TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 1981cb2972548ffe33953b70a2c65d3730f683b2 / . / library / ssl_tls13_keys.c
blob: 20cca3103158aadb47086595eef31e264276ce41 [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23
24#include "mbedtls/hkdf.h"
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]25#include "mbedtls/ssl_internal.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]26#include "ssl_tls13_keys.h"
27
28#include <stdint.h>
29#include <string.h>
30
31struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
32{
33 /* This seems to work in C, despite the string literal being one
34 * character too long due to the 0-termination. */
35 .finished = "finished",
36 .resumption = "resumption",
37 .traffic_upd = "traffic upd",
Hanno Becker1981cb22020-09-08 10:36:29 +0100[diff] [blame^]38 .exporter = "exporter",
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]39 .key = "key",
40 .iv = "iv",
41 .sn = "sn",
42 .c_hs_traffic = "c hs traffic",
43 .c_ap_traffic = "c ap traffic",
44 .c_e_traffic = "c e traffic",
45 .s_hs_traffic = "s hs traffic",
46 .s_ap_traffic = "s ap traffic",
47 .s_e_traffic = "s e traffic",
48 .exp_master = "exp master",
49 .res_master = "res master",
50 .ext_binder = "ext binder",
51 .res_binder = "res binder",
52 .derived = "derived"
53};
54
55/*
56 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
57 *
58 * The HkdfLabel is specified in RFC 8446 as follows:
59 *
60 * struct HkdfLabel {
61 * uint16 length; // Length of expanded key material
62 * opaque label<7..255>; // Always prefixed by "tls13 "
63 * opaque context<0..255>; // Usually a communication transcript hash
64 * };
65 *
66 * Parameters:
67 * - desired_length: Length of expanded key material
68 * Even though the standard allows expansion to up to
69 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
70 * 255 Bytes, so we require `desired_length` to be at most
71 * 255. This allows us to save a few Bytes of code by
72 * hardcoding the writing of the high bytes.
73 * - (label, llen): label + label length, without "tls13 " prefix
74 * The label length MUST be
75 * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
76 * It is the caller's responsiblity to ensure this.
77 * - (ctx, clen): context + context length
78 * The context length MUST be
79 * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
80 * It is the caller's responsiblity to ensure this.
81 * - dst: Target buffer for HkdfLabel structure,
82 * This MUST be a writable buffer of size
83 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
84 * - dlen: Pointer at which to store the actual length of
85 * the HkdfLabel structure on success.
86 */
87
88#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
89 ( 2 /* expansion length */ \
90 + 1 /* label length */ \
91 + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \
92 + 1 /* context length */ \
93 + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
94
95static void ssl_tls1_3_hkdf_encode_label(
96 size_t desired_length,
97 const unsigned char *label, size_t llen,
98 const unsigned char *ctx, size_t clen,
99 unsigned char *dst, size_t *dlen )
100{
101 const char label_prefix[6] = { 't', 'l', 's', '1', '3', ' ' };
102 size_t total_label_len = sizeof( label_prefix ) + llen;
103 size_t total_hkdf_lbl_len =
104 2 /* length of expanded key material */
105 + 1 /* label length */
106 + total_label_len /* actual label, incl. prefix */
107 + 1 /* context length */
108 + clen; /* actual context */
109
110 unsigned char *p = dst;
111
112 /* Add total length. */
113 *p++ = 0;
114 *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
115
116 /* Add label incl. prefix */
117 *p++ = (unsigned char)( total_label_len & 0xFF );
118 memcpy( p, label_prefix, sizeof(label_prefix) );
119 p += sizeof(label_prefix);
120 memcpy( p, label, llen );
121 p += llen;
122
123 /* Add context value */
124 *p++ = (unsigned char)( clen & 0xFF );
125 if( ctx != NULL )
126 memcpy( p, ctx, clen );
127
128 /* Return total length to the caller. */
129 *dlen = total_hkdf_lbl_len;
130}
131
132int mbedtls_ssl_tls1_3_hkdf_expand_label(
133 mbedtls_md_type_t hash_alg,
134 const unsigned char *secret, size_t slen,
135 const unsigned char *label, size_t llen,
136 const unsigned char *ctx, size_t clen,
137 unsigned char *buf, size_t blen )
138{
139 const mbedtls_md_info_t *md;
140 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
141 size_t hkdf_label_len;
142
143 if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
144 {
145 /* Should never happen since this is an internal
146 * function, and we know statically which labels
147 * are allowed. */
148 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
149 }
150
151 if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
152 {
153 /* Should not happen, as above. */
154 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
155 }
156
157 if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
158 {
159 /* Should not happen, as above. */
160 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
161 }
162
163 md = mbedtls_md_info_from_type( hash_alg );
164 if( md == NULL )
165 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
166
167 ssl_tls1_3_hkdf_encode_label( blen,
168 label, llen,
169 ctx, clen,
170 hkdf_label,
171 &hkdf_label_len );
172
173 return( mbedtls_hkdf_expand( md,
174 secret, slen,
175 hkdf_label, hkdf_label_len,
176 buf, blen ) );
177}
178
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]179/*
180 * The traffic keying material is generated from the following inputs:
181 *
182 * - One secret value per sender.
183 * - A purpose value indicating the specific value being generated
184 * - The desired lengths of key and IV.
185 *
186 * The expansion itself is based on HKDF:
187 *
188 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
189 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
190 *
191 * [sender] denotes the sending side and the Secret value is provided
192 * by the function caller. Note that we generate server and client side
193 * keys in a single function call.
194 */
195int mbedtls_ssl_tls1_3_make_traffic_keys(
196 mbedtls_md_type_t hash_alg,
197 const unsigned char *client_secret,
198 const unsigned char *server_secret,
199 size_t slen, size_t keyLen, size_t ivLen,
200 mbedtls_ssl_key_set *keys )
201{
202 int ret = 0;
203
204 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
205 client_secret, slen,
206 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
207 NULL, 0,
208 keys->client_write_key, keyLen );
209 if( ret != 0 )
210 return( ret );
211
212 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
213 server_secret, slen,
214 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
215 NULL, 0,
216 keys->server_write_key, keyLen );
217 if( ret != 0 )
218 return( ret );
219
220 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
221 client_secret, slen,
222 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
223 NULL, 0,
224 keys->client_write_iv, ivLen );
225 if( ret != 0 )
226 return( ret );
227
228 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
229 server_secret, slen,
230 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
231 NULL, 0,
232 keys->server_write_iv, ivLen );
233 if( ret != 0 )
234 return( ret );
235
236 keys->keyLen = keyLen;
237 keys->ivLen = ivLen;
238
239 return( 0 );
240}
241
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]242int mbedtls_ssl_tls1_3_derive_secret(
243 mbedtls_md_type_t hash_alg,
244 const unsigned char *secret, size_t slen,
245 const unsigned char *label, size_t llen,
246 const unsigned char *ctx, size_t clen,
247 int context_already_hashed,
248 unsigned char *dstbuf, size_t buflen )
249{
250 int ret;
251 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
252
253 const mbedtls_md_info_t *md;
254 md = mbedtls_md_info_from_type( hash_alg );
255 if( md == NULL )
256 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
257
258 if( context_already_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
259 {
260 ret = mbedtls_md( md, ctx, clen, hashed_context );
261 if( ret != 0 )
262 return( ret );
263 clen = mbedtls_md_get_size( md );
264 }
265 else
266 {
267 /* This should never happen since this function is internal
268 * and the code sets `context_already_hashed` correctly.
269 * Let's double-check nonetheless to not run at the risk
270 * of getting a stack overflow. */
271 if( clen > sizeof(hashed_context) )
272 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
273
274 memcpy( hashed_context, ctx, clen );
275 }
276
277 return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
278 secret, slen,
279 label, llen,
280 hashed_context, clen,
281 dstbuf, buflen ) );
282}
283
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]284int mbedtls_ssl_tls1_3_evolve_secret(
285 mbedtls_md_type_t hash_alg,
286 const unsigned char *secret_old,
287 const unsigned char *input, size_t input_len,
288 unsigned char *secret_new )
289{
290 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
291 size_t hlen, ilen;
292 unsigned char _secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
293 unsigned char _input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
294
295 const mbedtls_md_info_t *md;
296 md = mbedtls_md_info_from_type( hash_alg );
297 if( md == NULL )
298 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
299
300 hlen = mbedtls_md_get_size( md );
301
302 /* For non-initial runs, call Derive-Secret( ., "derived", "")
303 * on the old secreet. */
304 if( secret_old != NULL )
305 {
306 ret = mbedtls_ssl_tls1_3_derive_secret(
307 hash_alg,
308 secret_old, hlen,
309 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
310 NULL, 0, /* context */
311 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
312 _secret, hlen );
313 if( ret != 0 )
314 goto cleanup;
315 }
316
317 if( input != NULL )
318 {
319 memcpy( _input, input, input_len );
320 ilen = input_len;
321 }
322 else
323 {
324 ilen = hlen;
325 }
326
327 /* HKDF-Extract takes a salt and input key material.
328 * The salt is the old secret, and the input key material
329 * is the input secret (PSK / ECDHE). */
330 ret = mbedtls_hkdf_extract( md,
331 _secret, hlen,
332 _input, ilen,
333 secret_new );
334 if( ret != 0 )
335 goto cleanup;
336
337 ret = 0;
338
339 cleanup:
340
341 mbedtls_platform_zeroize( _secret, sizeof(_secret) );
342 mbedtls_platform_zeroize( _input, sizeof(_input) );
343 return( ret );
344}
345
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]346#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */