diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h new file mode 100644 index 0000000000..aa35784010 --- /dev/null +++ b/library/ssl_tls13_invasive.h @@ -0,0 +1,63 @@ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_SSL_TLS13_INVASIVE_H +#define MBEDTLS_SSL_TLS13_INVASIVE_H + +#include "common.h" + +#if defined(MBEDTLS_PSA_CRYPTO_C) +#include "psa/crypto.h" +#endif + +#if defined(MBEDTLS_TEST_HOOKS) + +#if defined(MBEDTLS_PSA_CRYPTO_C) + +/** + * \brief Expand the supplied \p prk into several additional pseudorandom + * keys, which is the output of the HKDF. + * + * \param alg The HMAC algorithm to use (\c #PSA_ALG_HMAC( PSA_ALG_XXX ) + * value such that PSA_ALG_XXX is a hash algorithm and + * #PSA_ALG_IS_HMAC(\p alg) is true). + * \param prk A pseudorandom key of \p prk_len bytes. \p prk is + * usually the output from the HKDF extract step. + * \param prk_len The length in bytes of \p prk. + * \param info An optional context and application specific information + * string. This can be a zero-length string. + * \param info_len The length of \p info in bytes. + * \param okm The output keying material of \p okm_len bytes. + * \param okm_len The length of the output keying material in bytes. This + * must be less than or equal to + * 255 * #PSA_HASH_LENGTH( \p alg ) bytes. + * + * \return 0 on success. + * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid. + * \return An PSA_ERROR_* error for errors returned from the underlying + * PSA layer. + */ +psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg, + const unsigned char *prk, size_t prk_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len ); + +#endif /* MBEDTLS_PSA_CRYPTO_C */ + +#endif /* MBEDTLS_TEST_HOOKS */ + +#endif /* MBEDTLS_SSL_TLS13_INVASIVE_H */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 5615386781..33c2d1c66c 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -30,6 +30,9 @@ #include "ssl_misc.h" #include "ssl_tls13_keys.h" +#include "ssl_tls13_invasive.h" + +#include "psa/crypto.h" #define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, @@ -133,6 +136,125 @@ static void ssl_tls13_hkdf_encode_label( *dst_len = total_hkdf_lbl_len; } +MBEDTLS_STATIC_TESTABLE +psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t alg, + const unsigned char *prk, size_t prk_len, + const unsigned char *info, size_t info_len, + unsigned char *okm, size_t okm_len ) +{ + size_t hash_len; + size_t where = 0; + size_t n; + size_t t_len = 0; + size_t i; + mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; + psa_status_t ret = PSA_ERROR_CORRUPTION_DETECTED; + unsigned char t[PSA_MAC_MAX_SIZE]; + + if( okm == NULL ) + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + hash_len = PSA_HASH_LENGTH( alg ); + + if( prk_len < hash_len || hash_len == 0 ) + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + if( info == NULL ) + { + info = (const unsigned char *) ""; + info_len = 0; + } + + n = okm_len / hash_len; + + if( okm_len % hash_len != 0 ) + { + n++; + } + + /* + * Per RFC 5869 Section 2.3, okm_len must not exceed + * 255 times the hash length + */ + if( n > 255 ) + { + return( PSA_ERROR_INVALID_ARGUMENT ); + } + + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC ); + + ret = psa_import_key( &attributes, prk, prk_len, &key ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + memset( t, 0, hash_len ); + + /* + * Compute T = T(1) | T(2) | T(3) | ... | T(N) + * Where T(N) is defined in RFC 5869 Section 2.3 + */ + for( i = 1; i <= n; i++ ) + { + size_t num_to_copy; + unsigned char c = i & 0xff; + size_t len; + + ret = psa_mac_sign_setup( &operation, key, alg ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + ret = psa_mac_update( &operation, t, t_len ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + ret = psa_mac_update( &operation, info, info_len ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + /* The constant concatenated to the end of each T(n) is a single octet. + * */ + ret = psa_mac_update( &operation, &c, 1 ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + ret = psa_mac_sign_finish( &operation, t, PSA_MAC_MAX_SIZE, &len ); + if( PSA_SUCCESS != ret ) + { + goto cleanup; + } + + num_to_copy = i != n ? hash_len : okm_len - where; + memcpy( okm + where, t, num_to_copy ); + where += hash_len; + t_len = hash_len; + } + +cleanup: + psa_destroy_key( key ); + mbedtls_platform_zeroize( t, sizeof( t ) ); + psa_mac_abort( &operation ); + + return( ret ); +} + int mbedtls_ssl_tls13_hkdf_expand_label( mbedtls_md_type_t hash_alg, const unsigned char *secret, size_t secret_len,