TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ef5235bc2e611cf83457d857b4ea53e99387a518 / . / library / ssl_tls13_keys.c
blob: ce551f6fc935a800c8b4c9e0cc0cd48eedafd0a3 [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23
24#include "mbedtls/hkdf.h"
Chris Jones84a773f2021-03-05 18:38:47 +0000[diff] [blame]25#include "ssl_misc.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]26#include "ssl_tls13_keys.h"
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame^]27#include "mbedtls/debug.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]28
29#include <stdint.h>
30#include <string.h>
31
Hanno Becker1413bd82020-09-09 12:46:09 +0100[diff] [blame]32#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]33 .name = string,
34
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]35struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
36{
37 /* This seems to work in C, despite the string literal being one
38 * character too long due to the 0-termination. */
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]39 MBEDTLS_SSL_TLS1_3_LABEL_LIST
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]40};
41
Hanno Beckera3a5a4e2020-09-08 11:33:48 +0100[diff] [blame]42#undef MBEDTLS_SSL_TLS1_3_LABEL
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]43
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]44/*
45 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
46 *
47 * The HkdfLabel is specified in RFC 8446 as follows:
48 *
49 * struct HkdfLabel {
50 * uint16 length; // Length of expanded key material
51 * opaque label<7..255>; // Always prefixed by "tls13 "
52 * opaque context<0..255>; // Usually a communication transcript hash
53 * };
54 *
55 * Parameters:
56 * - desired_length: Length of expanded key material
57 * Even though the standard allows expansion to up to
58 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
59 * 255 Bytes, so we require `desired_length` to be at most
60 * 255. This allows us to save a few Bytes of code by
61 * hardcoding the writing of the high bytes.
62 * - (label, llen): label + label length, without "tls13 " prefix
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]63 * The label length MUST be less than or equal to
64 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
65 * It is the caller's responsibility to ensure this.
Hanno Becker815869a2020-09-08 11:16:16 +0100[diff] [blame]66 * All (label, label length) pairs used in TLS 1.3
67 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN().
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]68 * - (ctx, clen): context + context length
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]69 * The context length MUST be less than or equal to
70 * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
71 * It is the caller's responsibility to ensure this.
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]72 * - dst: Target buffer for HkdfLabel structure,
73 * This MUST be a writable buffer of size
74 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
75 * - dlen: Pointer at which to store the actual length of
76 * the HkdfLabel structure on success.
77 */
78
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]79static const char tls1_3_label_prefix[6] = "tls13 ";
80
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]81#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]82 ( 2 /* expansion length */ \
83 + 1 /* label length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]84 + label_len \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]85 + 1 /* context length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]86 + context_len )
87
88#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
89 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]90 sizeof(tls1_3_label_prefix) + \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]91 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
92 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]93
94static void ssl_tls1_3_hkdf_encode_label(
95 size_t desired_length,
96 const unsigned char *label, size_t llen,
97 const unsigned char *ctx, size_t clen,
98 unsigned char *dst, size_t *dlen )
99{
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]100 size_t total_label_len =
101 sizeof(tls1_3_label_prefix) + llen;
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]102 size_t total_hkdf_lbl_len =
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]103 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]104
105 unsigned char *p = dst;
106
Hanno Becker531fe302020-09-16 09:45:27 +0100[diff] [blame]107 /* Add the size of the expanded key material.
108 * We're hardcoding the high byte to 0 here assuming that we never use
109 * TLS 1.3 HKDF key expansion to more than 255 Bytes. */
110#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255
111#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \
112 value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN"
113#endif
114
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]115 *p++ = 0;
116 *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
117
118 /* Add label incl. prefix */
119 *p++ = (unsigned char)( total_label_len & 0xFF );
Hanno Becker2dfe1322020-09-10 09:23:12 +0100[diff] [blame]120 memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) );
121 p += sizeof(tls1_3_label_prefix);
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]122 memcpy( p, label, llen );
123 p += llen;
124
125 /* Add context value */
126 *p++ = (unsigned char)( clen & 0xFF );
Hanno Becker00debc72020-09-08 11:12:24 +0100[diff] [blame]127 if( clen != 0 )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]128 memcpy( p, ctx, clen );
129
130 /* Return total length to the caller. */
131 *dlen = total_hkdf_lbl_len;
132}
133
134int mbedtls_ssl_tls1_3_hkdf_expand_label(
135 mbedtls_md_type_t hash_alg,
136 const unsigned char *secret, size_t slen,
137 const unsigned char *label, size_t llen,
138 const unsigned char *ctx, size_t clen,
139 unsigned char *buf, size_t blen )
140{
141 const mbedtls_md_info_t *md;
142 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
143 size_t hkdf_label_len;
144
145 if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
146 {
147 /* Should never happen since this is an internal
148 * function, and we know statically which labels
149 * are allowed. */
150 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
151 }
152
153 if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
154 {
155 /* Should not happen, as above. */
156 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
157 }
158
159 if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
160 {
161 /* Should not happen, as above. */
162 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
163 }
164
165 md = mbedtls_md_info_from_type( hash_alg );
166 if( md == NULL )
167 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
168
169 ssl_tls1_3_hkdf_encode_label( blen,
170 label, llen,
171 ctx, clen,
172 hkdf_label,
173 &hkdf_label_len );
174
175 return( mbedtls_hkdf_expand( md,
176 secret, slen,
177 hkdf_label, hkdf_label_len,
178 buf, blen ) );
179}
180
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]181/*
182 * The traffic keying material is generated from the following inputs:
183 *
184 * - One secret value per sender.
185 * - A purpose value indicating the specific value being generated
186 * - The desired lengths of key and IV.
187 *
188 * The expansion itself is based on HKDF:
189 *
190 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
191 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
192 *
193 * [sender] denotes the sending side and the Secret value is provided
194 * by the function caller. Note that we generate server and client side
195 * keys in a single function call.
196 */
197int mbedtls_ssl_tls1_3_make_traffic_keys(
198 mbedtls_md_type_t hash_alg,
199 const unsigned char *client_secret,
200 const unsigned char *server_secret,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]201 size_t slen, size_t key_len, size_t iv_len,
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]202 mbedtls_ssl_key_set *keys )
203{
204 int ret = 0;
205
206 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
207 client_secret, slen,
208 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
209 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]210 keys->client_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]211 if( ret != 0 )
212 return( ret );
213
214 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
215 server_secret, slen,
216 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
217 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]218 keys->server_write_key, key_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]219 if( ret != 0 )
220 return( ret );
221
222 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
223 client_secret, slen,
224 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
225 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]226 keys->client_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]227 if( ret != 0 )
228 return( ret );
229
230 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
231 server_secret, slen,
232 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
233 NULL, 0,
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]234 keys->server_write_iv, iv_len );
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]235 if( ret != 0 )
236 return( ret );
237
Hanno Becker493ea7f2020-09-08 11:01:00 +0100[diff] [blame]238 keys->key_len = key_len;
239 keys->iv_len = iv_len;
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]240
241 return( 0 );
242}
243
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]244int mbedtls_ssl_tls1_3_derive_secret(
245 mbedtls_md_type_t hash_alg,
246 const unsigned char *secret, size_t slen,
247 const unsigned char *label, size_t llen,
248 const unsigned char *ctx, size_t clen,
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]249 int ctx_hashed,
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]250 unsigned char *dstbuf, size_t buflen )
251{
252 int ret;
253 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
254
255 const mbedtls_md_info_t *md;
256 md = mbedtls_md_info_from_type( hash_alg );
257 if( md == NULL )
258 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
259
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]260 if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]261 {
262 ret = mbedtls_md( md, ctx, clen, hashed_context );
263 if( ret != 0 )
264 return( ret );
265 clen = mbedtls_md_get_size( md );
266 }
267 else
268 {
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]269 if( clen > sizeof(hashed_context) )
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]270 {
271 /* This should never happen since this function is internal
Hanno Becker0c42fd92020-09-09 12:58:29 +0100[diff] [blame]272 * and the code sets `ctx_hashed` correctly.
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]273 * Let's double-check nonetheless to not run at the risk
274 * of getting a stack overflow. */
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]275 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
Hanno Becker97a21562020-09-09 12:57:16 +0100[diff] [blame]276 }
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]277
278 memcpy( hashed_context, ctx, clen );
279 }
280
281 return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
282 secret, slen,
283 label, llen,
284 hashed_context, clen,
285 dstbuf, buflen ) );
286}
287
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]288int mbedtls_ssl_tls1_3_evolve_secret(
289 mbedtls_md_type_t hash_alg,
290 const unsigned char *secret_old,
291 const unsigned char *input, size_t input_len,
292 unsigned char *secret_new )
293{
294 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
295 size_t hlen, ilen;
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]296 unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
297 unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]298
299 const mbedtls_md_info_t *md;
300 md = mbedtls_md_info_from_type( hash_alg );
301 if( md == NULL )
302 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
303
304 hlen = mbedtls_md_get_size( md );
305
306 /* For non-initial runs, call Derive-Secret( ., "derived", "")
Hanno Becker61baae72020-09-16 09:24:14 +0100[diff] [blame]307 * on the old secret. */
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]308 if( secret_old != NULL )
309 {
310 ret = mbedtls_ssl_tls1_3_derive_secret(
311 hash_alg,
312 secret_old, hlen,
313 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
314 NULL, 0, /* context */
315 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]316 tmp_secret, hlen );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]317 if( ret != 0 )
318 goto cleanup;
319 }
320
321 if( input != NULL )
322 {
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]323 memcpy( tmp_input, input, input_len );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]324 ilen = input_len;
325 }
326 else
327 {
328 ilen = hlen;
329 }
330
331 /* HKDF-Extract takes a salt and input key material.
332 * The salt is the old secret, and the input key material
333 * is the input secret (PSK / ECDHE). */
334 ret = mbedtls_hkdf_extract( md,
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]335 tmp_secret, hlen,
336 tmp_input, ilen,
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]337 secret_new );
338 if( ret != 0 )
339 goto cleanup;
340
341 ret = 0;
342
343 cleanup:
344
Hanno Becker59b50a12020-09-09 10:56:56 +0100[diff] [blame]345 mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) );
346 mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) );
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]347 return( ret );
348}
349
Hanno Beckeref5235b2021-05-24 06:39:41 +0100[diff] [blame^]350int mbedtls_ssl_tls1_3_derive_early_secrets(
351 mbedtls_md_type_t md_type,
352 unsigned char const *early_secret,
353 unsigned char const *transcript, size_t transcript_len,
354 mbedtls_ssl_tls1_3_early_secrets *derived )
355{
356 int ret;
357 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
358 size_t const md_size = mbedtls_md_get_size( md_info );
359
360 /* We should never call this function with an unknown hash,
361 * but add an assertion anyway. */
362 if( md_info == 0 )
363 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
364
365 /*
366 * 0
367 * |
368 * v
369 * PSK -> HKDF-Extract = Early Secret
370 * |
371 * +-----> Derive-Secret(., "ext binder" | "res binder", "")
372 * | = binder_key
373 * |
374 * +-----> Derive-Secret(., "c e traffic", ClientHello)
375 * | = client_early_traffic_secret
376 * |
377 * +-----> Derive-Secret(., "e exp master", ClientHello)
378 * | = early_exporter_master_secret
379 * v
380 */
381
382 /* Create client_early_traffic_secret */
383 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
384 early_secret, md_size,
385 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_e_traffic ),
386 transcript, transcript_len,
387 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
388 derived->client_early_traffic_secret,
389 md_size );
390 if( ret != 0 )
391 return( ret );
392
393 /* Create early exporter */
394 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
395 early_secret, md_size,
396 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( e_exp_master ),
397 transcript, transcript_len,
398 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
399 derived->early_exporter_master_secret,
400 md_size );
401 if( ret != 0 )
402 return( ret );
403
404 return( 0 );
405}
406
407int mbedtls_ssl_tls1_3_derive_handshake_secrets(
408 mbedtls_md_type_t md_type,
409 unsigned char const *handshake_secret,
410 unsigned char const *transcript, size_t transcript_len,
411 mbedtls_ssl_tls1_3_handshake_secrets *derived )
412{
413 int ret;
414 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
415 size_t const md_size = mbedtls_md_get_size( md_info );
416
417 /* We should never call this function with an unknown hash,
418 * but add an assertion anyway. */
419 if( md_info == 0 )
420 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
421
422 /*
423 *
424 * Handshake Secret
425 * |
426 * +-----> Derive-Secret( ., "c hs traffic",
427 * | ClientHello...ServerHello )
428 * | = client_handshake_traffic_secret
429 * |
430 * +-----> Derive-Secret( ., "s hs traffic",
431 * | ClientHello...ServerHello )
432 * | = server_handshake_traffic_secret
433 *
434 */
435
436 /*
437 * Compute client_handshake_traffic_secret with
438 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
439 */
440
441 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
442 handshake_secret, md_size,
443 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_hs_traffic ),
444 transcript, transcript_len,
445 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
446 derived->client_handshake_traffic_secret,
447 md_size );
448 if( ret != 0 )
449 return( ret );
450
451 /*
452 * Compute server_handshake_traffic_secret with
453 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
454 */
455
456 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
457 handshake_secret, md_size,
458 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_hs_traffic ),
459 transcript, transcript_len,
460 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
461 derived->server_handshake_traffic_secret,
462 md_size );
463 if( ret != 0 )
464 return( ret );
465
466 return( 0 );
467}
468
469int mbedtls_ssl_tls1_3_derive_application_secrets(
470 mbedtls_md_type_t md_type,
471 unsigned char const *application_secret,
472 unsigned char const *transcript, size_t transcript_len,
473 mbedtls_ssl_tls1_3_application_secrets *derived )
474{
475 int ret;
476 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
477 size_t const md_size = mbedtls_md_get_size( md_info );
478
479 /* We should never call this function with an unknown hash,
480 * but add an assertion anyway. */
481 if( md_info == 0 )
482 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
483
484 /* Generate {client,server}_application_traffic_secret_0
485 *
486 * Master Secret
487 * |
488 * +-----> Derive-Secret( ., "c ap traffic",
489 * | ClientHello...server Finished )
490 * | = client_application_traffic_secret_0
491 * |
492 * +-----> Derive-Secret( ., "s ap traffic",
493 * | ClientHello...Server Finished )
494 * | = server_application_traffic_secret_0
495 * |
496 * +-----> Derive-Secret( ., "exp master",
497 * | ClientHello...server Finished)
498 * | = exporter_master_secret
499 *
500 */
501
502 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
503 application_secret, md_size,
504 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( c_ap_traffic ),
505 transcript, transcript_len,
506 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
507 derived->client_application_traffic_secret_N,
508 md_size );
509 if( ret != 0 )
510 return( ret );
511
512 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
513 application_secret, md_size,
514 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( s_ap_traffic ),
515 transcript, transcript_len,
516 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
517 derived->server_application_traffic_secret_N,
518 md_size );
519 if( ret != 0 )
520 return( ret );
521
522 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
523 application_secret, md_size,
524 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( exp_master ),
525 transcript, transcript_len,
526 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
527 derived->exporter_master_secret,
528 md_size );
529 if( ret != 0 )
530 return( ret );
531
532 return( 0 );
533}
534
535/* Generate resumption_master_secret for use with the ticket exchange.
536 *
537 * This is not integrated with mbedtls_ssl_tls1_3_derive_application_secrets()
538 * because it uses the transcript hash up to and including ClientFinished. */
539int mbedtls_ssl_tls1_3_derive_resumption_master_secret(
540 mbedtls_md_type_t md_type,
541 unsigned char const *application_secret,
542 unsigned char const *transcript, size_t transcript_len,
543 mbedtls_ssl_tls1_3_application_secrets *derived )
544{
545 int ret;
546 mbedtls_md_info_t const * const md_info = mbedtls_md_info_from_type( md_type );
547 size_t const md_size = mbedtls_md_get_size( md_info );
548
549 /* We should never call this function with an unknown hash,
550 * but add an assertion anyway. */
551 if( md_info == 0 )
552 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
553
554 ret = mbedtls_ssl_tls1_3_derive_secret( md_type,
555 application_secret, md_size,
556 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( res_master ),
557 transcript, transcript_len,
558 MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
559 derived->resumption_master_secret,
560 md_size );
561
562 if( ret != 0 )
563 return( ret );
564
565 return( 0 );
566}
567
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]568#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */