From 61e35e0047271167720935ecf458778c1bd9ffae Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 16 Sep 2021 18:59:08 +0800 Subject: [PATCH] tls13: add generate handshake keys Signed-off-by: Jerry Yu --- library/ssl_misc.h | 23 ++++++++ library/ssl_tls13_keys.c | 117 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 36 +++++------- 3 files changed, 155 insertions(+), 21 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 9041c51d2c..b801499ca1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -508,6 +508,27 @@ struct mbedtls_ssl_key_set }; typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; +typedef struct +{ + unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_early_secrets; + +typedef struct +{ + unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_handshake_secrets; + +typedef struct +{ + unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; + unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; + unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; +} mbedtls_ssl_tls1_3_application_secrets; + /* * This structure contains the parameters only needed during handshake. */ @@ -715,6 +736,8 @@ struct mbedtls_ssl_handshake_params unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE]; } tls1_3_master_secrets; + + mbedtls_ssl_tls1_3_handshake_secrets tls1_3_hs_secrets; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index b07c1c3b9e..a20fa51507 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -846,4 +846,121 @@ int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ) return( 0 ); } +/* mbedtls_ssl_tls1_3_generate_handshake_keys() generates keys necessary for + * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ +int mbedtls_ssl_tls1_3_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_md_type_t md_type; + mbedtls_md_info_t const *md_info; + size_t md_size; + + unsigned char transcript[MBEDTLS_MD_MAX_SIZE]; + size_t transcript_len; + + mbedtls_cipher_info_t const *cipher_info; + size_t keylen, ivlen; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls1_3_generate_handshake_keys" ) ); + + cipher_info = mbedtls_cipher_info_from_type( + ssl->handshake->ciphersuite_info->cipher ); + keylen = cipher_info->key_bitlen >> 3; + ivlen = cipher_info->iv_size; + + md_type = ssl->handshake->ciphersuite_info->mac; + md_info = mbedtls_md_info_from_type( md_type ); + md_size = mbedtls_md_get_size( md_info ); + + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, + sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_get_handshake_transcript", + ret ); + return( ret ); + } + + ret = mbedtls_ssl_tls1_3_derive_handshake_secrets( md_type, + ssl->handshake->tls1_3_master_secrets.handshake, + transcript, transcript_len, + &ssl->handshake->tls1_3_hs_secrets ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_derive_handshake_secrets", + ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "Client handshake traffic secret", + ssl->handshake->tls1_3_hs_secrets.client_handshake_traffic_secret, + md_size ); + + MBEDTLS_SSL_DEBUG_BUF( 4, "Server handshake traffic secret", + ssl->handshake->tls1_3_hs_secrets.server_handshake_traffic_secret, + md_size ); + + /* + * Export client handshake traffic secret + */ +#if defined(MBEDTLS_SSL_EXPORT_KEYS) + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS13_CLIENT_HANDSHAKE_TRAFFIC_SECRET, + ssl->handshake->tls1_3_hs_secrets.client_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS13_SERVER_HANDSHAKE_TRAFFIC_SECRET, + ssl->handshake->tls1_3_hs_secrets.server_handshake_traffic_secret, + md_size, + ssl->handshake->randbytes + 32, + ssl->handshake->randbytes, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } +#endif /* MBEDTLS_SSL_EXPORT_KEYS */ + + ret = mbedtls_ssl_tls1_3_make_traffic_keys( md_type, + ssl->handshake->tls1_3_hs_secrets.client_handshake_traffic_secret, + ssl->handshake->tls1_3_hs_secrets.server_handshake_traffic_secret, + md_size, + keylen, ivlen, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls1_3_make_traffic_keys", ret ); + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_key", + traffic_keys->server_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "client_handshake write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_BUF( 4, "server_handshake write_iv", + traffic_keys->server_write_iv, + traffic_keys->iv_len); + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_tls1_3_generate_handshake_keys" ) ); + +exit: + + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 866aae9117..602d06def4 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -70,27 +70,6 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ MBEDTLS_MD_MAX_SIZE -typedef struct -{ - unsigned char binder_key [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_early_secrets; - -typedef struct -{ - unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_handshake_secrets; - -typedef struct -{ - unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ]; - unsigned char exporter_master_secret [ MBEDTLS_MD_MAX_SIZE ]; - unsigned char resumption_master_secret [ MBEDTLS_MD_MAX_SIZE ]; -} mbedtls_ssl_tls1_3_application_secrets; - /* Maximum desired length for expanded key material generated * by HKDF-Expand-Label. * @@ -553,4 +532,19 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, */ int mbedtls_ssl_tls1_3_key_schedule_stage_early( mbedtls_ssl_context *ssl ); +/** + * \brief Compute TLS 1.3 handshake traffic keys. + * + * \param ssl The SSL context to operate on. This must be in + * key schedule stage \c Handshake, see + * mbedtls_ssl_tls13_key_schedule_stage_handshake(). + * \param traffic_keys The address at which to store the handshake traffic key + * keys. This must be writable but may be uninitialized. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ +int mbedtls_ssl_tls1_3_generate_handshake_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ); + #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */