/*
 *  TLS 1.3 key schedule
 *
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 ( the "License" ); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 */
19#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
20#define MBEDTLS_SSL_TLS1_3_KEYS_H
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
Hanno Beckera3a5a4e2020-09-08 11:33:48 +010024/* This requires MBEDTLS_SSL_TLS1_3_LABEL( name, string ) to be defined at
25 * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union
26 * below. */
Hanno Beckere4435ea2020-09-08 10:43:52 +010027#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \
Hanno Beckera3a5a4e2020-09-08 11:33:48 +010028 MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \
29 MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \
30 MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \
31 MBEDTLS_SSL_TLS1_3_LABEL( export , "exporter" ) \
32 MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \
33 MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \
34 MBEDTLS_SSL_TLS1_3_LABEL( sn , "sn" ) \
35 MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \
36 MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \
37 MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \
38 MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \
39 MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \
40 MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \
41 MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \
42 MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \
43 MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \
44 MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \
45 MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" )
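/* Turn every entry of MBEDTLS_SSL_TLS1_3_LABEL_LIST into a byte-array member.
 * The array is sized sizeof(string) - 1, i.e. the label WITHOUT its
 * terminating NUL: these members are raw byte strings and must always be
 * used together with their length, never with NUL-terminated string
 * functions. */
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
    const unsigned char name    [ sizeof(string) - 1 ];

/* All labels overlaid in one union. It is used further down only through
 * sizeof, to obtain the length of the longest label. */
union mbedtls_ssl_tls1_3_labels_union
{
    MBEDTLS_SSL_TLS1_3_LABEL_LIST
};

/* All labels side by side, one member per label. This is the type of the
 * mbedtls_ssl_tls1_3_labels table declared below. */
struct mbedtls_ssl_tls1_3_labels_struct
{
    MBEDTLS_SSL_TLS1_3_LABEL_LIST
};

/* The helper is only meaningful for the two definitions above; drop it so a
 * later user of the list must supply its own expansion. */
#undef MBEDTLS_SSL_TLS1_3_LABEL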
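/* The table of TLS 1.3 labels. This is a declaration only; no definition is
 * visible in this header. */
extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels;

/* Expands to TWO comma-separated expressions: the label bytes and their
 * length. It is therefore only usable where a (pointer, length) argument
 * pair is expected, e.g. the label/llen parameters of the functions below.
 * The length is taken with sizeof from the array member itself, so it cannot
 * drift away from the label it describes. */
#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL )  \
    mbedtls_ssl_tls1_3_labels.LABEL,              \
    sizeof(mbedtls_ssl_tls1_3_labels.LABEL)

/* Upper bound for the length of any label in MBEDTLS_SSL_TLS1_3_LABEL_LIST:
 * the union overlays all label arrays, so it is at least as large as the
 * longest of them. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN  \
    sizeof( union mbedtls_ssl_tls1_3_labels_union )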
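/* The maximum length of HKDF contexts used in the TLS 1.3 standard.
 * Since contexts are always hashes of message transcripts, this can
 * be approximated from above by the maximum hash size. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN  \
    MBEDTLS_MD_MAX_SIZE

/* Maximum desired length for expanded key material generated
 * by HKDF-Expand-Label.
 *
 * NOTE(review): presumably requests for more output than this are rejected
 * by mbedtls_ssl_tls1_3_hkdf_expand_label() rather than truncated; confirm
 * against the implementation before raising the value. */
#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255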
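/**
 * \brief           The \c HKDF-Expand-Label function from
 *                  the TLS 1.3 standard RFC 8446.
 *
 * <tt>
 *                  HKDF-Expand-Label( Secret, Label, Context, Length ) =
 *                       HKDF-Expand( Secret, HkdfLabel, Length )
 * </tt>
 *
 * \param hash_alg  The identifier for the hash algorithm to use.
 * \param secret    The \c Secret argument to \c HKDF-Expand-Label.
 *                  This must be a readable buffer of length \p slen Bytes.
 * \param slen      The length of \p secret in Bytes.
 * \param label     The \c Label argument to \c HKDF-Expand-Label.
 *                  This must be a readable buffer of length \p llen Bytes.
 * \param llen      The length of \p label in Bytes.
 * \param ctx       The \c Context argument to \c HKDF-Expand-Label.
 *                  This must be a readable buffer of length \p clen Bytes.
 * \param clen      The length of \p ctx in Bytes.
 * \param buf       The destination buffer to hold the expanded secret.
 *                  This must be a writable buffer of length \p blen Bytes.
 * \param blen      The desired size of the expanded secret in Bytes.
 *
 * \note            NOTE(review): \p llen, \p clen and \p blen are presumably
 *                  bounded by #MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN,
 *                  #MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN and
 *                  #MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN
 *                  respectively; confirm that larger values are rejected.
 * \note            \p buf receives secret key material. Callers should check
 *                  the return value before using it and wipe the buffer once
 *                  it is no longer needed.
 *
 * \returns         \c 0 on success.
 * \returns         A negative error code on failure.
 */
int mbedtls_ssl_tls1_3_hkdf_expand_label(
                     mbedtls_md_type_t hash_alg,
                     const unsigned char *secret, size_t slen,
                     const unsigned char *label, size_t llen,
                     const unsigned char *ctx, size_t clen,
                     unsigned char *buf, size_t blen );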
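/**
 * \brief           This function is part of the TLS 1.3 key schedule.
 *                  It extracts key and IV for the actual client/server traffic
 *                  from the client/server traffic secrets.
 *
 * From RFC 8446:
 *
 * <tt>
 *   [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
 *   [sender]_write_iv  = HKDF-Expand-Label(Secret, "iv", "", iv_length)
 * </tt>
 *
 * \param hash_alg      The identifier for the hash algorithm to be used
 *                      for the HKDF-based expansion of the secret.
 * \param client_secret The client traffic secret.
 *                      This must be a readable buffer of size \p slen Bytes.
 * \param server_secret The server traffic secret.
 *                      This must be a readable buffer of size \p slen Bytes.
 * \param slen          Length of the secrets \p client_secret and
 *                      \p server_secret in Bytes.
 * \param key_len       The desired length of the key to be extracted in Bytes.
 * \param iv_len        The desired length of the IV to be extracted in Bytes.
 * \param keys          The address of the structure holding the generated
 *                      keys and IVs.
 *
 * \note            NOTE(review): the layout of \c mbedtls_ssl_key_set is not
 *                  visible in this header; \p key_len and \p iv_len
 *                  presumably must fit the fields of that structure - confirm
 *                  that the implementation checks this.
 * \note            \p keys receives secret key material. Callers should check
 *                  the return value before using it and wipe the structure
 *                  once it is no longer needed.
 *
 * \returns             \c 0 on success.
 * \returns             A negative error code on failure.
 */
int mbedtls_ssl_tls1_3_make_traffic_keys(
                     mbedtls_md_type_t hash_alg,
                     const unsigned char *client_secret,
                     const unsigned char *server_secret,
                     size_t slen, size_t key_len, size_t iv_len,
                     mbedtls_ssl_key_set *keys );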
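/* Intended values for the \c context_already_hashed argument of
 * mbedtls_ssl_tls1_3_derive_secret(). They are defined ahead of the
 * function's documentation so that the Doxygen block below attaches to the
 * function and not to these macros. */
#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED   1

/**
 * \brief          The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
 *
 * <tt>
 *   Derive-Secret( Secret, Label, Messages ) =
 *      HKDF-Expand-Label( Secret, Label,
 *                         Hash( Messages ),
 *                         Hash.Length ) )
 * </tt>
 *
 * Note: With #MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, \p ctx is taken to be the
 * already hashed value of \c Messages and the Derive-Secret function does
 * not need to hash it again.
 * NOTE(review): with #MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED the function
 * presumably hashes \p ctx itself before the expansion; confirm against the
 * implementation. Passing the wrong flag would derive a different secret
 * without reporting an error, so callers should always use the named
 * constants.
 *
 * \param hash_alg The identifier for the hash function used for the
 *                 applications of HKDF.
 * \param secret   The \c Secret argument to the \c Derive-Secret function.
 *                 This must be a readable buffer of length \p slen Bytes.
 * \param slen     The length of \p secret in Bytes.
 * \param label    The \c Label argument to the \c Derive-Secret function.
 *                 This must be a readable buffer of length \p llen Bytes.
 * \param llen     The length of \p label in Bytes.
 * \param ctx      The \c Messages argument to the \c Derive-Secret function,
 *                 or its hash, as indicated by \p context_already_hashed.
 *                 This must be a readable buffer of length \p clen Bytes.
 * \param clen     The length of \p ctx in Bytes.
 * \param context_already_hashed
 *                 Either #MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED or
 *                 #MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, stating whether
 *                 \p ctx already holds the hash of \c Messages.
 * \param dstbuf   The target buffer to write the output of \c Derive-Secret to.
 *                 This must be a writable buffer of size \p buflen Bytes.
 * \param buflen   The length of \p dstbuf in Bytes.
 *
 * \returns        \c 0 on success.
 * \returns        A negative error code on failure.
 */
int mbedtls_ssl_tls1_3_derive_secret(
                   mbedtls_md_type_t hash_alg,
                   const unsigned char *secret, size_t slen,
                   const unsigned char *label, size_t llen,
                   const unsigned char *ctx, size_t clen,
                   int context_already_hashed,
                   unsigned char *dstbuf, size_t buflen );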
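/**
 * \brief    Compute the next secret in the TLS 1.3 key schedule
 *
 * The TLS 1.3 key schedule proceeds as follows to compute
 * the three main secrets during the handshake: The early
 * secret for early data, the handshake secret for all
 * other encrypted handshake messages, and the master
 * secret for all application traffic.
 *
 * <tt>
 *                    0
 *                    |
 *                    v
 *     PSK ->  HKDF-Extract = Early Secret
 *                    |
 *                    v
 *     Derive-Secret( ., "derived", "" )
 *                    |
 *                    v
 *  (EC)DHE -> HKDF-Extract = Handshake Secret
 *                    |
 *                    v
 *     Derive-Secret( ., "derived", "" )
 *                    |
 *                    v
 *     0 -> HKDF-Extract = Master Secret
 * </tt>
 *
 * Each of the three secrets in turn is the basis for further
 * key derivations, such as the derivation of traffic keys and IVs;
 * see e.g. mbedtls_ssl_tls1_3_make_traffic_keys().
 *
 * This function implements one step in this evolution of secrets:
 *
 * <tt>
 *                old_secret
 *                    |
 *                    v
 *     Derive-Secret( ., "derived", "" )
 *                    |
 *                    v
 *     input ->  HKDF-Extract = new_secret
 * </tt>
 *
 * \param hash_alg    The identifier for the hash function used for the
 *                    applications of HKDF.
 * \param secret_old  The address of the buffer holding the old secret
 *                    on function entry. If not \c NULL, this must be a
 *                    readable buffer whose size matches the output size
 *                    of the hash function represented by \p hash_alg.
 *                    If \c NULL, an all \c 0 array will be used instead.
 * \param input       The address of the buffer holding the additional
 *                    input for the key derivation (e.g., the PSK or the
 *                    ephemeral (EC)DH secret). If not \c NULL, this must be
 *                    a readable buffer of size \p input_len Bytes.
 *                    If \c NULL, an all \c 0 array will be used instead.
 * \param input_len   The length of \p input in Bytes.
 * \param secret_new  The address of the buffer holding the new secret
 *                    on function exit. This must be a writable buffer
 *                    whose size matches the output size of the hash
 *                    function represented by \p hash_alg.
 *                    This may be the same as \p secret_old.
 *
 * \note              Neither \p secret_old nor \p secret_new comes with a
 *                    length argument, so the function cannot check their
 *                    sizes from its parameters: the caller is responsible
 *                    for providing buffers that match the output size of
 *                    \p hash_alg.
 * \note              \p secret_new receives secret key material. Callers
 *                    should check the return value before using it and wipe
 *                    superseded secrets once they are no longer needed.
 *
 * \returns           \c 0 on success.
 * \returns           A negative error code on failure.
 */
int mbedtls_ssl_tls1_3_evolve_secret(
                   mbedtls_md_type_t hash_alg,
                   const unsigned char *secret_old,
                   const unsigned char *input, size_t input_len,
                   unsigned char *secret_new );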
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100267#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
269#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */