diff --git a/library/ssl_tls13_invasive.h b/library/ssl_tls13_invasive.h index 4e39f90cf..f874a8821 100644 --- a/library/ssl_tls13_invasive.h +++ b/library/ssl_tls13_invasive.h @@ -26,60 +26,6 @@ #if defined(MBEDTLS_TEST_HOOKS) -/** - * \brief Take the input keying material \p ikm and extract from it a - * fixed-length pseudorandom key \p prk. - * - * \param hash_alg Hash algorithm to use. - * \param salt An optional salt value (a non-secret random value); - * if the salt is not provided, a string of all zeros - * of the length of the hash provided by \p alg is used - * as the salt. - * \param salt_len The length in bytes of the optional \p salt. - * \param ikm The input keying material. - * \param ikm_len The length in bytes of \p ikm. - * \param[out] prk A pseudorandom key of \p prk_len bytes. - * \param prk_size Size of the \p prk buffer in bytes. - * \param[out] prk_len On success, the length in bytes of the - * pseudorandom key in \p prk. - * - * \return 0 on success. - * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid. - * \return An PSA_ERROR_* error for errors returned from the underlying - * PSA layer. - */ -psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t hash_alg, - const unsigned char *salt, size_t salt_len, - const unsigned char *ikm, size_t ikm_len, - unsigned char *prk, size_t prk_size, - size_t *prk_len ); - -/** - * \brief Expand the supplied \p prk into several additional pseudorandom - * keys, which is the output of the HKDF. - * - * \param hash_alg Hash algorithm to use. - * \param prk A pseudorandom key of \p prk_len bytes. \p prk is - * usually the output from the HKDF extract step. - * \param prk_len The length in bytes of \p prk. - * \param info An optional context and application specific information - * string. This can be a zero-length string. - * \param info_len The length of \p info in bytes. - * \param okm The output keying material of \p okm_len bytes. - * \param okm_len The length of the output keying material in bytes. This - * must be less than or equal to - * 255 * #PSA_HASH_LENGTH( \p alg ) bytes. - * - * \return 0 on success. - * \return #PSA_ERROR_INVALID_ARGUMENT when the parameters are invalid. - * \return An PSA_ERROR_* error for errors returned from the underlying - * PSA layer. - */ -psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t hash_alg, - const unsigned char *prk, size_t prk_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len ); - #endif /* MBEDTLS_TEST_HOOKS */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 91cc4d9fc..f6bea3403 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -137,182 +137,6 @@ static void ssl_tls13_hkdf_encode_label( *dst_len = total_hkdf_lbl_len; } -MBEDTLS_STATIC_TESTABLE -psa_status_t mbedtls_psa_hkdf_extract( psa_algorithm_t hash_alg, - const unsigned char *salt, size_t salt_len, - const unsigned char *ikm, size_t ikm_len, - unsigned char *prk, size_t prk_size, - size_t *prk_len ) -{ - unsigned char null_salt[PSA_MAC_MAX_SIZE] = { '\0' }; - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED; - psa_algorithm_t alg = PSA_ALG_HMAC( hash_alg ); - - if( salt == NULL || salt_len == 0 ) - { - size_t hash_len; - - if( salt_len != 0 ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } - - hash_len = PSA_HASH_LENGTH( alg ); - - if( hash_len == 0 ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } - - /* salt_len <= sizeof( salt ) because - PSA_HASH_LENGTH( alg ) <= PSA_MAC_MAX_SIZE. */ - salt = null_salt; - salt_len = hash_len; - } - - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC ); - - status = psa_import_key( &attributes, salt, salt_len, &key ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - status = psa_mac_compute( key, alg, ikm, ikm_len, prk, prk_size, prk_len ); - -cleanup: - destroy_status = psa_destroy_key( key ); - - return( ( status == PSA_SUCCESS ) ? destroy_status : status ); -} - -MBEDTLS_STATIC_TESTABLE -psa_status_t mbedtls_psa_hkdf_expand( psa_algorithm_t hash_alg, - const unsigned char *prk, size_t prk_len, - const unsigned char *info, size_t info_len, - unsigned char *okm, size_t okm_len ) -{ - size_t hash_len; - size_t where = 0; - size_t n; - size_t t_len = 0; - size_t i; - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_status_t destroy_status = PSA_ERROR_CORRUPTION_DETECTED; - unsigned char t[PSA_MAC_MAX_SIZE]; - psa_algorithm_t alg = PSA_ALG_HMAC( hash_alg ); - - if( okm == NULL ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } - - hash_len = PSA_HASH_LENGTH( alg ); - - if( prk_len < hash_len || hash_len == 0 ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } - - if( info == NULL ) - { - info = (const unsigned char *) ""; - info_len = 0; - } - - n = okm_len / hash_len; - - if( okm_len % hash_len != 0 ) - { - n++; - } - - /* - * Per RFC 5869 Section 2.3, okm_len must not exceed - * 255 times the hash length - */ - if( n > 255 ) - { - return( PSA_ERROR_INVALID_ARGUMENT ); - } - - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC ); - - status = psa_import_key( &attributes, prk, prk_len, &key ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - memset( t, 0, hash_len ); - - /* - * Compute T = T(1) | T(2) | T(3) | ... | T(N) - * Where T(N) is defined in RFC 5869 Section 2.3 - */ - for( i = 1; i <= n; i++ ) - { - size_t num_to_copy; - unsigned char c = i & 0xff; - size_t len; - - status = psa_mac_sign_setup( &operation, key, alg ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - status = psa_mac_update( &operation, t, t_len ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - status = psa_mac_update( &operation, info, info_len ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - /* The constant concatenated to the end of each T(n) is a single octet. */ - status = psa_mac_update( &operation, &c, 1 ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - status = psa_mac_sign_finish( &operation, t, PSA_MAC_MAX_SIZE, &len ); - if( status != PSA_SUCCESS ) - { - goto cleanup; - } - - num_to_copy = i != n ? hash_len : okm_len - where; - memcpy( okm + where, t, num_to_copy ); - where += hash_len; - t_len = hash_len; - } - -cleanup: - if( status != PSA_SUCCESS ) - psa_mac_abort( &operation ); - destroy_status = psa_destroy_key( key ); - - mbedtls_platform_zeroize( t, sizeof( t ) ); - - return( ( status == PSA_SUCCESS ) ? destroy_status : status ); -} - int mbedtls_ssl_tls13_hkdf_expand_label( psa_algorithm_t hash_alg, const unsigned char *secret, size_t secret_len,