).
+ * \param prk A pseudorandom key of \p prk_len bytes. \p prk is
+ * usually the output from the HKDF extract step.
+ * \param prk_len The length in bytes of \p prk.
+ * \param info An optional context and application specific information
+ * string. This can be a zero-length string.
+ * \param info_len The length of \p info in bytes.
+ * \param okm The output keying material of \p okm_len bytes.
+ * \param okm_len The length of the output keying material in bytes. This
+ * must be less than or equal to
+ * 255 * #PSA_HASH_LENGTH( \p alg ) bytes.
+ *
+ * \return 0 on success.
+ * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid.
+ * \return An PSA_ERROR_* error for errors returned from the underlying
+ * PSA layer.
+ */
+psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg,
+ const unsigned char *prk, size_t prk_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len );
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+#endif /* MBEDTLS_TEST_HOOKS */
+
+#endif /* MBEDTLS_SSL_TLS13_INVASIVE_H */
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 5615386..33c2d1c 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -30,6 +30,9 @@
#include "ssl_misc.h"
#include "ssl_tls13_keys.h"
+#include "ssl_tls13_invasive.h"
+
+#include "psa/crypto.h"
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
.name = string,
@@ -133,6 +136,125 @@
*dst_len = total_hkdf_lbl_len;
}
+MBEDTLS_STATIC_TESTABLE
+psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg,
+ const unsigned char *prk, size_t prk_len,
+ const unsigned char *info, size_t info_len,
+ unsigned char *okm, size_t okm_len )
+{
+ size_t hash_len;
+ size_t where = 0;
+ size_t n;
+ size_t t_len = 0;
+ size_t i;
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
+ psa_status_t ret = PSA_ERROR_CORRUPTION_DETECTED;
+ unsigned char t[PSA_MAC_MAX_SIZE];
+
+ if( okm == NULL )
+ {
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ hash_len = PSA_HASH_LENGTH( alg );
+
+ if( prk_len < hash_len || hash_len == 0 )
+ {
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ if( info == NULL )
+ {
+ info = (const unsigned char *) "";
+ info_len = 0;
+ }
+
+ n = okm_len / hash_len;
+
+ if( okm_len % hash_len != 0 )
+ {
+ n++;
+ }
+
+ /*
+ * Per RFC 5869 Section 2.3, okm_len must not exceed
+ * 255 times the hash length
+ */
+ if( n > 255 )
+ {
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
+ psa_set_key_algorithm( &attributes, alg );
+ psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
+
+ ret = psa_import_key( &attributes, prk, prk_len, &key );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ memset( t, 0, hash_len );
+
+ /*
+ * Compute T = T(1) | T(2) | T(3) | ... | T(N)
+ * Where T(N) is defined in RFC 5869 Section 2.3
+ */
+ for( i = 1; i <= n; i++ )
+ {
+ size_t num_to_copy;
+ unsigned char c = i & 0xff;
+ size_t len;
+
+ ret = psa_mac_sign_setup( &operation, key, alg );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ ret = psa_mac_update( &operation, t, t_len );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ ret = psa_mac_update( &operation, info, info_len );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ /* The constant concatenated to the end of each T(n) is a single octet.
+ * */
+ ret = psa_mac_update( &operation, &c, 1 );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ ret = psa_mac_sign_finish( &operation, t, PSA_MAC_MAX_SIZE, &len );
+ if( PSA_SUCCESS != ret )
+ {
+ goto cleanup;
+ }
+
+ num_to_copy = i != n ? hash_len : okm_len - where;
+ memcpy( okm + where, t, num_to_copy );
+ where += hash_len;
+ t_len = hash_len;
+ }
+
+cleanup:
+ psa_destroy_key( key );
+ mbedtls_platform_zeroize( t, sizeof( t ) );
+ psa_mac_abort( &operation );
+
+ return( ret );
+}
+
int mbedtls_ssl_tls13_hkdf_expand_label(
mbedtls_md_type_t hash_alg,
const unsigned char *secret, size_t secret_len,