yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #6538 from yuhaoth/pr/tls13-add-early-data-transform-computation

Browse source
This commit is contained in:
Ronald Cron 2022-11-30 09:56:00 +01:00 committed by GitHub
commit 7df787c019
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 263 additions and 74 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
library/ssl_misc.h
View file

@ -890,13 +890,6 @@ struct mbedtls_ssl_handshake_params
uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
* Those pointers own the transforms they reference. */
mbedtls_ssl_transform *transform_handshake;
mbedtls_ssl_transform *transform_earlydata;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
/*
* Checksum contexts
*/
@ -981,6 +974,8 @@ struct mbedtls_ssl_handshake_params
unsigned char *certificate_request_context;
#endif
/** TLS 1.3 transform for encrypted handshake messages. */
mbedtls_ssl_transform *transform_handshake;
union
{
unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
@ -989,6 +984,11 @@ struct mbedtls_ssl_handshake_params
} tls13_master_secrets;
mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
/** TLS 1.3 transform for early data and handshake messages. */
mbedtls_ssl_transform *transform_earlydata;
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)

6
library/ssl_tls.c
View file

@ -1447,9 +1447,11 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
if( ssl->handshake != NULL )
{
#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata );
mbedtls_free( ssl->handshake->transform_earlydata );
ssl->handshake->transform_earlydata = NULL;
#endif
mbedtls_ssl_transform_free( ssl->handshake->transform_handshake );
mbedtls_free( ssl->handshake->transform_handshake );
@ -4067,9 +4069,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_transform_free( handshake->transform_handshake );
mbedtls_free( handshake->transform_handshake );
#if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_transform_free( handshake->transform_earlydata );
mbedtls_free( handshake->transform_earlydata );
mbedtls_free( handshake->transform_handshake );
#endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

296
library/ssl_tls13_keys.c
View file

@ -215,6 +215,33 @@ cleanup:
return( psa_ssl_status_to_mbedtls ( status ) );
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_make_traffic_key(
psa_algorithm_t hash_alg,
const unsigned char *secret, size_t secret_len,
unsigned char *key, size_t key_len,
unsigned char *iv, size_t iv_len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ret = mbedtls_ssl_tls13_hkdf_expand_label(
hash_alg,
secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
NULL, 0,
key, key_len );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_hkdf_expand_label(
hash_alg,
secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
NULL, 0,
iv, iv_len );
return( ret );
}
/*
* The traffic keying material is generated from the following inputs:
*
@ -240,35 +267,17 @@ int mbedtls_ssl_tls13_make_traffic_keys(
{
int ret = 0;
ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
client_secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
NULL, 0,
keys->client_write_key, key_len );
ret = ssl_tls13_make_traffic_key(
hash_alg, client_secret, secret_len,
keys->client_write_key, key_len,
keys->client_write_iv, iv_len );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
server_secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ),
NULL, 0,
keys->server_write_key, key_len );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
client_secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
NULL, 0,
keys->client_write_iv, iv_len );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg,
server_secret, secret_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ),
NULL, 0,
keys->server_write_iv, iv_len );
ret = ssl_tls13_make_traffic_key(
hash_alg, server_secret, secret_len,
keys->server_write_key, key_len,
keys->server_write_iv, iv_len );
if( ret != 0 )
return( ret );
@ -1052,6 +1061,194 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
return( 0 );
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_get_cipher_key_info(
const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
size_t *key_len, size_t *iv_len )
{
psa_key_type_t key_type;
psa_algorithm_t alg;
size_t taglen;
size_t key_bits;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG )
taglen = 8;
else
taglen = 16;
status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen,
&alg, &key_type, &key_bits );
if( status != PSA_SUCCESS )
return psa_ssl_status_to_mbedtls( status );
*key_len = PSA_BITS_TO_BYTES( key_bits );
/* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
*iv_len = 12;
return 0;
}
#if defined(MBEDTLS_SSL_EARLY_DATA)
/*
* ssl_tls13_generate_early_key() generates the key necessary for protecting
* the early application data and handshake messages as described in section 7
* of RFC 8446.
*
* NOTE: Only one key is generated, the key for the traffic from the client to
* the server. The TLS 1.3 specification does not define a secret and thus
* a key for server early traffic.
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl,
mbedtls_ssl_key_set *traffic_keys )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_type;
psa_algorithm_t hash_alg;
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
size_t key_len;
size_t iv_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_key" ) );
ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
goto cleanup;
}
md_type = ciphersuite_info->mac;
hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac );
hash_len = PSA_HASH_LENGTH( hash_alg );
ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type,
transcript,
sizeof( transcript ),
&transcript_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_get_handshake_transcript",
ret );
goto cleanup;
}
ret = mbedtls_ssl_tls13_derive_early_secrets(
hash_alg, handshake->tls13_master_secrets.early,
transcript, transcript_len, tls13_early_secrets );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_derive_early_secrets", ret );
goto cleanup;
}
MBEDTLS_SSL_DEBUG_BUF(
4, "Client early traffic secret",
tls13_early_secrets->client_early_traffic_secret, hash_len );
/*
* Export client handshake traffic secret
*/
if( ssl->f_export_keys != NULL )
{
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET,
tls13_early_secrets->client_early_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ );
}
ret = ssl_tls13_make_traffic_key(
hash_alg,
tls13_early_secrets->client_early_traffic_secret,
hash_len, traffic_keys->client_write_key, key_len,
traffic_keys->client_write_iv, iv_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret );
goto cleanup;
}
traffic_keys->key_len = key_len;
traffic_keys->iv_len = iv_len;
MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key",
traffic_keys->client_write_key,
traffic_keys->key_len);
MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_iv",
traffic_keys->client_write_iv,
traffic_keys->iv_len);
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) );
cleanup:
/* Erase secret and transcript */
mbedtls_platform_zeroize(
tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) );
mbedtls_platform_zeroize( transcript, sizeof( transcript ) );
return( ret );
}
int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_key_set traffic_keys;
mbedtls_ssl_transform *transform_earlydata = NULL;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
/* Next evolution in key schedule: Establish early_data secret and
* key material. */
ret = ssl_tls13_generate_early_key( ssl, &traffic_keys );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_key",
ret );
goto cleanup;
}
transform_earlydata = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
if( transform_earlydata == NULL )
{
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto cleanup;
}
ret = mbedtls_ssl_tls13_populate_transform(
transform_earlydata,
ssl->conf->endpoint,
ssl->session_negotiate->ciphersuite,
&traffic_keys,
ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
goto cleanup;
}
handshake->transform_earlydata = transform_earlydata;
cleanup:
mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
if( ret != 0 )
mbedtls_free( transform_earlydata );
return( ret );
}
#endif /* MBEDTLS_SSL_EARLY_DATA */
int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1098,51 +1295,19 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl )
return( 0 );
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int mbedtls_ssl_tls13_get_cipher_key_info(
const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
size_t *key_len, size_t *iv_len )
{
psa_key_type_t key_type;
psa_algorithm_t alg;
size_t taglen;
size_t key_bits;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG )
taglen = 8;
else
taglen = 16;
status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen,
&alg, &key_type, &key_bits );
if( status != PSA_SUCCESS )
return psa_ssl_status_to_mbedtls( status );
*key_len = PSA_BITS_TO_BYTES( key_bits );
/* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */
*iv_len = 12;
return 0;
}
/* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for
* protecting the handshake messages, as described in Section 7 of TLS 1.3. */
int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
mbedtls_ssl_key_set *traffic_keys )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_type;
psa_algorithm_t hash_alg;
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
size_t key_len, iv_len;
size_t key_len;
size_t iv_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
@ -1150,11 +1315,10 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) );
ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info,
&key_len, &iv_len );
ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
return ret;
}
@ -1370,11 +1534,11 @@ int mbedtls_ssl_tls13_generate_application_keys(
/* Extract basic information about hash and ciphersuite */
ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info,
&key_len, &iv_len );
ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info,
&key_len, &iv_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret );
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret );
goto cleanup;
}

21
library/ssl_tls13_keys.h
View file

@ -667,6 +667,27 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
size_t *actual_len,
int which );
#if defined(MBEDTLS_SSL_EARLY_DATA)
/**
* \brief Compute TLS 1.3 early transform
*
* \param ssl The SSL context to operate on.
*
* \returns \c 0 on success.
* \returns A negative error code on failure.
*
* \warning The function does not compute the early master secret. Call
* mbedtls_ssl_tls13_key_schedule_stage_early() before to
* call this function to generate the early master secret.
* \note For a client/server endpoint, the function computes only the
* encryption/decryption part of the transform as the decryption/
* encryption part is not defined by the specification (no early
* traffic from the server to the client).
*/
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_EARLY_DATA */
/**
* \brief Compute TLS 1.3 handshake transform
*