TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / fb08096b9b477a461d0c81d7a35455d86a0ec723 / . / library / ssl_tls13_keys.c
blob: 76c939846ff68d1674a1ec125db164b8a8bd3c53 [file] [log] [blame]
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]1/*
2 * TLS 1.3 key schedule
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19
Hanno Becker58c5cea2020-09-08 10:31:33 +0100[diff] [blame]20#include "common.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]21
22#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
23
24#include "mbedtls/hkdf.h"
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]25#include "mbedtls/ssl_internal.h"
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]26#include "ssl_tls13_keys.h"
27
28#include <stdint.h>
29#include <string.h>
30
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]31#define LABEL( name, string ) \
32 .name = string,
33
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]34struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels =
35{
36 /* This seems to work in C, despite the string literal being one
37 * character too long due to the 0-termination. */
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]38 MBEDTLS_SSL_TLS1_3_LABEL_LIST
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]39};
40
Hanno Beckere4435ea2020-09-08 10:43:52 +0100[diff] [blame]41#undef LABEL
42
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]43/*
44 * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule.
45 *
46 * The HkdfLabel is specified in RFC 8446 as follows:
47 *
48 * struct HkdfLabel {
49 * uint16 length; // Length of expanded key material
50 * opaque label<7..255>; // Always prefixed by "tls13 "
51 * opaque context<0..255>; // Usually a communication transcript hash
52 * };
53 *
54 * Parameters:
55 * - desired_length: Length of expanded key material
56 * Even though the standard allows expansion to up to
57 * 2**16 Bytes, TLS 1.3 never uses expansion to more than
58 * 255 Bytes, so we require `desired_length` to be at most
59 * 255. This allows us to save a few Bytes of code by
60 * hardcoding the writing of the high bytes.
61 * - (label, llen): label + label length, without "tls13 " prefix
62 * The label length MUST be
63 * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN
64 * It is the caller's responsiblity to ensure this.
65 * - (ctx, clen): context + context length
66 * The context length MUST be
67 * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN
68 * It is the caller's responsiblity to ensure this.
69 * - dst: Target buffer for HkdfLabel structure,
70 * This MUST be a writable buffer of size
71 * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes.
72 * - dlen: Pointer at which to store the actual length of
73 * the HkdfLabel structure on success.
74 */
75
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]76#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]77 ( 2 /* expansion length */ \
78 + 1 /* label length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]79 + label_len \
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]80 + 1 /* context length */ \
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]81 + context_len )
82
83#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \
84 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \
85 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \
86 MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]87
88static void ssl_tls1_3_hkdf_encode_label(
89 size_t desired_length,
90 const unsigned char *label, size_t llen,
91 const unsigned char *ctx, size_t clen,
92 unsigned char *dst, size_t *dlen )
93{
Hanno Becker939bb4d2020-09-08 10:48:55 +0100[diff] [blame]94 const char label_prefix[6] = "tls13 ";
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]95 size_t total_label_len = sizeof( label_prefix ) + llen;
96 size_t total_hkdf_lbl_len =
Hanno Becker9cb0a142020-09-08 10:48:14 +0100[diff] [blame]97 SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen );
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]98
99 unsigned char *p = dst;
100
101 /* Add total length. */
102 *p++ = 0;
103 *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );
104
105 /* Add label incl. prefix */
106 *p++ = (unsigned char)( total_label_len & 0xFF );
107 memcpy( p, label_prefix, sizeof(label_prefix) );
108 p += sizeof(label_prefix);
109 memcpy( p, label, llen );
110 p += llen;
111
112 /* Add context value */
113 *p++ = (unsigned char)( clen & 0xFF );
114 if( ctx != NULL )
115 memcpy( p, ctx, clen );
116
117 /* Return total length to the caller. */
118 *dlen = total_hkdf_lbl_len;
119}
120
121int mbedtls_ssl_tls1_3_hkdf_expand_label(
122 mbedtls_md_type_t hash_alg,
123 const unsigned char *secret, size_t slen,
124 const unsigned char *label, size_t llen,
125 const unsigned char *ctx, size_t clen,
126 unsigned char *buf, size_t blen )
127{
128 const mbedtls_md_info_t *md;
129 unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ];
130 size_t hkdf_label_len;
131
132 if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN )
133 {
134 /* Should never happen since this is an internal
135 * function, and we know statically which labels
136 * are allowed. */
137 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
138 }
139
140 if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN )
141 {
142 /* Should not happen, as above. */
143 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
144 }
145
146 if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN )
147 {
148 /* Should not happen, as above. */
149 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
150 }
151
152 md = mbedtls_md_info_from_type( hash_alg );
153 if( md == NULL )
154 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
155
156 ssl_tls1_3_hkdf_encode_label( blen,
157 label, llen,
158 ctx, clen,
159 hkdf_label,
160 &hkdf_label_len );
161
162 return( mbedtls_hkdf_expand( md,
163 secret, slen,
164 hkdf_label, hkdf_label_len,
165 buf, blen ) );
166}
167
Hanno Becker3385a4d2020-08-21 13:03:34 +0100[diff] [blame]168/*
169 * The traffic keying material is generated from the following inputs:
170 *
171 * - One secret value per sender.
172 * - A purpose value indicating the specific value being generated
173 * - The desired lengths of key and IV.
174 *
175 * The expansion itself is based on HKDF:
176 *
177 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
178 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
179 *
180 * [sender] denotes the sending side and the Secret value is provided
181 * by the function caller. Note that we generate server and client side
182 * keys in a single function call.
183 */
184int mbedtls_ssl_tls1_3_make_traffic_keys(
185 mbedtls_md_type_t hash_alg,
186 const unsigned char *client_secret,
187 const unsigned char *server_secret,
188 size_t slen, size_t keyLen, size_t ivLen,
189 mbedtls_ssl_key_set *keys )
190{
191 int ret = 0;
192
193 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
194 client_secret, slen,
195 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
196 NULL, 0,
197 keys->client_write_key, keyLen );
198 if( ret != 0 )
199 return( ret );
200
201 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
202 server_secret, slen,
203 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
204 NULL, 0,
205 keys->server_write_key, keyLen );
206 if( ret != 0 )
207 return( ret );
208
209 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
210 client_secret, slen,
211 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
212 NULL, 0,
213 keys->client_write_iv, ivLen );
214 if( ret != 0 )
215 return( ret );
216
217 ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
218 server_secret, slen,
219 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
220 NULL, 0,
221 keys->server_write_iv, ivLen );
222 if( ret != 0 )
223 return( ret );
224
225 keys->keyLen = keyLen;
226 keys->ivLen = ivLen;
227
228 return( 0 );
229}
230
Hanno Beckerb35d5222020-08-21 13:27:44 +0100[diff] [blame]231int mbedtls_ssl_tls1_3_derive_secret(
232 mbedtls_md_type_t hash_alg,
233 const unsigned char *secret, size_t slen,
234 const unsigned char *label, size_t llen,
235 const unsigned char *ctx, size_t clen,
236 int context_already_hashed,
237 unsigned char *dstbuf, size_t buflen )
238{
239 int ret;
240 unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ];
241
242 const mbedtls_md_info_t *md;
243 md = mbedtls_md_info_from_type( hash_alg );
244 if( md == NULL )
245 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
246
247 if( context_already_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED )
248 {
249 ret = mbedtls_md( md, ctx, clen, hashed_context );
250 if( ret != 0 )
251 return( ret );
252 clen = mbedtls_md_get_size( md );
253 }
254 else
255 {
256 /* This should never happen since this function is internal
257 * and the code sets `context_already_hashed` correctly.
258 * Let's double-check nonetheless to not run at the risk
259 * of getting a stack overflow. */
260 if( clen > sizeof(hashed_context) )
261 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
262
263 memcpy( hashed_context, ctx, clen );
264 }
265
266 return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg,
267 secret, slen,
268 label, llen,
269 hashed_context, clen,
270 dstbuf, buflen ) );
271}
272
Hanno Beckere9cccb42020-08-20 13:42:46 +0100[diff] [blame]273int mbedtls_ssl_tls1_3_evolve_secret(
274 mbedtls_md_type_t hash_alg,
275 const unsigned char *secret_old,
276 const unsigned char *input, size_t input_len,
277 unsigned char *secret_new )
278{
279 int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
280 size_t hlen, ilen;
281 unsigned char _secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 };
282 unsigned char _input [ MBEDTLS_MD_MAX_SIZE ] = { 0 };
283
284 const mbedtls_md_info_t *md;
285 md = mbedtls_md_info_from_type( hash_alg );
286 if( md == NULL )
287 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
288
289 hlen = mbedtls_md_get_size( md );
290
291 /* For non-initial runs, call Derive-Secret( ., "derived", "")
292 * on the old secreet. */
293 if( secret_old != NULL )
294 {
295 ret = mbedtls_ssl_tls1_3_derive_secret(
296 hash_alg,
297 secret_old, hlen,
298 MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ),
299 NULL, 0, /* context */
300 MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
301 _secret, hlen );
302 if( ret != 0 )
303 goto cleanup;
304 }
305
306 if( input != NULL )
307 {
308 memcpy( _input, input, input_len );
309 ilen = input_len;
310 }
311 else
312 {
313 ilen = hlen;
314 }
315
316 /* HKDF-Extract takes a salt and input key material.
317 * The salt is the old secret, and the input key material
318 * is the input secret (PSK / ECDHE). */
319 ret = mbedtls_hkdf_extract( md,
320 _secret, hlen,
321 _input, ilen,
322 secret_new );
323 if( ret != 0 )
324 goto cleanup;
325
326 ret = 0;
327
328 cleanup:
329
330 mbedtls_platform_zeroize( _secret, sizeof(_secret) );
331 mbedtls_platform_zeroize( _input, sizeof(_input) );
332 return( ret );
333}
334
Hanno Beckerbe9d6642020-08-21 13:20:06 +0100[diff] [blame]335#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */