From 27a2688fbbe2bff37030bcbd5e9b18d5951e6d6f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 7 Aug 2020 11:30:05 +0100 Subject: [PATCH 01/43] Introduce public macro for maximum symmetric cipher key length This commit introduces the public macro MBEDTLS_MAX_KEY_LENGTH, which evaluates to an upper bound for the key lengths of all enabled ciphers, in Bytes. This is analogous to the already existing macros MBEDTLS_MAX_IV_LENGTH and MBEDTLS_MAX_BLOCK_LENGTH, which provide upper bounds for the IV and block length, respectively. For now, MBEDTLS_MAX_KEY_LENGTH is 32 Bytes by default, and 64 in case XTS is enabled. This is a strict overapproximation for some restricted configurations. Ideally, the upper bound should be calculated exactly and automatically from the list of enabled ciphers. The same applies to the existing macros MBEDTLS_MAX_IV_LENGTH and MBEDTLS_MAX_BLOCK_LENGTH, though, and is left for future work. Signed-off-by: Hanno Becker --- include/mbedtls/cipher.h | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 014786ad51..8a6c8ebdbc 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h 
@@ -227,10 +227,23 @@ enum { }; /** Maximum length of any IV, in Bytes. */ +/* This should ideally be derived automatically from list of ciphers. */ #define MBEDTLS_MAX_IV_LENGTH 16 + /** Maximum block size of any cipher, in Bytes. */ +/* This should ideally be derived automatically from list of ciphers. */ #define MBEDTLS_MAX_BLOCK_LENGTH 16 +/** Maximum key length, in Bytes. */ +/* This should ideally be derived automatically from list of ciphers. + * For now, only check whether XTS is enabled which uses 64 Byte keys, + * and use 32 Bytes as an upper bound for the maximum key length otherwise. */ +#if defined(MBEDTLS_CIPHER_MODE_XTS) +#define MBEDTLS_MAX_KEY_LENGTH 64 +#else +#define MBEDTLS_MAX_KEY_LENGTH 32 +#endif /* MBEDTLS_CIPHER_MODE_XTS */ + /** * Base cipher information (opaque struct). */ From be9d6648f81497172440efd6785f9339271168ae Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 13:20:06 +0100 Subject: [PATCH 02/43] Implement TLS 1.3 key derivation function HKDF-Expand-Label This commit introduces a new file library/ssl_tls13_key.c which will subsequently be populated with functionality relating to the TLS 1.3 key schedule. Those functions are expected to be internal and are documented in the internal header library/ssl_tls13_keys.h. The first function to be implemented is the key expansion function `HKDF-Expand-Label`. See the documentation in library/ssl_tls13_keys.h for more information. Signed-off-by: Hanno Becker --- library/CMakeLists.txt | 1 + library/Makefile | 1 + library/ssl_tls13_keys.c | 182 +++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 106 +++++++++++++++++++ visualc/VS2010/mbedTLS.vcxproj | 2 + 5 files changed, 292 insertions(+) create mode 100644 library/ssl_tls13_keys.c create mode 100644 library/ssl_tls13_keys.h diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 33e2cfc855..7e11816f10 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt 
@@ -103,6 +103,7 @@ set(src_tls ssl_srv.c ssl_ticket.c ssl_tls.c + ssl_tls13_keys.c ) if(CMAKE_COMPILER_IS_GNUCC) diff --git a/library/Makefile b/library/Makefile index b76a84bdd2..bd5274de44 100644 --- a/library/Makefile +++ b/library/Makefile @@ -162,6 +162,7 @@ OBJS_TLS= \ ssl_srv.o \ ssl_ticket.o \ ssl_tls.o \ + ssl_tls13_keys.o \ # This line is intentionally left blank .SILENT: diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c new file mode 100644 index 0000000000..448d03a61a --- /dev/null +++ b/library/ssl_tls13_keys.c 
@@ -0,0 +1,182 @@ +/* + * TLS 1.3 key schedule + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 ( the "License" ); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#if !defined(MBEDTLS_CONFIG_FILE) +#include "mbedtls/config.h" +#else +#include MBEDTLS_CONFIG_FILE +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + +#include "mbedtls/hkdf.h" +#include "ssl_tls13_keys.h" + +#include +#include + +struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = +{ + /* This seems to work in C, despite the string literal being one + * character too long due to the 0-termination. */ + .finished = "finished", + .resumption = "resumption", + .traffic_upd = "traffic upd", + .export = "exporter", + .key = "key", + .iv = "iv", + .sn = "sn", + .c_hs_traffic = "c hs traffic", + .c_ap_traffic = "c ap traffic", + .c_e_traffic = "c e traffic", + .s_hs_traffic = "s hs traffic", + .s_ap_traffic = "s ap traffic", + .s_e_traffic = "s e traffic", + .exp_master = "exp master", + .res_master = "res master", + .ext_binder = "ext binder", + .res_binder = "res binder", + .derived = "derived" +}; + +/* + * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule. 
+ * + * The HkdfLabel is specified in RFC 8446 as follows: + * + * struct HkdfLabel { + * uint16 length; // Length of expanded key material + * opaque label<7..255>; // Always prefixed by "tls13 " + * opaque context<0..255>; // Usually a communication transcript hash + * }; + * + * Parameters: + * - desired_length: Length of expanded key material + * Even though the standard allows expansion to up to + * 2**16 Bytes, TLS 1.3 never uses expansion to more than + * 255 Bytes, so we require `desired_length` to be at most + * 255. This allows us to save a few Bytes of code by + * hardcoding the writing of the high bytes. + * - (label, llen): label + label length, without "tls13 " prefix + * The label length MUST be + * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN + * It is the caller's responsiblity to ensure this. + * - (ctx, clen): context + context length + * The context length MUST be + * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN + * It is the caller's responsiblity to ensure this. + * - dst: Target buffer for HkdfLabel structure, + * This MUST be a writable buffer of size + * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes. + * - dlen: Pointer at which to store the actual length of + * the HkdfLabel structure on success. + */ + +#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ + ( 2 /* expansion length */ \ + + 1 /* label length */ \ + + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ + + 1 /* context length */ \ + + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) + +static void ssl_tls1_3_hkdf_encode_label( + size_t desired_length, + const unsigned char *label, size_t llen, + const unsigned char *ctx, size_t clen, + unsigned char *dst, size_t *dlen ) +{ + const char label_prefix[6] = { 't', 'l', 's', '1', '3', ' ' }; + size_t total_label_len = sizeof( label_prefix ) + llen; + size_t total_hkdf_lbl_len = + 2 /* length of expanded key material */ + + 1 /* label length */ + + total_label_len /* actual label, incl. 
prefix */ + + 1 /* context length */ + + clen; /* actual context */ + + unsigned char *p = dst; + + /* Add total length. */ + *p++ = 0; + *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF ); + + /* Add label incl. prefix */ + *p++ = (unsigned char)( total_label_len & 0xFF ); + memcpy( p, label_prefix, sizeof(label_prefix) ); + p += sizeof(label_prefix); + memcpy( p, label, llen ); + p += llen; + + /* Add context value */ + *p++ = (unsigned char)( clen & 0xFF ); + if( ctx != NULL ) + memcpy( p, ctx, clen ); + + /* Return total length to the caller. */ + *dlen = total_hkdf_lbl_len; +} + +int mbedtls_ssl_tls1_3_hkdf_expand_label( + mbedtls_md_type_t hash_alg, + const unsigned char *secret, size_t slen, + const unsigned char *label, size_t llen, + const unsigned char *ctx, size_t clen, + unsigned char *buf, size_t blen ) +{ + const mbedtls_md_info_t *md; + unsigned char hkdf_label[ SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN ]; + size_t hkdf_label_len; + + if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN ) + { + /* Should never happen since this is an internal + * function, and we know statically which labels + * are allowed. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + if( clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) + { + /* Should not happen, as above. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + if( blen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN ) + { + /* Should not happen, as above. */ + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + md = mbedtls_md_info_from_type( hash_alg ); + if( md == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + ssl_tls1_3_hkdf_encode_label( blen, + label, llen, + ctx, clen, + hkdf_label, + &hkdf_label_len ); + + return( mbedtls_hkdf_expand( md, + secret, slen, + hkdf_label, hkdf_label_len, + buf, blen ) ); +} + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h new file mode 100644 index 0000000000..49f4121137 
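Review bot: In ssl_tls1_3_hkdf_encode_label the context length byte is written from `clen` unconditionally, but the `memcpy` of the context bytes is skipped when `ctx == NULL`, so a caller passing `ctx == NULL` together with `clen != 0` produces an HkdfLabel whose context field is uninitialized stack bytes that then feed HKDF-Expand. Nothing in this hunk calls it that way, so the issue is latent, but `mbedtls_ssl_tls1_3_hkdf_expand_label` should reject the inconsistent pair next to its other argument checks, e.g. `if( ctx == NULL && clen != 0 )` / `return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`, or the encoder should treat a NULL context as empty regardless of `clen`. A comment on the `*p++ = 0;` line saying that the high length byte is hardcoded because the caller has already bounded `blen` to `MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN` would also help, since the guard and the encoding live in different functions.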
--- /dev/null +++ b/library/ssl_tls13_keys.h 
@@ -0,0 +1,106 @@ +/* + * TLS 1.3 key schedule + * + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 ( the "License" ); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H) +#define MBEDTLS_SSL_TLS1_3_KEYS_H + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ + const unsigned char finished [ sizeof("finished") - 1 ]; \ + const unsigned char resumption [ sizeof("resumption") - 1 ]; \ + const unsigned char traffic_upd [ sizeof("traffic upd") - 1 ]; \ + const unsigned char export [ sizeof("exporter") - 1 ]; \ + const unsigned char key [ sizeof("key") - 1 ]; \ + const unsigned char iv [ sizeof("iv") - 1 ]; \ + const unsigned char sn [ sizeof("sn") - 1 ]; \ + const unsigned char c_hs_traffic[ sizeof("c hs traffic") - 1 ]; \ + const unsigned char c_ap_traffic[ sizeof("c ap traffic") - 1 ]; \ + const unsigned char c_e_traffic [ sizeof("c e traffic") - 1 ]; \ + const unsigned char s_hs_traffic[ sizeof("s hs traffic") - 1 ]; \ + const unsigned char s_ap_traffic[ sizeof("s ap traffic") - 1 ]; \ + const unsigned char s_e_traffic [ sizeof("s e traffic") - 1 ]; \ + const unsigned char exp_master [ sizeof("exp master") - 1 ]; \ + const unsigned char res_master [ sizeof("res master") - 1 ]; \ + const unsigned char ext_binder [ sizeof("ext binder") - 1 ]; \ + const unsigned char res_binder [ sizeof("res binder") - 1 ]; \ + const unsigned char derived [ sizeof("derived") - 1 ]; 
\ + +union mbedtls_ssl_tls1_3_labels_union +{ + MBEDTLS_SSL_TLS1_3_LABEL_LIST +}; +struct mbedtls_ssl_tls1_3_labels_struct +{ + MBEDTLS_SSL_TLS1_3_LABEL_LIST +}; +extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; + +#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL ) \ + mbedtls_ssl_tls1_3_labels.LABEL, \ + sizeof(mbedtls_ssl_tls1_3_labels.LABEL) + +#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ + sizeof( union mbedtls_ssl_tls1_3_labels_union ) + +/* The maximum length of HKDF contexts used in the TLS 1.3 standad. + * Since contexts are always hashes of message transcripts, this can + * be approximated from above by the maximum hash size. */ +#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ + MBEDTLS_MD_MAX_SIZE + +/* Maximum desired length for expanded key material generated + * by HKDF-Expand-Label. */ +#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255 + +/** + * \brief The \c HKDF-Expand-Label function from + * the TLS 1.3 standard RFC 8446. + * + * + * HKDF-Expand-Label( Secret, Label, Context, Length ) = + * HKDF-Expand( Secret, HkdfLabel, Length ) + * + * + * \param hash_alg The identifier for the hash algorithm to use. + * \param secret The \c Secret argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length \p slen Bytes. + * \param slen The length of \p secret in Bytes. + * \param label The \c Label argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length \p llen Bytes. + * \param llen The length of \p label in Bytes. + * \param ctx The \c Context argument to \c HKDF-Expand-Label. + * This must be a readable buffer of length \p clen Bytes. + * \param clen The length of \p context in Bytes. + * \param buf The destination buffer to hold the expanded secret. + * This must be a writable buffe of length \p blen Bytes. + * \param blen The desired size of the expanded secret in Bytes. + * + * \returns \c 0 on success. + * \return A negative error code on failure. 
+ */ + +int mbedtls_ssl_tls1_3_hkdf_expand_label( + mbedtls_md_type_t hash_alg, + const unsigned char *secret, size_t slen, + const unsigned char *label, size_t llen, + const unsigned char *ctx, size_t clen, + unsigned char *buf, size_t blen ); + +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 578289f17f..14d978ec62 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -247,6 +247,7 @@ + @@ -325,6 +326,7 @@ + From 39ff4928ffac0834697ff15b0ef2b3336d54669f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 13:36:56 +0100 Subject: [PATCH 03/43] Add test vectors for TLS 1.3 HKDF-Expand-Label Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 55 ++++++++++++++++++++++++++++ tests/suites/test_suite_ssl.function | 27 ++++++++++++++ 2 files changed, 82 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 1b79191040..257e3cf223 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
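Review bot: No `#include` line is visible in this new header although it uses `mbedtls_md_type_t`, `MBEDTLS_MD_MAX_SIZE` and `size_t`, and it tests `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL` directly after the include guard, so it only compiles when the includer has already pulled in the configuration file and `mbedtls/md.h`; if the hunk really carries no includes, add the usual config include block and `#include "mbedtls/md.h"` under the guard so the header is self-contained. In the documentation of `mbedtls_ssl_tls1_3_hkdf_expand_label`, `\p context` in the `clen` entry should be `\p ctx` to match the parameter name, and "writable buffe" and "TLS 1.3 standad" are typos. The `\param ctx` entry could also state how an empty context is passed (a `NULL` pointer with `clen == 0`), since the encoder in ssl_tls13_keys.c special-cases a `NULL` pointer.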
@@ -10398,6 +10398,61 @@ Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:255 +SSL TLS 1.3 Key schedule: HKDF Expand Label #1 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Server handshake traffic secret -> Server traffic key +# HKDF-Expand-Label(server_handshake_secret, "key", "", 16) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6b6579":"":16:"844780a7acad9f980fa25c114e43402a" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #2 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Server handshake traffic secret -> Server traffic IV +# HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6976":"":12:"4c042ddc120a38d1417fc815" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #3 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Client handshake traffic secret -> Client traffic key +# HKDF-Expand-Label(client_handshake_secret, "key", "", 16) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6b6579":"":16:"7154f314e6be7dc008df2c832baa1d39" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #4 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Client handshake traffic secret -> Client traffic IV +# HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6976":"":12:"71abc2cae4c699d47c600268" + +SSL TLS 1.3 
Key schedule: HKDF Expand Label #5 (RFC 8448) +# Vector from RFC 8448 +# Server handshake traffic secret -> Server traffic IV +# HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6976":"":12:"5d313eb2671276ee13000b30" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #6 (RFC 8448) +# Vector from RFC 8448 +# Server handshake traffic secret -> Server traffic Key +# HKDF-Expand-Label(server_handshake_secret, "key", "", 16) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6b6579":"":16:"3fce516009c21727d0f2e4e86ee403bc" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) +# Vector from RFC 8448 +# Client handshake traffic secret -> Client traffic IV +# HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6976":"":12:"5bd3c71b836e0b76bb73265f" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) +# Vector from RFC 8448 +# Client handshake traffic secret -> Client traffic Key +# HKDF-Expand-Label(client_handshake_secret, "key", "", 16) +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6b6579":"":16:"dbfaa693d1762c5b666af5d950258d01" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 7c4f865e92..8f5c9edda0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
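Review bot: All eight vectors exercise HKDF-Expand-Label with an empty context and `MBEDTLS_MD_SHA256` only, so neither the context-length byte and context copy in `ssl_tls1_3_hkdf_encode_label` nor a SHA-384 expansion is covered by this hunk. RFC 8448 also lists derived secrets whose context is a transcript hash; one vector with a non-empty `ctx` argument and one with `MBEDTLS_MD_SHA384` (guarded by the matching `depends_on`) would pin the encoding of the context field. A vector with a label or output length above the schedule maximums would likewise show the `MBEDTLS_ERR_SSL_INTERNAL_ERROR` paths are reachable, but that requires the test function to take an expected return code.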
@@ -6,6 +6,7 @@ #include #include #include +#include <../library/ssl_tls13_keys.h> #include @@ -3669,6 +3670,32 @@ exit: } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_hkdf_expand_label( int hash_alg, + data_t *secret, + data_t *label, + data_t *ctx, + int desired_length, + data_t *expected ) +{ + unsigned char dst[ 100 ]; + + + /* Check sanity of test parameters. */ + TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); + TEST_ASSERT( (size_t) desired_length == expected->len ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_hkdf_expand_label( + (mbedtls_md_type_t) hash_alg, + secret->x, secret->len, + label->x, label->len, + ctx->x, ctx->len, + dst, desired_length ) == 0 ); + + TEST_ASSERT( memcmp( dst, expected->x, desired_length ) == 0 ); +} +/* END_CASE */ + /* BEGIN_CASE */ void ssl_tls_prf( int type, data_t * secret, data_t * random, char *label, data_t *result_hex_str, int exp_ret ) From 3385a4d5cf6a19adc89d31eee85805874267917b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 13:03:34 +0100 Subject: [PATCH 04/43] Implement TLS 1.3 traffic key generation See the documentation in library/ssl_tls13_keys.h. Signed-off-by: Hanno Becker --- include/mbedtls/ssl_internal.h | 25 +++++++++++++ library/ssl_tls13_keys.c | 64 ++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 36 +++++++++++++++++++ 3 files changed, 125 insertions(+) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index b3d53d34ae..6167f567c1 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
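Review bot: `ssl_tls1_3_hkdf_expand_label` in the test suite asserts only the success path; none of the three `MBEDTLS_ERR_SSL_INTERNAL_ERROR` bounds returns nor the `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` return for an unknown hash is exercised. Adding an `int expected_ret` parameter and replacing `== 0` with `== expected_ret` would let the data file carry negative vectors as well. The `(size_t) desired_length` casts turn a negative length into a huge value that the first sanity assertion then rejects, which works, but a `TEST_ASSERT( desired_length >= 0 );` before the casts states the intent directly; the two consecutive blank lines after `dst` are a style nit.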
@@ -378,6 +378,31 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, const char *label, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ); + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +/** + * \brief The data structure holding the cryptographic material (key and IV) + * used for record protection in TLS 1.3. + */ +struct mbedtls_ssl_key_set +{ + /*! The key for client->server records. */ + unsigned char client_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + /*! The key for server->client records. */ + unsigned char server_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + /*! The IV for client->server records. */ + unsigned char client_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + /*! The IV for server->client records. */ + unsigned char server_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + + size_t keyLen; /*!< The length of client_write_key and + * server_write_key, in Bytes. */ + size_t ivLen; /*!< The length of client_write_iv and + * server_write_iv, in Bytes. */ +}; +typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + /* * This structure contains the parameters only needed during handshake. */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 448d03a61a..4b07aa7f47 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -26,6 +26,7 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) #include "mbedtls/hkdf.h" +#include "mbedtls/ssl_internal.h" #include "ssl_tls13_keys.h" #include 
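Review bot: `mbedtls_ssl_key_set` holds raw traffic keys, but the docblock does not say who is responsible for wiping it, and the field names `keyLen`/`ivLen` break the snake_case used by the neighbouring `mbedtls_ssl_tls_prf_cb` typedef (`slen`, `rlen`, `dlen`). Since the structure is sized by `MBEDTLS_MAX_KEY_LENGTH`/`MBEDTLS_MAX_IV_LENGTH` and lives wherever the caller places it, the brief should state that the owner must clear it with `mbedtls_platform_zeroize( keys, sizeof( *keys ) )` before it goes out of scope or is freed, and that `keyLen`/`ivLen` never exceed those two bounds. Renaming the fields to `key_len`/`iv_len` would keep the struct consistent with the rest of the header; the structure definition is complete within the hunk.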
@@ -179,4 +180,67 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( buf, blen ) ); } +/* + * The traffic keying material is generated from the following inputs: + * + * - One secret value per sender. + * - A purpose value indicating the specific value being generated + * - The desired lengths of key and IV. + * + * The expansion itself is based on HKDF: + * + * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length ) + * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length ) + * + * [sender] denotes the sending side and the Secret value is provided + * by the function caller. Note that we generate server and client side + * keys in a single function call. + */ +int mbedtls_ssl_tls1_3_make_traffic_keys( + mbedtls_md_type_t hash_alg, + const unsigned char *client_secret, + const unsigned char *server_secret, + size_t slen, size_t keyLen, size_t ivLen, + mbedtls_ssl_key_set *keys ) +{ + int ret = 0; + + ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, + client_secret, slen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), + NULL, 0, + keys->client_write_key, keyLen ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, + server_secret, slen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), + NULL, 0, + keys->server_write_key, keyLen ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, + client_secret, slen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), + NULL, 0, + keys->client_write_iv, ivLen ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, + server_secret, slen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), + NULL, 0, + keys->server_write_iv, ivLen ); + if( ret != 0 ) + return( ret ); + + keys->keyLen = keyLen; + keys->ivLen = ivLen; + + return( 0 ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 49f4121137..996a1c79f0 100644 --- a/library/ssl_tls13_keys.h 
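Review bot: `mbedtls_ssl_tls1_3_make_traffic_keys` passes `keyLen` and `ivLen` straight through as output lengths for `keys->client_write_key`/`keys->server_write_key` (sized `MBEDTLS_MAX_KEY_LENGTH`) and `keys->client_write_iv`/`keys->server_write_iv` (sized `MBEDTLS_MAX_IV_LENGTH`), but the only bound enforced downstream is `blen <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN` (255), so a key length between `MBEDTLS_MAX_KEY_LENGTH + 1` and 255 writes past the end of the key arrays. Add a guard at the top of the function, `if( keyLen > sizeof( keys->client_write_key ) || ivLen > sizeof( keys->client_write_iv ) )` / `return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, mirroring the consistency checks in `mbedtls_ssl_tls1_3_hkdf_expand_label`. On an error return part way through, the key material already derived into `keys` is left behind while `keyLen`/`ivLen` are still unset; clearing the structure with `mbedtls_platform_zeroize` on the failure paths, or documenting that `keys` must be treated as unusable after a non-zero return, would avoid a half-populated key set being used.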
+++ b/library/ssl_tls13_keys.h @@ -101,6 +101,42 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( const unsigned char *ctx, size_t clen, unsigned char *buf, size_t blen ); +/** + * \brief This function is part of the TLS 1.3 key schedule. + * It extracts key and IV for the actual client/server traffic + * from the client/server traffic secrets. + * + * From RFC 8446: + * + * + * [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length) + * [sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)* + * + * + * \param hash_alg The identifier for the hash algorithm to be used + * for the HKDF-based expansion of the secret. + * \param client_secret The client traffic secret. + * This must be a readable buffer of size \p slen Bytes + * \param server_secret The server traffic secret. + * This must be a readable buffer of size \p slen Bytes + * \param slen Length of the secrets \p client_secret and + * \p server_secret in Bytes. + * \param keyLen The desired length of the key to be extracted in Bytes. + * \param ivLen The desired length of the IV to be extracted in Bytes. + * \param keys The address of the structure holding the generated + * keys and IVs. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ + +int mbedtls_ssl_tls1_3_make_traffic_keys( + mbedtls_md_type_t hash_alg, + const unsigned char *client_secret, + const unsigned char *server_secret, + size_t slen, size_t keyLen, size_t ivLen, + mbedtls_ssl_key_set *keys ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 19498f8fbd0a525edf191355bf4cbeabde5ddd87 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 13:37:08 +0100 Subject: [PATCH 05/43] Add test vectors for TLS 1.3 traffic key generation Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 12 ++++++++ tests/suites/test_suite_ssl.function | 46 ++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) 
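Review bot: The documentation of `mbedtls_ssl_tls1_3_make_traffic_keys` gives no upper bound for `keyLen` and `ivLen`, although the fixed-size arrays in `mbedtls_ssl_key_set` that receive the output cannot hold values above `MBEDTLS_MAX_KEY_LENGTH`/`MBEDTLS_MAX_IV_LENGTH`; the `\param keyLen` and `\param ivLen` entries should say `This must be at most MBEDTLS_MAX_KEY_LENGTH Bytes.` (respectively `MBEDTLS_MAX_IV_LENGTH`). The quoted RFC formula ends the `[sender]_write_iv` line with a stray `*`, the two "readable buffer of size \p slen Bytes" sentences lack their terminating period, and "extracts" in the brief would read better as "derives", since the function expands secrets rather than extracting them. The `\param keys` entry could add that the `keyLen`/`ivLen` members are set only when all four derivations succeed.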
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 257e3cf223..a14925c6e2 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10454,6 +10454,18 @@ SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6b6579":"":16:"dbfaa693d1762c5b666af5d950258d01" +SSL TLS 1.3 Key schedule: Traffic key generation #1 +# Vector from TLS 1.3 Byte by Byte ((https://tls13.ulfheim.net/) +# Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" + +SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448) +# Vector RFC 8448 +# Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8f5c9edda0..36f10ca61f 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
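Review bot: `SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448)` is byte-for-byte the same vector as #1: it reuses the tls13.ulfheim.net secrets `a2067265…` and `ff0e5b96…` and the same four expected outputs, so the RFC 8448 case is not actually tested. The RFC 8448 handshake traffic secrets already appear in this data file in HKDF Expand Label cases #5–#8 (`b67b7d69…` server, `b3eddb12…` client, keys `3fce5160…`/`dbfaa693…`, IVs `5d313eb2…`/`5bd3c71b…`), so #2 should be rebuilt from those values. The comment `# Vector RFC 8448` is missing "from", and the URL comment on #1 has a doubled opening parenthesis.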
@@ -3696,6 +3696,52 @@ void ssl_tls1_3_hkdf_expand_label( int hash_alg, } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_traffic_key_generation( int hash_alg, + data_t *server_secret, + data_t *client_secret, + int desired_iv_len, + int desired_key_len, + data_t *expected_server_write_key, + data_t *expected_server_write_iv, + data_t *expected_client_write_key, + data_t *expected_client_write_iv ) +{ + mbedtls_ssl_key_set keys; + + /* Check sanity of test parameters. */ + TEST_ASSERT( client_secret->len == server_secret->len ); + TEST_ASSERT( expected_client_write_iv->len == expected_server_write_iv->len && + expected_client_write_iv->len == (size_t) desired_iv_len ); + TEST_ASSERT( expected_client_write_key->len == expected_server_write_key->len && + expected_client_write_key->len == (size_t) desired_key_len ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_make_traffic_keys( + (mbedtls_md_type_t) hash_alg, + client_secret->x, + server_secret->x, + client_secret->len /* == server_secret->len */, + desired_key_len, desired_iv_len, + &keys ) == 0 ); + + TEST_ASSERT( keys.keyLen == (size_t) desired_key_len ); + TEST_ASSERT( keys.ivLen == (size_t) desired_iv_len ); + + TEST_ASSERT( memcmp( keys.client_write_key, + expected_client_write_key->x, + desired_key_len ) == 0 ); + TEST_ASSERT( memcmp( keys.server_write_key, + expected_server_write_key->x, + desired_key_len ) == 0 ); + TEST_ASSERT( memcmp( keys.client_write_iv, + expected_client_write_iv->x, + desired_iv_len ) == 0 ); + TEST_ASSERT( memcmp( keys.server_write_iv, + expected_server_write_iv->x, + desired_iv_len ) == 0 ); +} +/* END_CASE */ + /* BEGIN_CASE */ void ssl_tls_prf( int type, data_t * secret, data_t * random, char *label, data_t *result_hex_str, int exp_ret ) From b35d52240b2b466b9f493f288cae900ec7cc0182 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 13:27:44 +0100 Subject: [PATCH 06/43] Implement TLS 1.3 key derivation function Derive-Secret 
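Review bot: The sanity checks in `ssl_tls1_3_traffic_key_generation` compare the expected lengths with `desired_key_len`/`desired_iv_len` but never compare those with the capacity of `keys`, unlike the HKDF test directly above which asserts `desired_length <= sizeof(dst)`; since `mbedtls_ssl_tls1_3_make_traffic_keys` writes `desired_key_len` bytes into the fixed `MBEDTLS_MAX_KEY_LENGTH`-sized arrays, a mistyped vector would overflow `keys` inside the test instead of failing cleanly. Add `TEST_ASSERT( (size_t) desired_key_len <= sizeof( keys.client_write_key ) );` and `TEST_ASSERT( (size_t) desired_iv_len <= sizeof( keys.client_write_iv ) );` next to the existing checks. The test's parameter order (server secret before client secret, IV length before key length) is the reverse of the library function's; the call site handles it correctly, but a short comment on the signature would make the `.data` rows easier to read.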
Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 42 +++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 4b07aa7f47..d9d5d9846a 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -243,4 +243,46 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( return( 0 ); } +int mbedtls_ssl_tls1_3_derive_secret( + mbedtls_md_type_t hash_alg, + const unsigned char *secret, size_t slen, + const unsigned char *label, size_t llen, + const unsigned char *ctx, size_t clen, + int context_already_hashed, + unsigned char *dstbuf, size_t buflen ) +{ + int ret; + unsigned char hashed_context[ MBEDTLS_MD_MAX_SIZE ]; + + const mbedtls_md_info_t *md; + md = mbedtls_md_info_from_type( hash_alg ); + if( md == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + if( context_already_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED ) + { + ret = mbedtls_md( md, ctx, clen, hashed_context ); + if( ret != 0 ) + return( ret ); + clen = mbedtls_md_get_size( md ); + } + else + { + /* This should never happen since this function is internal + * and the code sets `context_already_hashed` correctly. + * Let's double-check nonetheless to not run at the risk + * of getting a stack overflow. */ + if( clen > sizeof(hashed_context) ) + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + + memcpy( hashed_context, ctx, clen ); + } + + return( mbedtls_ssl_tls1_3_hkdf_expand_label( hash_alg, + secret, slen, + label, llen, + hashed_context, clen, + dstbuf, buflen ) ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 996a1c79f0..c877c06d41 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
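Review bot: In the `else` branch of `mbedtls_ssl_tls1_3_derive_secret` any value of `context_already_hashed` other than `MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED` is treated as "already hashed", and the pre-hashed context is only bounded by `sizeof(hashed_context)` rather than required to be exactly `mbedtls_md_get_size( md )`, which is the length RFC 8446's Derive-Secret always uses for `Hash(Messages)`. Tightening the check to `if( clen != mbedtls_md_get_size( md ) )` / `return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` keeps the stack-overflow protection and additionally catches a caller handing in a digest of the wrong hash, unless some caller legitimately passes a truncated hash, which the hunk does not show. The `memcpy` into `hashed_context` in that branch is not needed either: `ctx` could be forwarded to `mbedtls_ssl_tls1_3_hkdf_expand_label` directly, removing the copy and the buffer-size concern. Comparing explicitly against `MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED` and rejecting any other value would make the flag handling self-documenting.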
@@ -137,6 +137,51 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( size_t slen, size_t keyLen, size_t ivLen, mbedtls_ssl_key_set *keys ); +/** + * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446. + * + * + * Derive-Secret( Secret, Label, Messages ) = + * HKDF-Expand-Label( Secret, Label, + * Hash( Messages ), + * Hash.Length ) ) + * + * + * Note: In this implementation of the function we assume that + * the parameter message contains the already hashed value and + * the Derive-Secret function does not need to hash it again. + * + * \param hash_alg The identifier for the hash function used for the + * applications of HKDF. + * \param secret The \c Secret argument to the \c Derive-Secret function. + * This must be a readable buffer of length \p slen Bytes. + * \param slen The length of \p secret in Bytes. + * \param label The \c Label argument to the \c Derive-Secret function. + * This must be a readable buffer of length \p llen Bytes. + * \param llen The length of \p label in Bytes. + * \param hash The hash of the \c Messages argument to the \c Derive-Secret + * function. This must be a readable buffer of length \p mlen + * hlen Bytes. + * \param hlen The length of \p hash. + * \param dstbuf The target buffer to write the output of \c Derive-Secret to. + * This must be a writable buffer of size \p buflen Bytes. + * \param buflen The length of \p dstbuf in Bytes. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ + +#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0 +#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1 + +int mbedtls_ssl_tls1_3_derive_secret( + mbedtls_md_type_t hash_alg, + const unsigned char *secret, size_t slen, + const unsigned char *label, size_t llen, + const unsigned char *ctx, size_t clen, + int context_already_hashed, + unsigned char *dstbuf, size_t buflen ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ 
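Review bot: The Doxygen block for mbedtls_ssl_tls1_3_derive_secret documents parameters `hash`/`hlen` that the prototype does not have, refers to a `\p mlen` that exists nowhere, and says nothing about `context_already_hashed`, while its "Note" claims the context is always passed pre-hashed, which the flag contradicts. Rename the entries to `\param ctx The \c Messages argument, either the raw transcript or its hash depending on \p context_already_hashed. This must be a readable buffer of length \p clen Bytes.` and `\param clen The length of \p ctx in Bytes.`, add `\param context_already_hashed Either #MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED or #MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED, indicating whether \p ctx still has to be hashed.`, and drop the stale Note. The two `#define`s sit between the comment block and the prototype, so Doxygen will presumably attach the block to the first macro rather than to the function; move them above the comment.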
From e4849d10a6416037f0df7a5d0927d40708ee5d44 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 21 Aug 2020 14:14:14 +0100 Subject: [PATCH 07/43] Add test vectors for TLS 1.3 Derive-Secret Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 16 ++++++++++++++++ tests/suites/test_suite_ssl.function | 27 +++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index a14925c6e2..4db9cfed11 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -10466,6 +10466,22 @@ SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448) depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" +SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Derive-Secret( Early-Secret, "derived", "") +# Tests the case where context isn't yet hashed (empty string here, +# but still needs to be hashed) +# 64657269766564 = hex("derived") +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"64657269766564":"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Derive-Secret( MasterSecret, "s ap traffic", hash) +# Tests the case where context is already hashed +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":"732061702074726166666963":"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 36f10ca61f..b488b23b06 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -3742,6 +3742,33 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_derive_secret( int hash_alg, + data_t *secret, + data_t *label, + data_t *ctx, + int desired_length, + int already_hashed, + data_t *expected ) +{ + unsigned char dst[ 100 ]; + + /* Check sanity of test parameters. */ + TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); + TEST_ASSERT( (size_t) desired_length == expected->len ); + + TEST_ASSERT( mbedtls_ssl_tls1_3_derive_secret( + (mbedtls_md_type_t) hash_alg, + secret->x, secret->len, + label->x, label->len, + ctx->x, ctx->len, + already_hashed, + dst, desired_length ) == 0 ); + + TEST_ASSERT( memcmp( dst, expected->x, desired_length ) == 0 ); +} +/* END_CASE */ + /* BEGIN_CASE */ void ssl_tls_prf( int type, data_t * secret, data_t * random, char *label, data_t *result_hex_str, int exp_ret ) From e9cccb440ce99d12f7ac65b7402e8ba40568c9c1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 20 Aug 2020 13:42:46 +0100 Subject: [PATCH 08/43] Implement TLS 1.3 key evolution function Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 62 ++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 73 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 135 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index d9d5d9846a..1d614556a6 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
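Review bot: `unsigned char dst[ 100 ];` in ssl_tls1_3_derive_secret is a magic size; Derive-Secret's output is Hash.Length, so `unsigned char dst[ MBEDTLS_MD_MAX_SIZE ];` states the intent and matches the buffer used by the sibling key_evolution test. The existing `desired_length <= sizeof(dst)` guard keeps the test safe either way.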
@@ -285,4 +285,66 @@ int mbedtls_ssl_tls1_3_derive_secret( dstbuf, buflen ) ); } +int mbedtls_ssl_tls1_3_evolve_secret( + mbedtls_md_type_t hash_alg, + const unsigned char *secret_old, + const unsigned char *input, size_t input_len, + unsigned char *secret_new ) +{ + int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + size_t hlen, ilen; + unsigned char _secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 }; + unsigned char _input [ MBEDTLS_MD_MAX_SIZE ] = { 0 }; + + const mbedtls_md_info_t *md; + md = mbedtls_md_info_from_type( hash_alg ); + if( md == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + + hlen = mbedtls_md_get_size( md ); + + /* For non-initial runs, call Derive-Secret( ., "derived", "") + * on the old secreet. */ + if( secret_old != NULL ) + { + ret = mbedtls_ssl_tls1_3_derive_secret( + hash_alg, + secret_old, hlen, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ), + NULL, 0, /* context */ + MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, + _secret, hlen ); + if( ret != 0 ) + goto cleanup; + } + + if( input != NULL ) + { + memcpy( _input, input, input_len ); + ilen = input_len; + } + else + { + ilen = hlen; + } + + /* HKDF-Extract takes a salt and input key material. + * The salt is the old secret, and the input key material + * is the input secret (PSK / ECDHE). */ + ret = mbedtls_hkdf_extract( md, + _secret, hlen, + _input, ilen, + secret_new ); + if( ret != 0 ) + goto cleanup; + + ret = 0; + + cleanup: + + mbedtls_platform_zeroize( _secret, sizeof(_secret) ); + mbedtls_platform_zeroize( _input, sizeof(_input) ); + return( ret ); +} + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index c877c06d41..a35e08597d 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
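Review bot: `memcpy( _input, input, input_len );` in mbedtls_ssl_tls1_3_evolve_secret copies a caller-sized buffer into `_input[ MBEDTLS_MD_MAX_SIZE ]` without checking input_len, so an (EC)DHE shared secret longer than MBEDTLS_MD_MAX_SIZE overflows the stack buffer; the header documents no bound on input_len and the accompanying vectors only use 32-byte inputs, so nothing would catch it. The copy is unnecessary: mbedtls_hkdf_extract() reads the IKM through a const pointer, so only the all-zero replacement for a NULL input needs staging. The rewrite below passes `input` in place and keeps `_input` solely as the zero IKM. Separately, `ret = 0;` after the successful extract is redundant and the comment has a typo (`secreet`).
```c
    const unsigned char *ikm;
    size_t hlen, ilen;
    /* … unchanged: _secret/_input zero buffers, md lookup, hlen,
     *   Derive-Secret( ., "derived", "" ) on secret_old … */

    if( input != NULL )
    {
        ikm  = input;
        ilen = input_len;
    }
    else
    {
        /* RFC 8446 Section 7.1: a secret that is not available is
         * replaced by a string of Hash.length zero bytes. */
        ikm  = _input;
        ilen = hlen;
    }

    ret = mbedtls_hkdf_extract( md,
                                _secret, hlen,
                                ikm, ilen,
                                secret_new );
    /* … unchanged: cleanup label and zeroization … */
```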
@@ -182,6 +182,79 @@ int mbedtls_ssl_tls1_3_derive_secret( int context_already_hashed, unsigned char *dstbuf, size_t buflen ); +/** + * \brief Compute the next secret in the TLS 1.3 key schedule + * + * The TLS 1.3 key schedule proceeds as follows to compute + * the three main secrets during the handshake: The early + * secret for early data, the handshake secret for all + * other encrypted handshake messages, and the master + * secret for all application traffic. + * + * + * 0 + * | + * v + * PSK -> HKDF-Extract = Early Secret + * | + * v + * Derive-Secret( ., "derived", "" ) + * | + * v + * (EC)DHE -> HKDF-Extract = Handshake Secret + * | + * v + * Derive-Secret( ., "derived", "" ) + * | + * v + * 0 -> HKDF-Extract = Master Secret + * + * + * Each of the three secrets in turn is the basis for further + * key derivations, such as the derivation of traffic keys and IVs; + * see e.g. mbedtls_ssl_tls1_3_make_traffic_keys(). + * + * This function implements one step in this evolution of secrets: + * + * + * old_secret + * | + * v + * Derive-Secret( ., "derived", "" ) + * | + * v + * input -> HKDF-Extract = new_secret + * + * + * \param hash_alg The identifier for the hash function used for the + * applications of HKDF. + * \param secret_old The address of the buffer holding the old secret + * on function entry. If not \c NULL, this must be a + * readable buffer whose size matches the output size + * of the hash function represented by \p hash_alg. + * If \c NULL, an all \c 0 array will be used instead. + * \param input The address of the buffer holding the additional + * input for the key derivation (e.g., the PSK or the + * ephemeral (EC)DH secret). If not \c NULL, this must be + * a readable buffer whose size \p input_len Bytes. + * If \c NULL, an all \c 0 array will be used instead. + * \param input_len The length of \p input in Bytes. + * \param secret_new The address of the buffer holding the new secret + * on function exit. 
This must be a writable buffer + * whose size matches the output size of the hash + * function represented by \p hash_alg. + * This may be the same as \p secret_old. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + */ + +int mbedtls_ssl_tls1_3_evolve_secret( + mbedtls_md_type_t hash_alg, + const unsigned char *secret_old, + const unsigned char *input, size_t input_len, + unsigned char *secret_new ); + #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 2d2c3eb687b90a788c04a037550bac905bbaf326 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 20 Aug 2020 14:54:24 +0100 Subject: [PATCH 09/43] Add tests for TLS 1.3 key evolution function Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 18 ++++++++++++++++++ tests/suites/test_suite_ssl.function | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 4db9cfed11..0dd4455086 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
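Review bot: The `\param input` entry for mbedtls_ssl_tls1_3_evolve_secret is missing a verb (`a readable buffer whose size \p input_len Bytes`) and, more importantly, states no upper bound on `input_len`, although the implementation in ssl_tls13_keys.c stages `input` in a buffer of `MBEDTLS_MD_MAX_SIZE` Bytes. Either document the limit the implementation enforces or, if the copy is removed, say that `input` is read in place with no size restriction. Suggested wording for the first part: `this must be a readable buffer of size \p input_len Bytes.`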
@@ -10398,6 +10398,24 @@ Decrypt CBC !EtM, 3DES SHA384 trunc, padlen=255 depends_on:MBEDTLS_DES_C:MBEDTLS_SHA512_C:!MBEDTLS_SHA512_NO_SHA384 ssl_decrypt_non_etm_cbc:MBEDTLS_CIPHER_DES_EDE3_CBC:MBEDTLS_MD_SHA384:1:255 +SSL TLS 1.3 Key schedule: Secret evolution #1 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Initial secret to Early Secret +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"":"":"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a" + +SSL TLS 1.3 Key schedule: Secret evolution #2 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Early secret to Handshake Secret +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" + +SSL TLS 1.3 Key schedule: Secret evolution #3 +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) +# Handshake secret to Master Secret +depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL +ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" + SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index b488b23b06..e0588f7f77 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -3769,6 +3769,24 @@ void ssl_tls1_3_derive_secret( int hash_alg, } /* END_CASE */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ +void ssl_tls1_3_key_evolution( int hash_alg, + data_t *secret, + data_t *input, + data_t *expected ) +{ + unsigned char secret_new[ MBEDTLS_MD_MAX_SIZE ]; + + TEST_ASSERT( mbedtls_ssl_tls1_3_evolve_secret( + (mbedtls_md_type_t) hash_alg, + secret->len ? secret->x : NULL, + input->len ? input->x : NULL, input->len, + secret_new ) == 0 ); + + TEST_ASSERT( memcmp( secret_new, expected->x, expected->len ) == 0 ); +} +/* END_CASE */ + /* BEGIN_CASE */ void ssl_tls_prf( int type, data_t * secret, data_t * random, char *label, data_t *result_hex_str, int exp_ret ) From b11c3097a57ce51d2ab1eb87c4c77ad6d1b1cf6b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 10 Aug 2020 17:00:19 +0100 Subject: [PATCH 10/43] Update state of TLS 1.3 functionality in architecture document Signed-off-by: Hanno Becker --- docs/architecture/tls13-experimental.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/architecture/tls13-experimental.md b/docs/architecture/tls13-experimental.md index bcf3e34f96..3db16e0a62 100644 --- a/docs/architecture/tls13-experimental.md +++ b/docs/architecture/tls13-experimental.md @@ -38,3 +38,12 @@ together with their level of testing: - The HKDF key derivation function on which the TLS 1.3 key schedule is based, is already present as an independent module controlled by `MBEDTLS_HKDF_C` independently of the development of the TLS 1.3 prototype. + +- The TLS 1.3-specific HKDF-based key derivation functions (see RFC 8446): + * HKDF-Expand-Label + * Derive-Secret + - Secret evolution + * The traffic {Key,IV} generation from secret + Those functions are implemented in `library/ssl_tls13_keys.c` and + tested in `test_suite_ssl` using test vectors from RFC 8448 and + https://tls13.ulfheim.net/. From 58c5cea73b7763f714f056263a40da56aeb84ca5 Mon Sep 17 00:00:00 2001 
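Review bot: ssl_tls1_3_key_evolution compares `expected->len` bytes of `secret_new[ MBEDTLS_MD_MAX_SIZE ]` without first checking that the vector fits, unlike the sibling tests which validate their parameters up front, so a malformed .data entry would read past the stack buffer. Add `TEST_ASSERT( expected->len == mbedtls_md_get_size( mbedtls_md_info_from_type( hash_alg ) ) );` before the call; it both bounds the read and pins the output length to Hash.length as the key schedule requires.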
From: Hanno Becker Date: Tue, 8 Sep 2020 10:31:33 +0100 Subject: [PATCH 11/43] Include common.h from ssl_tls13_keys.c `common.h` takes care of the logic of chosing the correct configuration file, so we don't need to replicate it in each source file. Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 1d614556a6..53044baed1 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -17,11 +17,7 @@ * limitations under the License. */ -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include "common.h" #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) From 1981cb2972548ffe33953b70a2c65d3730f683b2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:36:29 +0100 Subject: [PATCH 12/43] Use uniform naming for TLS 1.3 label fields Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 53044baed1..20cca31031 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -35,7 +35,7 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = .finished = "finished", .resumption = "resumption", .traffic_upd = "traffic upd", - .export = "exporter", + .exporter = "exporter", .key = "key", .iv = "iv", .sn = "sn", From e4435ea777bbecc453c447e0785cffea7bb27f2e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:43:52 +0100 Subject: [PATCH 13/43] Introduce TLS 1.3 labels in a single place Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 24 ++++++--------------- library/ssl_tls13_keys.h | 46 +++++++++++++++++++++++----------------- 2 files changed, 33 insertions(+), 37 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 20cca31031..c985aafb57 100644 
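Review bot: The rename `.export` → `.exporter` in mbedtls_ssl_tls1_3_labels touches only ssl_tls13_keys.c (the diffstat lists one file), while the struct in ssl_tls13_keys.h still declares the member as `export`, as the old side of the next commit's header hunk shows, so this commit cannot compile on its own and breaks bisection. The following commit's `LABEL( export , "exporter" )` then silently reverts to the old member name. Pick one spelling — `exporter` matches the label string and avoids a name that is reserved in C++ should the header ever be included from there — and change the header in the same commit, i.e. `LABEL( exporter , "exporter" )`.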
--- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -28,30 +28,18 @@ #include #include +#define LABEL( name, string ) \ + .name = string, + struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = { /* This seems to work in C, despite the string literal being one * character too long due to the 0-termination. */ - .finished = "finished", - .resumption = "resumption", - .traffic_upd = "traffic upd", - .exporter = "exporter", - .key = "key", - .iv = "iv", - .sn = "sn", - .c_hs_traffic = "c hs traffic", - .c_ap_traffic = "c ap traffic", - .c_e_traffic = "c e traffic", - .s_hs_traffic = "s hs traffic", - .s_ap_traffic = "s ap traffic", - .s_e_traffic = "s e traffic", - .exp_master = "exp master", - .res_master = "res master", - .ext_binder = "ext binder", - .res_binder = "res binder", - .derived = "derived" + MBEDTLS_SSL_TLS1_3_LABEL_LIST }; +#undef LABEL + /* * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule. * diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index a35e08597d..9efeb0458c 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
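Review bot: The retained comment `This seems to work in C, despite the string literal being one character too long` undersells a well-defined rule: C11 6.7.9 p14 allows a char array of size N to be initialized from a string literal with N non-NUL characters, the terminator is simply not stored. Suggest replacing it with `/* Well-defined: initializing char[N] from an N-character string literal drops the terminating NUL (C11 6.7.9 p14). The fields are therefore NOT NUL-terminated; use sizeof, never strlen. */`. The generic macro name `LABEL` is acceptable here only because it is `#undef`'d immediately after the initializer; a short comment on the `#undef` saying so would help the next reader.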
@@ -20,25 +20,31 @@ #define MBEDTLS_SSL_TLS1_3_KEYS_H #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ - const unsigned char finished [ sizeof("finished") - 1 ]; \ - const unsigned char resumption [ sizeof("resumption") - 1 ]; \ - const unsigned char traffic_upd [ sizeof("traffic upd") - 1 ]; \ - const unsigned char export [ sizeof("exporter") - 1 ]; \ - const unsigned char key [ sizeof("key") - 1 ]; \ - const unsigned char iv [ sizeof("iv") - 1 ]; \ - const unsigned char sn [ sizeof("sn") - 1 ]; \ - const unsigned char c_hs_traffic[ sizeof("c hs traffic") - 1 ]; \ - const unsigned char c_ap_traffic[ sizeof("c ap traffic") - 1 ]; \ - const unsigned char c_e_traffic [ sizeof("c e traffic") - 1 ]; \ - const unsigned char s_hs_traffic[ sizeof("s hs traffic") - 1 ]; \ - const unsigned char s_ap_traffic[ sizeof("s ap traffic") - 1 ]; \ - const unsigned char s_e_traffic [ sizeof("s e traffic") - 1 ]; \ - const unsigned char exp_master [ sizeof("exp master") - 1 ]; \ - const unsigned char res_master [ sizeof("res master") - 1 ]; \ - const unsigned char ext_binder [ sizeof("ext binder") - 1 ]; \ - const unsigned char res_binder [ sizeof("res binder") - 1 ]; \ - const unsigned char derived [ sizeof("derived") - 1 ]; \ + +/* This requires LABEL( name, string ) to be defined at the point of use. + * See e.g. the definition of mbedtls_ssl_tls1_3_labels_union below. 
*/ +#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ + LABEL( finished , "finished" ) \ + LABEL( resumption , "resumption" ) \ + LABEL( traffic_upd , "traffic upd" ) \ + LABEL( export , "exporter" ) \ + LABEL( key , "key" ) \ + LABEL( iv , "iv" ) \ + LABEL( sn , "sn" ) \ + LABEL( c_hs_traffic, "c hs traffic" ) \ + LABEL( c_ap_traffic, "c ap traffic" ) \ + LABEL( c_e_traffic , "c e traffic" ) \ + LABEL( s_hs_traffic, "s hs traffic" ) \ + LABEL( s_ap_traffic, "s ap traffic" ) \ + LABEL( s_e_traffic , "s e traffic" ) \ + LABEL( exp_master , "exp master" ) \ + LABEL( res_master , "res master" ) \ + LABEL( ext_binder , "ext binder" ) \ + LABEL( res_binder , "res binder" ) \ + LABEL( derived , "derived" ) + +#define LABEL( name, string ) \ + const unsigned char name [ sizeof(string) - 1 ]; union mbedtls_ssl_tls1_3_labels_union { @@ -48,6 +54,8 @@ struct mbedtls_ssl_tls1_3_labels_struct { MBEDTLS_SSL_TLS1_3_LABEL_LIST }; +#undef LABEL + extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL ) \ From 9cb0a146f1621a3a4132e71ef61ef69fbc87b72a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:48:14 +0100 Subject: [PATCH 14/43] Remove duplicated computation of TLS 1.3 HKDF label length Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index c985aafb57..a899b7b9f6 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -73,12 +73,17 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = * the HkdfLabel structure on success. */ -#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ +#define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \ ( 2 /* expansion length */ \ + 1 /* label length */ \ - + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ + + label_len \ + 1 /* context length */ \ - + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) + + context_len ) + +#define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ + SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \ + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \ + MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) static void ssl_tls1_3_hkdf_encode_label( size_t desired_length, @@ -89,11 +94,7 @@ static void ssl_tls1_3_hkdf_encode_label( const char label_prefix[6] = { 't', 'l', 's', '1', '3', ' ' }; size_t total_label_len = sizeof( label_prefix ) + llen; size_t total_hkdf_lbl_len = - 2 /* length of expanded key material */ - + 1 /* label length */ - + total_label_len /* actual label, incl. prefix */ - + 1 /* context length */ - + clen; /* actual context */ + SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen ); unsigned char *p = dst; From 939bb4d8f6f10dd79f8fec3f6b1b4b8a9d4fd928 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:48:55 +0100 Subject: [PATCH 15/43] Initialize TLS 1.3 label prefix with string literal This is in line with how the entries of the TLS 1.3 label structure `mbedtls_ssl_tls1_3_labels` are initialized. Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index a899b7b9f6..76c939846f 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
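Review bot: SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN inserts `label_len` and `context_len` into its expansion unparenthesized; both uses on the page pass plain identifiers or macros, but a future argument containing a conditional or comma expression would miscompute silently. Write `+ ( label_len ) \` and `+ ( context_len ) )` in the macro body.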
@@ -91,7 +91,7 @@ static void ssl_tls1_3_hkdf_encode_label( const unsigned char *ctx, size_t clen, unsigned char *dst, size_t *dlen ) { - const char label_prefix[6] = { 't', 'l', 's', '1', '3', ' ' }; + const char label_prefix[6] = "tls13 "; size_t total_label_len = sizeof( label_prefix ) + llen; size_t total_hkdf_lbl_len = SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen ); From 73c825ae4fb6a83f2986d7adb2c21122fb548403 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:52:58 +0100 Subject: [PATCH 16/43] Shorten include path in test_suite_ssl.function Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index e0588f7f77..8a24320f0c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -6,7 +6,7 @@ #include #include #include -#include <../library/ssl_tls13_keys.h> +#include #include From f376cee8b4bf2078025188c01c7fa5b050b31b26 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:53:45 +0100 Subject: [PATCH 17/43] Remove redundant dependency in TLS 1.3 key generation tests The relevant test functions are already marked as depending on `MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL`, so there's no need to re-state this dependency for each test case. Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 0dd4455086..e896c019f8 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
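Review bot: `const char label_prefix[6] = "tls13 ";` fills the array exactly with no terminating NUL, which is valid C (C11 6.7.9 p14) but makes label_prefix a byte array rather than a C string; the following `sizeof( label_prefix ) + llen` relies on that. A one-line comment would prevent a later "fix" to `[7]` or a `strlen()` call: `/* No NUL terminator: label_prefix is a 6-byte prefix, not a C string. */`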
@@ -10407,81 +10407,69 @@ ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"":"":"33ad0a1c607ec03b09e6cd9893680c SSL TLS 1.3 Key schedule: Secret evolution #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Early secret to Handshake Secret -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"df4a291baa1eb7cfa6934b29b474baad2697e29f1f920dcc77c8a0a088447624":"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a" SSL TLS 1.3 Key schedule: Secret evolution #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Handshake secret to Master Secret -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_key_evolution:MBEDTLS_MD_SHA256:"fb9fc80689b3a5d02c33243bf69a1b1b20705588a794304a6e7120155edf149a":"":"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d" SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6b6579":"":16:"844780a7acad9f980fa25c114e43402a" SSL TLS 1.3 Key schedule: HKDF Expand Label #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6976":"":12:"4c042ddc120a38d1417fc815" SSL TLS 1.3 Key schedule: HKDF Expand Label #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic key # 
HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6b6579":"":16:"7154f314e6be7dc008df2c832baa1d39" SSL TLS 1.3 Key schedule: HKDF Expand Label #4 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6976":"":12:"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: HKDF Expand Label #5 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6976":"":12:"5d313eb2671276ee13000b30" SSL TLS 1.3 Key schedule: HKDF Expand Label #6 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic Key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6b6579":"":16:"3fce516009c21727d0f2e4e86ee403bc" SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6976":"":12:"5bd3c71b836e0b76bb73265f" SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) # Vector from RFC 8448 # Client 
handshake traffic secret -> Client traffic Key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6b6579":"":16:"dbfaa693d1762c5b666af5d950258d01" SSL TLS 1.3 Key schedule: Traffic key generation #1 # Vector from TLS 1.3 Byte by Byte ((https://tls13.ulfheim.net/) # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448) # Vector RFC 8448 # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") 
@@ -10490,14 +10478,12 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") # Tests the case where context isn't yet hashed (empty string here, # but still needs to be hashed) # 64657269766564 = hex("derived") -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"64657269766564":"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( MasterSecret, "s ap traffic", hash) # Tests the case where context is already hashed -depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":"732061702074726166666963":"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE From fb08096b9b477a461d0c81d7a35455d86a0ec723 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 10:58:42 +0100 Subject: [PATCH 18/43] Use ASSERT_COMPARE instead of TEST_ASSERT( memcmp( ... ) == 0 ) Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.function | 40 +++++++++++++++------------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8a24320f0c..6a2871f8b0 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3692,7 +3692,8 @@ void ssl_tls1_3_hkdf_expand_label( int hash_alg, ctx->x, ctx->len, dst, desired_length ) == 0 ); - TEST_ASSERT( memcmp( dst, expected->x, desired_length ) == 0 ); + ASSERT_COMPARE( dst, (size_t) desired_length, + expected->x, (size_t) expected->len ); } /* END_CASE */ 
@@ -3724,21 +3725,22 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, desired_key_len, desired_iv_len, &keys ) == 0 ); - TEST_ASSERT( keys.keyLen == (size_t) desired_key_len ); - TEST_ASSERT( keys.ivLen == (size_t) desired_iv_len ); - - TEST_ASSERT( memcmp( keys.client_write_key, - expected_client_write_key->x, - desired_key_len ) == 0 ); - TEST_ASSERT( memcmp( keys.server_write_key, - expected_server_write_key->x, - desired_key_len ) == 0 ); - TEST_ASSERT( memcmp( keys.client_write_iv, - expected_client_write_iv->x, - desired_iv_len ) == 0 ); - TEST_ASSERT( memcmp( keys.server_write_iv, - expected_server_write_iv->x, - desired_iv_len ) == 0 ); + ASSERT_COMPARE( keys.client_write_key, + keys.keyLen, + expected_client_write_key->x, + (size_t) desired_key_len ); + ASSERT_COMPARE( keys.server_write_key, + keys.keyLen, + expected_server_write_key->x, + (size_t) desired_key_len ); + ASSERT_COMPARE( keys.client_write_iv, + keys.ivLen, + expected_client_write_iv->x, + (size_t) desired_iv_len ); + ASSERT_COMPARE( keys.server_write_iv, + keys.ivLen, + expected_server_write_iv->x, + (size_t) desired_iv_len ); } /* END_CASE */ @@ -3765,7 +3767,8 @@ void ssl_tls1_3_derive_secret( int hash_alg, already_hashed, dst, desired_length ) == 0 ); - TEST_ASSERT( memcmp( dst, expected->x, desired_length ) == 0 ); + ASSERT_COMPARE( dst, desired_length, + expected->x, desired_length ); } /* END_CASE */ @@ -3783,7 +3786,8 @@ void ssl_tls1_3_key_evolution( int hash_alg, input->len ? input->x : NULL, input->len, secret_new ) == 0 ); - TEST_ASSERT( memcmp( secret_new, expected->x, expected->len ) == 0 ); + ASSERT_COMPARE( secret_new, (size_t) expected->len, + expected->x, (size_t) expected->len ); } /* END_CASE */ From 493ea7f4ae7afa79b8be7a7bd23767abed03014e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:01:00 +0100 Subject: [PATCH 19/43] Remove instances of camelCase in TLS 1.3 key schedule 
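Review bot: In the ssl_tls1_3_derive_secret hunk the new assertion passes the raw `int desired_length` for both lengths, whereas the ssl_tls1_3_hkdf_expand_label and ssl_tls1_3_key_evolution hunks in this same commit cast to `size_t` and compare against `expected->len`. Using the same form here, `ASSERT_COMPARE( dst, (size_t) desired_length, expected->x, (size_t) expected->len );`, keeps the four hunks consistent and makes the comparison itself fail if a vector's expected length and `desired_length` ever disagree, instead of relying only on the earlier sanity check. All four test bodies start outside their hunks.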
Signed-off-by: Hanno Becker --- include/mbedtls/ssl_internal.h | 8 ++++---- library/ssl_tls13_keys.c | 14 +++++++------- library/ssl_tls13_keys.h | 6 +++--- tests/suites/test_suite_ssl.function | 8 ++++---- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 6167f567c1..617bdc74f7 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -395,10 +395,10 @@ struct mbedtls_ssl_key_set /*! The IV for server->client records. */ unsigned char server_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; - size_t keyLen; /*!< The length of client_write_key and - * server_write_key, in Bytes. */ - size_t ivLen; /*!< The length of client_write_iv and - * server_write_iv, in Bytes. */ + size_t key_len; /*!< The length of client_write_key and + * server_write_key, in Bytes. */ + size_t iv_len; /*!< The length of client_write_iv and + * server_write_iv, in Bytes. */ }; typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 76c939846f..c334dbca6a 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -185,7 +185,7 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( mbedtls_md_type_t hash_alg, const unsigned char *client_secret, const unsigned char *server_secret, - size_t slen, size_t keyLen, size_t ivLen, + size_t slen, size_t key_len, size_t iv_len, mbedtls_ssl_key_set *keys ) { int ret = 0; @@ -194,7 +194,7 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( client_secret, slen, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, - keys->client_write_key, keyLen ); + keys->client_write_key, key_len ); if( ret != 0 ) return( ret ); @@ -202,7 +202,7 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( server_secret, slen, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, - keys->server_write_key, keyLen ); + keys->server_write_key, key_len ); if( ret != 0 ) return( ret ); 
@@ -210,7 +210,7 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( client_secret, slen, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, - keys->client_write_iv, ivLen ); + keys->client_write_iv, iv_len ); if( ret != 0 ) return( ret ); @@ -218,12 +218,12 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( server_secret, slen, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, - keys->server_write_iv, ivLen ); + keys->server_write_iv, iv_len ); if( ret != 0 ) return( ret ); - keys->keyLen = keyLen; - keys->ivLen = ivLen; + keys->key_len = key_len; + keys->iv_len = iv_len; return( 0 ); } diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 9efeb0458c..62e94d3601 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -129,8 +129,8 @@ int mbedtls_ssl_tls1_3_hkdf_expand_label( * This must be a readable buffer of size \p slen Bytes * \param slen Length of the secrets \p client_secret and * \p server_secret in Bytes. - * \param keyLen The desired length of the key to be extracted in Bytes. - * \param ivLen The desired length of the IV to be extracted in Bytes. + * \param key_len The desired length of the key to be extracted in Bytes. + * \param iv_len The desired length of the IV to be extracted in Bytes. * \param keys The address of the structure holding the generated * keys and IVs. * @@ -142,7 +142,7 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( mbedtls_md_type_t hash_alg, const unsigned char *client_secret, const unsigned char *server_secret, - size_t slen, size_t keyLen, size_t ivLen, + size_t slen, size_t key_len, size_t iv_len, mbedtls_ssl_key_set *keys ); /** diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 6a2871f8b0..58abef8460 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -3726,19 +3726,19 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, &keys ) == 0 ); ASSERT_COMPARE( keys.client_write_key, - keys.keyLen, + keys.key_len, expected_client_write_key->x, (size_t) desired_key_len ); ASSERT_COMPARE( keys.server_write_key, - keys.keyLen, + keys.key_len, expected_server_write_key->x, (size_t) desired_key_len ); ASSERT_COMPARE( keys.client_write_iv, - keys.ivLen, + keys.iv_len, expected_client_write_iv->x, (size_t) desired_iv_len ); ASSERT_COMPARE( keys.server_write_iv, - keys.ivLen, + keys.iv_len, expected_server_write_iv->x, (size_t) desired_iv_len ); } From ab2ce23f92df2d90dcc9a81fac0cf9621fea9713 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:09:32 +0100 Subject: [PATCH 20/43] Fix typo in SSL test suite Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index e896c019f8..8a2b96a037 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10463,7 +10463,7 @@ SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6b6579":"":16:"dbfaa693d1762c5b666af5d950258d01" SSL TLS 1.3 Key schedule: Traffic key generation #1 -# Vector from TLS 1.3 Byte by Byte ((https://tls13.ulfheim.net/) +# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268" From 00debc734b18bad0e9d7a1e4b5bf969add448d6e Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Tue, 8 Sep 2020 11:12:24 +0100 Subject: [PATCH 21/43] Minor improvement in ssl_tls13_keys.c Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index c334dbca6a..8725d14950 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -111,7 +111,7 @@ static void ssl_tls1_3_hkdf_encode_label( /* Add context value */ *p++ = (unsigned char)( clen & 0xFF ); - if( ctx != NULL ) + if( clen != 0 ) memcpy( p, ctx, clen ); /* Return total length to the caller. */ From 815869ac9c5d04d81095d1919cbb1adb84e8f9e2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:16:16 +0100 Subject: [PATCH 22/43] Improve documentation of ssl_tls1_3_hkdf_encode_label() Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 8725d14950..ec2fe3b235 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -62,6 +62,8 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = * The label length MUST be * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN * It is the caller's responsiblity to ensure this. + * All (label, label length) pairs used in TLS 1.3 + * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). * - (ctx, clen): context + context length * The context length MUST be * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN From 1588983ef0828df82a71db33b5ed5eeb574c94bc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:29:11 +0100 Subject: [PATCH 23/43] Introduce macros for max-{IV,block,key}-size for ciphers used in TLS See the documentation in ssl_internal.h that this commit introduces for more information. 
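Review bot: With the guard now `if( clen != 0 )`, a caller passing `ctx == NULL` together with a non-zero `clen` reaches `memcpy( p, ctx, clen )` and dereferences NULL, where the previous guard silently emitted a length byte with no context bytes behind it; the new behaviour is the safer one, but the contract is only implied. Since the context line `*p++ = (unsigned char)( clen & 0xFF );` also silently truncates any `clen` above 255, the bound on `clen` is load-bearing and should be stated next to the write, e.g. `/* ctx may be NULL only when clen == 0; clen <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN is the caller's responsibility. */`. ssl_tls1_3_hkdf_encode_label() starts outside this hunk, so whether an earlier check already rejects oversized contexts is not visible here.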
Signed-off-by: Hanno Becker --- include/mbedtls/cipher.h | 13 ++++++++++--- include/mbedtls/ssl_internal.h | 30 ++++++++++++++++++++++++++---- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 8a6c8ebdbc..8827e0b799 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -227,17 +227,24 @@ enum { }; /** Maximum length of any IV, in Bytes. */ -/* This should ideally be derived automatically from list of ciphers. */ +/* This should ideally be derived automatically from list of ciphers. + * This should be kept in sync with MBEDTLS_SSL_MAX_IV_LENGTH defined + * in ssl_internal.h. */ #define MBEDTLS_MAX_IV_LENGTH 16 /** Maximum block size of any cipher, in Bytes. */ -/* This should ideally be derived automatically from list of ciphers. */ +/* This should ideally be derived automatically from list of ciphers. + * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined + * in ssl_internal.h. */ #define MBEDTLS_MAX_BLOCK_LENGTH 16 /** Maximum key length, in Bytes. */ /* This should ideally be derived automatically from list of ciphers. * For now, only check whether XTS is enabled which uses 64 Byte keys, - * and use 32 Bytes as an upper bound for the maximum key length otherwise. */ + * and use 32 Bytes as an upper bound for the maximum key length otherwise. + * This should be kept in sync with MBEDTLS_SSL_MAX_BLOCK_LENGTH defined + * in ssl_internal.h, which however deliberately ignores the case of XTS + * since the latter isn't used in SSL/TLS. */ #if defined(MBEDTLS_CIPHER_MODE_XTS) #define MBEDTLS_MAX_KEY_LENGTH 64 #else diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 617bdc74f7..2c30855f5a 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
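Review bot: The new comment on `MBEDTLS_MAX_KEY_LENGTH` points at the wrong macro: it says the value should be kept in sync with `MBEDTLS_SSL_MAX_BLOCK_LENGTH`, but the SSL-side counterpart of a key length is `MBEDTLS_SSL_MAX_KEY_LENGTH`, which this same commit introduces in ssl_internal.h. The line should read `* This should be kept in sync with MBEDTLS_SSL_MAX_KEY_LENGTH defined`. Because these cross-references are the only thing tying the two headers together, a mis-named one sends the next maintainer to the wrong definition when a cipher with a longer key is added.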
@@ -379,7 +379,29 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ); +/* cipher.h exports the maximum IV, key and block length from all + * all ciphers enabled in the config, regardless of whether those + * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled + * in the default configuration and uses 64 Byte keys, but it is + * not used for record protection in SSL/TLS. + * + * In order to prevent unnecessary inflation of key structures, + * we introduce SSL-specific variants of the max-{key,block,IV} + * macros here which are meant to only take those ciphers into + * account which can be negotiated in SSL/TLS. + * + * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH + * in cipher.h are rough overapproximations of the real maxima, here + * we content ourselves with defining replicating those overapproximations + * for the maximum block and IV length, and excluding XTS from the + * computation of the maximum key length. */ +#define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 +#define MBEDTLS_SSL_MAX_IV_LENGTH 16 +#define MBEDTLS_SSL_MAX_KEY_LENGTH 32 + + #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + /** * \brief The data structure holding the cryptographic material (key and IV) * used for record protection in TLS 1.3. 
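Review bot: The new `MBEDTLS_SSL_MAX_{BLOCK,IV,KEY}_LENGTH` definitions rely on a comment asking that they be kept in sync with cipher.h, but nothing enforces that an SSL-specific value never exceeds the generic one it is supposed to be a restriction of. A preprocessor guard makes the relationship checkable at build time, e.g. `#if MBEDTLS_SSL_MAX_KEY_LENGTH > MBEDTLS_MAX_KEY_LENGTH` / `#error "MBEDTLS_SSL_MAX_KEY_LENGTH exceeds MBEDTLS_MAX_KEY_LENGTH"` / `#endif`, and likewise for the IV and block lengths, provided cipher.h is already included where these macros are defined (not visible in this hunk). The explanatory comment also has a doubled word in `from all * all ciphers enabled`.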
@@ -387,13 +409,13 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, struct mbedtls_ssl_key_set { /*! The key for client->server records. */ - unsigned char client_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; /*! The key for server->client records. */ - unsigned char server_write_key[ MBEDTLS_MAX_KEY_LENGTH ]; + unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ]; /*! The IV for client->server records. */ - unsigned char client_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; /*! The IV for server->client records. */ - unsigned char server_write_iv[ MBEDTLS_MAX_IV_LENGTH ]; + unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ]; size_t key_len; /*!< The length of client_write_key and * server_write_key, in Bytes. */ From a3a5a4e1f9fd57364c34ddb42aba00db7b78df95 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 8 Sep 2020 11:33:48 +0100 Subject: [PATCH 24/43] Please check-names.sh Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 4 ++-- library/ssl_tls13_keys.h | 45 ++++++++++++++++++++-------------------- 2 files changed, 25 insertions(+), 24 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ec2fe3b235..7befbeaee4 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -28,7 +28,7 @@ #include #include -#define LABEL( name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = @@ -38,7 +38,7 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = MBEDTLS_SSL_TLS1_3_LABEL_LIST }; -#undef LABEL +#undef MBEDTLS_SSL_TLS1_3_LABEL /* * This function creates a HkdfLabel structure used in the TLS 1.3 key schedule. diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 62e94d3601..2b15859ea2 100644 --- a/library/ssl_tls13_keys.h 
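Review bot: The key and IV arrays in `mbedtls_ssl_key_set` are now sized by `MBEDTLS_SSL_MAX_KEY_LENGTH` / `MBEDTLS_SSL_MAX_IV_LENGTH`, but the writer, `mbedtls_ssl_tls1_3_make_traffic_keys()`, passes the caller-supplied `key_len` and `iv_len` straight to `mbedtls_ssl_tls1_3_hkdf_expand_label()` as the output lengths for these arrays (see the PATCH 19 hunks in ssl_tls13_keys.c), and no check against the array sizes is visible in the parts of that function shown here. If no such check exists outside the visible hunks, a caller asking for more than 32 key bytes or 16 IV bytes writes past the struct. A guard at the top of `mbedtls_ssl_tls1_3_make_traffic_keys()`, `if( key_len > MBEDTLS_SSL_MAX_KEY_LENGTH || iv_len > MBEDTLS_SSL_MAX_IV_LENGTH ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, closes this, and the field comments on `key_len` / `iv_len` should state that they are bounded by the respective macros.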
+++ b/library/ssl_tls13_keys.h 
@@ -21,29 +21,30 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -/* This requires LABEL( name, string ) to be defined at the point of use. - * See e.g. the definition of mbedtls_ssl_tls1_3_labels_union below. */ +/* This requires MBEDTLS_SSL_TLS1_3_LABEL( name, string ) to be defined at + * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union + * below. */ #define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ - LABEL( finished , "finished" ) \ - LABEL( resumption , "resumption" ) \ - LABEL( traffic_upd , "traffic upd" ) \ - LABEL( export , "exporter" ) \ - LABEL( key , "key" ) \ - LABEL( iv , "iv" ) \ - LABEL( sn , "sn" ) \ - LABEL( c_hs_traffic, "c hs traffic" ) \ - LABEL( c_ap_traffic, "c ap traffic" ) \ - LABEL( c_e_traffic , "c e traffic" ) \ - LABEL( s_hs_traffic, "s hs traffic" ) \ - LABEL( s_ap_traffic, "s ap traffic" ) \ - LABEL( s_e_traffic , "s e traffic" ) \ - LABEL( exp_master , "exp master" ) \ - LABEL( res_master , "res master" ) \ - LABEL( ext_binder , "ext binder" ) \ - LABEL( res_binder , "res binder" ) \ - LABEL( derived , "derived" ) + MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( export , "exporter" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( sn , "sn" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \ + 
MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" ) -#define LABEL( name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; union mbedtls_ssl_tls1_3_labels_union @@ -54,7 +55,7 @@ struct mbedtls_ssl_tls1_3_labels_struct { MBEDTLS_SSL_TLS1_3_LABEL_LIST }; -#undef LABEL +#undef MBEDTLS_SSL_TLS1_3_LABEL extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; From 9a7a2ac2dec56b68f2c766ff5a47f9a829841b77 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 09:24:54 +0100 Subject: [PATCH 25/43] Fix typo in ssl_internal.h Signed-off-by: Hanno Becker --- include/mbedtls/ssl_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 2c30855f5a..c6847ba58e 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -392,7 +392,7 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, * * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH * in cipher.h are rough overapproximations of the real maxima, here - * we content ourselves with defining replicating those overapproximations + * we content ourselves with replicating those overapproximations * for the maximum block and IV length, and excluding XTS from the * computation of the maximum key length. */ #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 From 90551c7a26f798afe968011bfd2655768cbc31fd Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 09:25:23 +0100 Subject: [PATCH 26/43] Use uniform naming scheme for TLS 1.3 label structure Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 2b15859ea2..64caa8a1bc 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -28,7 +28,7 @@ MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( export , "exporter" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \ MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ MBEDTLS_SSL_TLS1_3_LABEL( sn , "sn" ) \ From 70d7fb0c2df35e3086503590f5a2a48cef0a822d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 10:11:21 +0100 Subject: [PATCH 27/43] Don't hardcode TLS 1.3 labels in test cases ssl_tls1_3_keys.c exports a structure containing all labels used in the TLS 1.3 key schedule, but the TLS 1.3 key scheduling unit tests so far replicated those labels in the test file. In particular, wrong label values in ssl_tls1_3_keys.c wouldn't have been caught by the unit tests. This commit modifies the TLS 1.3 key schedule unit tests to use the TLS 1.3 labels as exported by ssl_tls1_3_keys.c. This not only makes sure that those labels are correct, but also avoids hardcoding their hex-encoding in the test file. Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- library/ssl_tls13_keys.h | 40 ++++++++++++++-------------- tests/suites/test_suite_ssl.data | 21 +++++++-------- tests/suites/test_suite_ssl.function | 36 ++++++++++++++++++++++--- 4 files changed, 63 insertions(+), 36 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 7befbeaee4..1730501fae 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -28,7 +28,7 @@ #include #include -#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ .name = string, struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 64caa8a1bc..ee6572f280 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -21,30 +21,30 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) -/* This requires MBEDTLS_SSL_TLS1_3_LABEL( name, string ) to be defined at +/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union * below. */ #define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ - MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( sn , "sn" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( res_master , "res master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" ) + MBEDTLS_SSL_TLS1_3_LABEL( 0, finished , "finished" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 1, resumption , "resumption" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 2, traffic_upd , "traffic upd" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 3, exporter , "exporter" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 4, key , "key" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 5, iv , "iv" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 6, sn , "sn" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 7, c_hs_traffic, "c hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 8, c_ap_traffic, "c ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 9, c_e_traffic , "c e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 10, s_hs_traffic, "s hs traffic" ) \ + 
MBEDTLS_SSL_TLS1_3_LABEL( 11, s_ap_traffic, "s ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 12, s_e_traffic , "s e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 13, exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 14, res_master , "res master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 15, ext_binder , "ext binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 16, res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 17, derived , "derived" ) -#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; union mbedtls_ssl_tls1_3_labels_union diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 8a2b96a037..badb116265 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
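Review bot: The new `idx` argument of `MBEDTLS_SSL_TLS1_3_LABEL` carries no documentation, and its role — a test-only integer tag that the unit tests use to name a label symbolically in the .data file — has to be inferred from the test_suite_ssl.function hunk of this same commit. Adding that to the comment above the list, e.g. `/* idx is an integer tag used by the unit tests to refer to the label symbolically; the values must be distinct but carry no meaning in the library. */`, prevents a reader from assuming the numbers encode a protocol-level ordering. Since the tests reference labels by name, a later insertion only needs a distinct value rather than a renumbering of everything after it.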
@@ -10418,49 +10418,49 @@ SSL TLS 1.3 Key schedule: HKDF Expand Label #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6b6579":"":16:"844780a7acad9f980fa25c114e43402a" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls1_3_label_key:"":16:"844780a7acad9f980fa25c114e43402a" SSL TLS 1.3 Key schedule: HKDF Expand Label #2 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"6976":"":12:"4c042ddc120a38d1417fc815" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":tls1_3_label_iv:"":12:"4c042ddc120a38d1417fc815" SSL TLS 1.3 Key schedule: HKDF Expand Label #3 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6b6579":"":16:"7154f314e6be7dc008df2c832baa1d39" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls1_3_label_key:"":16:"7154f314e6be7dc008df2c832baa1d39" SSL TLS 1.3 Key schedule: HKDF Expand Label #4 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) 
-ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":"6976":"":12:"71abc2cae4c699d47c600268" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":tls1_3_label_iv:"":12:"71abc2cae4c699d47c600268" SSL TLS 1.3 Key schedule: HKDF Expand Label #5 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic IV # HKDF-Expand-Label(server_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6976":"":12:"5d313eb2671276ee13000b30" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls1_3_label_iv:"":12:"5d313eb2671276ee13000b30" SSL TLS 1.3 Key schedule: HKDF Expand Label #6 (RFC 8448) # Vector from RFC 8448 # Server handshake traffic secret -> Server traffic Key # HKDF-Expand-Label(server_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":"6b6579":"":16:"3fce516009c21727d0f2e4e86ee403bc" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b67b7d690cc16c4e75e54213cb2d37b4e9c912bcded9105d42befd59d391ad38":tls1_3_label_key:"":16:"3fce516009c21727d0f2e4e86ee403bc" SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic IV # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6976":"":12:"5bd3c71b836e0b76bb73265f" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_iv:"":12:"5bd3c71b836e0b76bb73265f" SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> 
Client traffic Key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) -ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":"6b6579":"":16:"dbfaa693d1762c5b666af5d950258d01" +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_key:"":16:"dbfaa693d1762c5b666af5d950258d01" SSL TLS 1.3 Key schedule: Traffic key generation #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) 
@@ -10477,14 +10477,13 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") # Derive-Secret( Early-Secret, "derived", "") # Tests the case where context isn't yet hashed (empty string here, # but still needs to be hashed) -# 64657269766564 = hex("derived") -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"64657269766564":"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls1_3_label_derived:"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( MasterSecret, "s ap traffic", hash) # Tests the case where context is already hashed -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":"732061702074726166666963":"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls1_3_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 58abef8460..153242925d 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function 
@@ -12,6 +12,11 @@ #include +#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ + const int tls1_3_label_ ## name = idx; +MBEDTLS_SSL_TLS1_3_LABEL_LIST +#undef MBEDTLS_SSL_TLS1_3_LABEL + typedef struct log_pattern { const char *pattern; @@ -3673,13 +3678,24 @@ exit: /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ void ssl_tls1_3_hkdf_expand_label( int hash_alg, data_t *secret, - data_t *label, + int label_idx, data_t *ctx, int desired_length, data_t *expected ) { unsigned char dst[ 100 ]; + unsigned char const *lbl = NULL; + size_t lbl_len; +#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ + if( label_idx == tls1_3_label_ ## name ) \ + { \ + lbl = mbedtls_ssl_tls1_3_labels.name; \ + lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ + } +MBEDTLS_SSL_TLS1_3_LABEL_LIST +#undef MBEDTLS_SSL_TLS1_3_LABEL + TEST_ASSERT( lbl != NULL ); /* Check sanity of test parameters. */ TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); @@ -3688,7 +3704,7 @@ void ssl_tls1_3_hkdf_expand_label( int hash_alg, TEST_ASSERT( mbedtls_ssl_tls1_3_hkdf_expand_label( (mbedtls_md_type_t) hash_alg, secret->x, secret->len, - label->x, label->len, + lbl, lbl_len, ctx->x, ctx->len, dst, desired_length ) == 0 ); @@ -3747,7 +3763,7 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg, /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ void ssl_tls1_3_derive_secret( int hash_alg, data_t *secret, - data_t *label, + int label_idx, data_t *ctx, int desired_length, int already_hashed, 
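Review bot: `size_t lbl_len;` in the ssl_tls1_3_hkdf_expand_label hunk is left uninitialised and is only assigned inside the macro-generated `if` chain; the `TEST_ASSERT( lbl != NULL )` keeps it from being read on a miss, but a compiler cannot see that and will flag the `lbl_len` argument under `-Wmaybe-uninitialized`, so initialise it as `size_t lbl_len = 0;`. The same macro-expanded lookup is pasted verbatim into ssl_tls1_3_derive_secret in the next hunk, with the same issue; a single static helper next to the `tls1_3_label_*` constants defined at the top of the file would reduce each test body to a one-line call. Both test functions continue outside their hunks.
```c
/* Resolve a tls1_3_label_* index to the label bytes exported by
 * ssl_tls13_keys.c; returns 0 on success and leaves *lbl NULL on a miss. */
static int tls1_3_label_lookup( int label_idx,
                                unsigned char const **lbl,
                                size_t *lbl_len )
{
    *lbl = NULL;
    *lbl_len = 0;
#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string )               \
    if( label_idx == tls1_3_label_ ## name )                        \
    {                                                               \
        *lbl = mbedtls_ssl_tls1_3_labels.name;                      \
        *lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name );        \
    }
MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
    return( *lbl == NULL ? -1 : 0 );
}

/* … in ssl_tls1_3_hkdf_expand_label() and ssl_tls1_3_derive_secret(),
 * replacing the per-test macro block … */
    unsigned char const *lbl = NULL;
    size_t lbl_len = 0;
    TEST_ASSERT( tls1_3_label_lookup( label_idx, &lbl, &lbl_len ) == 0 );
```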
@@ -3755,6 +3771,18 @@ void ssl_tls1_3_derive_secret( int hash_alg, { unsigned char dst[ 100 ]; + unsigned char const *lbl = NULL; + size_t lbl_len; +#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ + if( label_idx == tls1_3_label_ ## name ) \ + { \ + lbl = mbedtls_ssl_tls1_3_labels.name; \ + lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ + } +MBEDTLS_SSL_TLS1_3_LABEL_LIST +#undef MBEDTLS_SSL_TLS1_3_LABEL + TEST_ASSERT( lbl != NULL ); + /* Check sanity of test parameters. */ TEST_ASSERT( (size_t) desired_length <= sizeof(dst) ); TEST_ASSERT( (size_t) desired_length == expected->len ); @@ -3762,7 +3790,7 @@ void ssl_tls1_3_derive_secret( int hash_alg, TEST_ASSERT( mbedtls_ssl_tls1_3_derive_secret( (mbedtls_md_type_t) hash_alg, secret->x, secret->len, - label->x, label->len, + lbl, lbl_len, ctx->x, ctx->len, already_hashed, dst, desired_length ) == 0 ); From 00cfc1ce5260812d42d03da33cf942c6cb192354 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 10:41:23 +0100 Subject: [PATCH 28/43] Add "e exp master" TLS 1.3 key schedule label Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index ee6572f280..b75c5cea37 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -38,11 +38,12 @@ MBEDTLS_SSL_TLS1_3_LABEL( 10, s_hs_traffic, "s hs traffic" ) \ MBEDTLS_SSL_TLS1_3_LABEL( 11, s_ap_traffic, "s ap traffic" ) \ MBEDTLS_SSL_TLS1_3_LABEL( 12, s_e_traffic , "s e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 13, exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 13, e_exp_master, "e exp master" ) \ MBEDTLS_SSL_TLS1_3_LABEL( 14, res_master , "res master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 15, ext_binder , "ext binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 16, res_binder , "res binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 17, derived , "derived" ) + MBEDTLS_SSL_TLS1_3_LABEL( 15, exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 16, ext_binder , "ext binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 17, res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 18, derived , "derived" ) #define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; From 81e91d46adb93c6be74e3fbe29bbf05e4381bfe4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 10:41:43 +0100 Subject: [PATCH 29/43] Add further unit tests for TLS 1.3 key schedule Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 42 +++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index badb116265..9ecea11120 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -10456,12 +10456,20 @@ SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_iv:"":12:"5bd3c71b836e0b76bb73265f" -SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) +SSL TLS 1.3 Key schedule: HKDF Expand Label (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic Key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_key:"":16:"dbfaa693d1762c5b666af5d950258d01" +SSL TLS 1.3 Key schedule: HKDF Expand Label #9 (RFC 8448) +# Calculation of finished_key +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":tls1_3_label_finished:"":32:"5ace394c26980d581243f627d1150ae27e37fa52364e0a7f20ac686d09cd0e8e" + +SSL TLS 1.3 Key schedule: HKDF Expand Label #10 (RFC 8448) +# Calculation of resumption key +ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"7df235f2031d2a051287d02b0241b0bfdaf86cc856231f2d5aba46c434ec196c":tls1_3_label_resumption:"0000":32:"4ecd0eb6ec3b4d87f5d6028f922ca4c5851a277fd41311c9e62d2c9492e1c4f3" + SSL TLS 1.3 Key schedule: Traffic key generation #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Client/Server handshake traffic secrets -> Client/Server traffic {Key,IV} 
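Review bot: The comments on the new #9 and #10 cases name only the derived value, while the neighbouring cases spell out the HKDF-Expand-Label call, so a reader cannot tell which secret is the base key without recomputing it. For #9 the secret is exactly the value the "c hs traffic" Derive-Secret case added later in this file produces, so `# HKDF-Expand-Label(client_handshake_traffic_secret, "finished", "", 32)` would match the existing style; for #10 the 2-byte context `0000` is presumably the ticket_nonce, giving `# HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, 32)`. Naming the RFC 8448 section the vectors were taken from would also help anyone re-checking them.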
@@ -10485,6 +10493,38 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) # Tests the case where context is already hashed ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls1_3_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" +SSL TLS 1.3 Key schedule: Derive-Secret( ., "c e traffic", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_c_e_traffic:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:1:"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "e exp master", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_e_exp_master:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:1:"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "c hs traffic", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_c_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03"::32:1:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "s hs traffic", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_s_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:1:"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "c ap traffic", hash) +# Vector from RFC 8448 
+ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "exp master", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_exp_master:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" + +SSL TLS 1.3 Key schedule: Derive-Secret( ., "res master", hash) +# Vector from RFC 8448 +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:1:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" + SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE From 9b9be006066b21d2c0c1c09869c0c3b6a463e1d4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 10:42:10 +0100 Subject: [PATCH 30/43] Remove DTLS 1.3 specific label Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index b75c5cea37..4bd2d47a3a 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
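Review bot: The new "c hs traffic" case has a doubled colon after its context argument (`...16f757d03"::32:1:...`), which inserts an empty field and hands ssl_tls1_3_derive_secret eight arguments instead of the seven its signature takes, so the test generator will reject or misparse that line. Every other case in the hunk uses a single separator; the fix is `...16f757d03":32:1:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f"`. The vectors are otherwise self-consistent — that "c hs traffic" output is reused as the secret of HKDF Expand Label #9 above — so a run of the generated suite should be enough to confirm the repair.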
@@ -31,19 +31,18 @@ MBEDTLS_SSL_TLS1_3_LABEL( 3, exporter , "exporter" ) \ MBEDTLS_SSL_TLS1_3_LABEL( 4, key , "key" ) \ MBEDTLS_SSL_TLS1_3_LABEL( 5, iv , "iv" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 6, sn , "sn" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 7, c_hs_traffic, "c hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 8, c_ap_traffic, "c ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 9, c_e_traffic , "c e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 10, s_hs_traffic, "s hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 11, s_ap_traffic, "s ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 12, s_e_traffic , "s e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 13, e_exp_master, "e exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 14, res_master , "res master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 15, exp_master , "exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 16, ext_binder , "ext binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 17, res_binder , "res binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 18, derived , "derived" ) + MBEDTLS_SSL_TLS1_3_LABEL( 6, c_hs_traffic, "c hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 7, c_ap_traffic, "c ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 8, c_e_traffic , "c e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 9, s_hs_traffic, "s hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 10, s_ap_traffic, "s ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 11, s_e_traffic , "s e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 12, e_exp_master, "e exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 13, res_master , "res master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 14, exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 15, ext_binder , "ext binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 16, res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 17, derived , "derived" ) #define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; From 59b50a19979d42c3b0b60458b6e3cb80d6cc4c6e Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 9 Sep 2020 10:56:56 +0100 Subject: [PATCH 31/43] Don't use _xxx naming for local variables in ssl_tls13_keys.c Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 1730501fae..a924dc86cb 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -280,8 +280,8 @@ int mbedtls_ssl_tls1_3_evolve_secret( { int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; size_t hlen, ilen; - unsigned char _secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 }; - unsigned char _input [ MBEDTLS_MD_MAX_SIZE ] = { 0 }; + unsigned char tmp_secret[ MBEDTLS_MD_MAX_SIZE ] = { 0 }; + unsigned char tmp_input [ MBEDTLS_MD_MAX_SIZE ] = { 0 }; const mbedtls_md_info_t *md; md = mbedtls_md_info_from_type( hash_alg ); @@ -300,14 +300,14 @@ int mbedtls_ssl_tls1_3_evolve_secret( MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( derived ), NULL, 0, /* context */ MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED, - _secret, hlen ); + tmp_secret, hlen ); if( ret != 0 ) goto cleanup; } if( input != NULL ) { - memcpy( _input, input, input_len ); + memcpy( tmp_input, input, input_len ); ilen = input_len; } else @@ -319,8 +319,8 @@ int mbedtls_ssl_tls1_3_evolve_secret( * The salt is the old secret, and the input key material * is the input secret (PSK / ECDHE). */ ret = mbedtls_hkdf_extract( md, - _secret, hlen, - _input, ilen, + tmp_secret, hlen, + tmp_input, ilen, secret_new ); if( ret != 0 ) goto cleanup; @@ -329,8 +329,8 @@ int mbedtls_ssl_tls1_3_evolve_secret( cleanup: - mbedtls_platform_zeroize( _secret, sizeof(_secret) ); - mbedtls_platform_zeroize( _input, sizeof(_input) ); + mbedtls_platform_zeroize( tmp_secret, sizeof(tmp_secret) ); + mbedtls_platform_zeroize( tmp_input, sizeof(tmp_input) ); return( ret ); } From 2fe043a6d1e498b24006b925cf9fe6b3fe090c74 Mon Sep 17 00:00:00 2001 
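Review bot: `memcpy( tmp_input, input, input_len )` in mbedtls_ssl_tls1_3_evolve_secret copies a caller-supplied length into the fixed `tmp_input[ MBEDTLS_MD_MAX_SIZE ]` stack buffer, and no check of `input_len` against that size is visible in these hunks (the lines between them and the function's start lie outside the diff, so one may exist there). If none does, an input secret longer than the digest size — a long PSK, for instance — overflows the stack frame, and `ilen = input_len` is passed on to mbedtls_hkdf_extract unclamped. Because `tmp_secret` may already hold derived key material at that point, the guard should route through the zeroising cleanup: `if( input_len > sizeof( tmp_input ) ) { ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; goto cleanup; }`. Alternatively the copy is avoidable altogether by pointing at `input` directly and using a local zero buffer only in the NULL case.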
From: Hanno Becker Date: Wed, 9 Sep 2020 10:57:24 +0100 Subject: [PATCH 32/43] Remove guard for TLS 1.3 specific declarations We only guard the implementations of modules, not their declarations. Signed-off-by: Hanno Becker --- include/mbedtls/ssl_internal.h | 4 ---- library/ssl_tls13_keys.h | 4 ---- 2 files changed, 8 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index c6847ba58e..188b94771a 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -399,9 +399,6 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, #define MBEDTLS_SSL_MAX_IV_LENGTH 16 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /** * \brief The data structure holding the cryptographic material (key and IV) * used for record protection in TLS 1.3. @@ -423,7 +420,6 @@ struct mbedtls_ssl_key_set * server_write_iv, in Bytes. */ }; typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ /* * This structure contains the parameters only needed during handshake. diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 4bd2d47a3a..33becd6cc4 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -19,8 +19,6 @@ #if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H) #define MBEDTLS_SSL_TLS1_3_KEYS_H -#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) - /* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union * below. */ @@ -264,6 +262,4 @@ int mbedtls_ssl_tls1_3_evolve_secret( const unsigned char *input, size_t input_len, unsigned char *secret_new ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ - #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ From 8c82bfdf225805da2713e4cd41ace56a99b3062b Mon Sep 17 00:00:00 2001 
From: Hanno Becker Date: Wed, 9 Sep 2020 11:03:08 +0100 Subject: [PATCH 33/43] Use TLS1_3_CONTEXT_[UN]HASHED in 1.3 key schedule tests Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 9ecea11120..9aad56104c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data 
@@ -10485,45 +10485,45 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") # Derive-Secret( Early-Secret, "derived", "") # Tests the case where context isn't yet hashed (empty string here, # but still needs to be hashed) -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls1_3_label_derived:"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls1_3_label_derived:"":32:MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( MasterSecret, "s ap traffic", hash) # Tests the case where context is already hashed -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls1_3_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":tls1_3_label_s_ap_traffic:"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c e traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_c_e_traffic:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:1:"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62" 
+ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_c_e_traffic:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fbbe6a60deb66c30a32795aba0eff7eaa10105586e7be5c09678d63b6caab62" SSL TLS 1.3 Key schedule: Derive-Secret( ., "e exp master", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_e_exp_master:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:1:"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"9b2188e9b2fc6d64d71dc329900e20bb41915000f678aa839cbb797cb7d8332c":tls1_3_label_e_exp_master:"08ad0fa05d7c7233b1775ba2ff9f4c5b8b59276b7f227f13a976245f5d960913":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"b2026866610937d7423e5be90862ccf24c0e6091186d34f812089ff5be2ef7df" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c hs traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_c_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03"::32:1:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_c_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03"::32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s hs traffic", hash) # Vector from RFC 8448 
-ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_s_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:1:"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":tls1_3_label_s_hs_traffic:"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803" SSL TLS 1.3 Key schedule: Derive-Secret( ., "c ap traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" SSL TLS 1.3 Key schedule: Derive-Secret( ., "exp master", hash) # 
Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_exp_master:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:1:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_exp_master:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4" SSL TLS 1.3 Key schedule: Derive-Secret( ., "res master", hash) # Vector from RFC 8448 -ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:1:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" +ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_res_master:"c3c122e0bd907a4a3ff6112d8fd53dbf89c773d9552e8b6b9d56d361b3a97bf6":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"5e95bdf1f89005ea2e9aa0ba85e728e3c19c5fe0c699e3f5bee59faebd0b5406" SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE From 1413bd8ae92ba09078ad3022327c5e14396f3ea7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 12:46:09 +0100 Subject: [PATCH 34/43] Simplify identification of TLS 1.3 labels in unit test suite Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 2 +- library/ssl_tls13_keys.h | 38 ++++++++++++++-------------- tests/suites/test_suite_ssl.function | 15 ++++++----- 3 files changed, 29 insertions(+), 26 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index a924dc86cb..88b1b8ad92 100644 --- a/library/ssl_tls13_keys.c 
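Review bot: The doubled separator in the "c hs traffic" case, `...16f757d03"::32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:`, survives the constant substitution in this hunk, so the line still carries one field more than ssl_tls1_3_derive_secret takes. Dropping the stray colon, `...16f757d03":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2faac08f...278700f"`, is the only change needed; every other line in the hunk is consistent with the seven-argument signature.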
+++ b/library/ssl_tls13_keys.c @@ -28,7 +28,7 @@ #include #include -#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ .name = string, struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 33becd6cc4..03235e5e1f 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -23,26 +23,26 @@ * the point of use. See e.g. the definition of mbedtls_ssl_tls1_3_labels_union * below. */ #define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ - MBEDTLS_SSL_TLS1_3_LABEL( 0, finished , "finished" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 1, resumption , "resumption" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 2, traffic_upd , "traffic upd" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 3, exporter , "exporter" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 4, key , "key" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 5, iv , "iv" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 6, c_hs_traffic, "c hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 7, c_ap_traffic, "c ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 8, c_e_traffic , "c e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 9, s_hs_traffic, "s hs traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 10, s_ap_traffic, "s ap traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 11, s_e_traffic , "s e traffic" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 12, e_exp_master, "e exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 13, res_master , "res master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 14, exp_master , "exp master" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 15, ext_binder , "ext binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 16, res_binder , "res binder" ) \ - MBEDTLS_SSL_TLS1_3_LABEL( 17, derived , "derived" ) + MBEDTLS_SSL_TLS1_3_LABEL( finished , "finished" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( resumption , "resumption" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exporter , "exporter" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( key , "key" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( iv , "iv" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( 
res_master , "res master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( exp_master , "exp master" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( ext_binder , "ext binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( res_binder , "res binder" ) \ + MBEDTLS_SSL_TLS1_3_LABEL( derived , "derived" ) -#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ const unsigned char name [ sizeof(string) - 1 ]; union mbedtls_ssl_tls1_3_labels_union diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 153242925d..9fcf36729b 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -12,10 +12,13 @@ #include -#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ - const int tls1_3_label_ ## name = idx; +enum +{ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ + tls1_3_label_ ## name, MBEDTLS_SSL_TLS1_3_LABEL_LIST #undef MBEDTLS_SSL_TLS1_3_LABEL +}; typedef struct log_pattern { @@ -3687,8 +3690,8 @@ void ssl_tls1_3_hkdf_expand_label( int hash_alg, unsigned char const *lbl = NULL; size_t lbl_len; -#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ - if( label_idx == tls1_3_label_ ## name ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ + if( label_idx == (int) tls1_3_label_ ## name ) \ { \ lbl = mbedtls_ssl_tls1_3_labels.name; \ lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ @@ -3773,8 +3776,8 @@ void ssl_tls1_3_derive_secret( int hash_alg, unsigned char const *lbl = NULL; size_t lbl_len; -#define MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) \ - if( label_idx == tls1_3_label_ ## name ) \ +#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \ + if( label_idx == (int) tls1_3_label_ ## name ) \ { \ lbl = mbedtls_ssl_tls1_3_labels.name; \ lbl_len = sizeof( mbedtls_ssl_tls1_3_labels.name ); \ From 3eb3563c0b3f7260d78fe5596f7ec3ba52f8ea69 Mon Sep 17 00:00:00 2001 
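Review bot: The anonymous enum added to the BEGIN_HEADER section carries no comment, so its purpose — giving every entry of MBEDTLS_SSL_TLS1_3_LABEL_LIST a `tls1_3_label_<name>` enumerator that the .data file passes as label_idx — has to be reverse-engineered from the two lookup macros further down. A one-line comment above it would make that explicit: `/* One tls1_3_label_<name> enumerator per MBEDTLS_SSL_TLS1_3_LABEL_LIST entry; .data files reference these by name as the label_idx argument. */`. The `(int)` casts added in both comparisons presumably silence an enum/int comparison warning and are fine, but `size_t lbl_len;` beside them is still uninitialised and would benefit from `= 0`.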
From: Hanno Becker Date: Wed, 9 Sep 2020 12:47:56 +0100 Subject: [PATCH 35/43] Fix TLS 1.3 key schedule unit test case name Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 9aad56104c..73a692d8af 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10456,7 +10456,7 @@ SSL TLS 1.3 Key schedule: HKDF Expand Label #7 (RFC 8448) # HKDF-Expand-Label(client_handshake_secret, "iv", "", 12) ssl_tls1_3_hkdf_expand_label:MBEDTLS_MD_SHA256:"b3eddb126e067f35a780b3abf45e2d8f3b1a950738f52e9600746a0e27a55a21":tls1_3_label_iv:"":12:"5bd3c71b836e0b76bb73265f" -SSL TLS 1.3 Key schedule: HKDF Expand Label (RFC 8448) +SSL TLS 1.3 Key schedule: HKDF Expand Label #8 (RFC 8448) # Vector from RFC 8448 # Client handshake traffic secret -> Client traffic Key # HKDF-Expand-Label(client_handshake_secret, "key", "", 16) From 0973ff9545f21541978e790bcddfa79293477862 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 12:56:28 +0100 Subject: [PATCH 36/43] Remove macro definitions between Doxygen block and prototype Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 03235e5e1f..161f0a114e 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -144,6 +144,10 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( size_t slen, size_t key_len, size_t iv_len, mbedtls_ssl_key_set *keys ); + +#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0 +#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1 + /** * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446. * 
@@ -177,10 +181,6 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( * \returns \c 0 on success. * \returns A negative error code on failure. */ - -#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0 -#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1 - int mbedtls_ssl_tls1_3_derive_secret( mbedtls_md_type_t hash_alg, const unsigned char *secret, size_t slen, From 97a21567dfbc4cf6b70b1c10b91ca71cc3f0ddfe Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 12:57:16 +0100 Subject: [PATCH 37/43] Move misplaced comment Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 88b1b8ad92..2128f838d4 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -255,12 +255,14 @@ int mbedtls_ssl_tls1_3_derive_secret( } else { - /* This should never happen since this function is internal - * and the code sets `context_already_hashed` correctly. - * Let's double-check nonetheless to not run at the risk - * of getting a stack overflow. */ if( clen > sizeof(hashed_context) ) + { + /* This should never happen since this function is internal + * and the code sets `context_already_hashed` correctly. + * Let's double-check nonetheless to not run at the risk + * of getting a stack overflow. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } memcpy( hashed_context, ctx, clen ); } From 0c42fd94bb9d332079515f5a5a0ef2b1a12552d4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 12:58:29 +0100 Subject: [PATCH 38/43] Fix Doxygen documentation of mbedtls_ssl_tls1_3_derive_secret() Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 6 +++--- library/ssl_tls13_keys.h | 40 ++++++++++++++++++++++++---------------- 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 2128f838d4..54742f3b48 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
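Review bot: The guard relocated in the -255 hunk only rejects a context larger than `hashed_context`, yet in this branch `ctx` is documented as the hash of the Messages argument, so any `clen` other than the digest length of hash_alg means the caller mislabelled its input and the function silently derives with a wrong-length context. Checking the exact size instead — `if( clen != mbedtls_md_get_size( md ) )` — still prevents the overflow the comment worries about and additionally catches that misuse at no cost (the buffer's declaration and the `clen` used afterwards are outside the hunk, so I assume it is MBEDTLS_MD_MAX_SIZE). The comment itself would read better as the reason for the check rather than a disclaimer, e.g. `/* ctx must be a digest of hash_alg here; reject anything else so hashed_context cannot overflow. */`. mbedtls_ssl_tls1_3_derive_secret starts and ends outside this hunk.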
@@ -235,7 +235,7 @@ int mbedtls_ssl_tls1_3_derive_secret( const unsigned char *secret, size_t slen, const unsigned char *label, size_t llen, const unsigned char *ctx, size_t clen, - int context_already_hashed, + int ctx_hashed, unsigned char *dstbuf, size_t buflen ) { int ret; @@ -246,7 +246,7 @@ int mbedtls_ssl_tls1_3_derive_secret( if( md == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( context_already_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED ) + if( ctx_hashed == MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED ) { ret = mbedtls_md( md, ctx, clen, hashed_context ); if( ret != 0 ) @@ -258,7 +258,7 @@ int mbedtls_ssl_tls1_3_derive_secret( if( clen > sizeof(hashed_context) ) { /* This should never happen since this function is internal - * and the code sets `context_already_hashed` correctly. + * and the code sets `ctx_hashed` correctly. * Let's double-check nonetheless to not run at the risk * of getting a stack overflow. */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 161f0a114e..9838f48cd0 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h 
@@ -162,21 +162,29 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( * the parameter message contains the already hashed value and * the Derive-Secret function does not need to hash it again. * - * \param hash_alg The identifier for the hash function used for the - * applications of HKDF. - * \param secret The \c Secret argument to the \c Derive-Secret function. - * This must be a readable buffer of length \p slen Bytes. - * \param slen The length of \p secret in Bytes. - * \param label The \c Label argument to the \c Derive-Secret function. - * This must be a readable buffer of length \p llen Bytes. - * \param llen The length of \p label in Bytes. - * \param hash The hash of the \c Messages argument to the \c Derive-Secret - * function. This must be a readable buffer of length \p mlen - * hlen Bytes. - * \param hlen The length of \p hash. - * \param dstbuf The target buffer to write the output of \c Derive-Secret to. - * This must be a writable buffer of size \p buflen Bytes. - * \param buflen The length of \p dstbuf in Bytes. + * \param hash_alg The identifier for the hash function used for the + * applications of HKDF. + * \param secret The \c Secret argument to the \c Derive-Secret function. + * This must be a readable buffer of length \p slen Bytes. + * \param slen The length of \p secret in Bytes. + * \param label The \c Label argument to the \c Derive-Secret function. + * This must be a readable buffer of length \p llen Bytes. + * \param llen The length of \p label in Bytes. + * \param ctx The hash of the \c Messages argument to the + * \c Derive-Secret function, or the \c Messages argument + * itself, depending on \p context_already_hashed. + * \param clen The length of \p hash. 
+ * \param ctx_hashed This indicates whether the \p ctx contains the hash of + * the \c Messages argument in the application of the + * \c Derive-Secret function + * (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether + * it is the content of \c Messages itself, in which case + * the function takes care of the hashing + * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED). + * \param dstbuf The target buffer to write the output of + * \c Derive-Secret to. This must be a writable buffer of + * size \p buflen Bytes. + * \param buflen The length of \p dstbuf in Bytes. * * \returns \c 0 on success. * \returns A negative error code on failure. @@ -186,7 +194,7 @@ int mbedtls_ssl_tls1_3_derive_secret( const unsigned char *secret, size_t slen, const unsigned char *label, size_t llen, const unsigned char *ctx, size_t clen, - int context_already_hashed, + int ctx_hashed, unsigned char *dstbuf, size_t buflen ); /** From 5cfc7245c81f4f295a6ee3de68ca4de0fcabb8e2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 9 Sep 2020 13:00:29 +0100 Subject: [PATCH 39/43] Remove outdated documentation of mbedtls_ssl_tls1_3_derive_secret() Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 9838f48cd0..7a9e5c94ac 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -158,10 +158,6 @@ int mbedtls_ssl_tls1_3_make_traffic_keys( * Hash.Length ) ) * * - * Note: In this implementation of the function we assume that - * the parameter message contains the already hashed value and - * the Derive-Secret function does not need to hash it again. - * * \param hash_alg The identifier for the hash function used for the * applications of HKDF. * \param secret The \c Secret argument to the \c Derive-Secret function. From 29ea84e906688a8f2743dcbf88895e8f58a12369 Mon Sep 17 00:00:00 2001 
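Review bot: Two parameter descriptions in the rewritten Doxygen block are out of step with the signature they document: `\param clen The length of \p hash.` refers to a parameter now called `ctx`, and the `\param ctx` text says "depending on \p context_already_hashed" although this same commit renames that parameter to `ctx_hashed`. Both should become `\p ctx` and `\p ctx_hashed` — Doxygen reports dangling `\p` references — unless the later documentation-fix commit in this series already covers them. The `\param ctx_hashed` sentence also lacks a full stop before the final parenthesised value.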
From: Hanno Becker Date: Wed, 9 Sep 2020 13:52:40 +0100 Subject: [PATCH 40/43] Avoid duplicated test case names in TLS 1.3 key schedule unit tests Signed-off-by: Hanno Becker --- tests/suites/test_suite_ssl.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 73a692d8af..6e653ffc27 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -10487,7 +10487,7 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "") # but still needs to be hashed) ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":tls1_3_label_derived:"":32:MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba" -SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) +SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) #1 # Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/) # Derive-Secret( MasterSecret, "s ap traffic", hash) # Tests the case where context is already hashed 
@@ -10513,7 +10513,7 @@ SSL TLS 1.3 Key schedule: Derive-Secret( ., "c ap traffic", hash) # Vector from RFC 8448 ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_c_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1" -SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) +SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash) #2 # Vector from RFC 8448 ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":tls1_3_label_s_ap_traffic:"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":32:MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED:"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691" From 2dfe1327e582694a5d6186385640d8d3d0debc9b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 10 Sep 2020 09:23:12 +0100 Subject: [PATCH 41/43] Fix miscalculation of maximum TLS 1.3 HKDF label length Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 54742f3b48..5a6204eda5 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -75,6 +75,8 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = * the HkdfLabel structure on success. */ +static const char tls1_3_label_prefix[6] = "tls13 "; + #define SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( label_len, context_len ) \ ( 2 /* expansion length */ \ + 1 /* label length */ \ 
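Review bot: `static const char tls1_3_label_prefix[6] = "tls13 ";` is sized to drop the NUL terminator so that `sizeof` gives the 6-byte prefix length, but nothing at the definition says so, and the array must never reach a `str*` function or a `%s` format. A one-line comment would pin the intent for the next maintainer: `/* Deliberately not NUL-terminated: sizeof() is the prefix length. */`. The array's size is now load-bearing for SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN as well, so the comment should mention that changing the literal requires changing the explicit bound.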
@@ -84,6 +86,7 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = #define SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN \ SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( \ + sizeof(tls1_3_label_prefix) + \ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN, \ MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) @@ -93,8 +96,8 @@ static void ssl_tls1_3_hkdf_encode_label( const unsigned char *ctx, size_t clen, unsigned char *dst, size_t *dlen ) { - const char label_prefix[6] = "tls13 "; - size_t total_label_len = sizeof( label_prefix ) + llen; + size_t total_label_len = + sizeof(tls1_3_label_prefix) + llen; size_t total_hkdf_lbl_len = SSL_TLS1_3_KEY_SCHEDULE_HKDF_LABEL_LEN( total_label_len, clen ); @@ -106,8 +109,8 @@ static void ssl_tls1_3_hkdf_encode_label( /* Add label incl. prefix */ *p++ = (unsigned char)( total_label_len & 0xFF ); - memcpy( p, label_prefix, sizeof(label_prefix) ); - p += sizeof(label_prefix); + memcpy( p, tls1_3_label_prefix, sizeof(tls1_3_label_prefix) ); + p += sizeof(tls1_3_label_prefix); memcpy( p, label, llen ); p += llen; From 61baae7c9fbf62fd8d5b80bf0835a69ddad11040 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 16 Sep 2020 09:24:14 +0100 Subject: [PATCH 42/43] Minor fixes and improvements in TLS 1.3 key schedule documentation Signed-off-by: Hanno Becker --- include/mbedtls/ssl_internal.h | 2 +- library/ssl_tls13_keys.c | 14 +++++++------- library/ssl_tls13_keys.h | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 188b94771a..7b78c7310e 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h 
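Review bot: In the `@@ -93,8 +96,8 @@` hunk, `total_hkdf_lbl_len` is derived from the caller-supplied `llen` and `clen` but is never compared, in the visible lines, against `SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN`, the capacity the header comment requires `dst` to have; the function takes no size for `dst`, so an over-long label or context would write past it. Given that this commit exists because that bound was miscalculated, the documented "MUST" is worth enforcing in code at the wrapper that owns the buffer, e.g. `if( llen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN || clen > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`. The body of ssl_tls1_3_hkdf_encode_label() starts before and ends after the hunk, and its caller is not shown, so such a check may already exist outside this view.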
@@ -379,7 +379,7 @@ typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ); -/* cipher.h exports the maximum IV, key and block length from all +/* cipher.h exports the maximum IV, key and block length from * all ciphers enabled in the config, regardless of whether those * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled * in the default configuration and uses 64 Byte keys, but it is diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 5a6204eda5..d641b16202 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -59,15 +59,15 @@ struct mbedtls_ssl_tls1_3_labels_struct const mbedtls_ssl_tls1_3_labels = * 255. This allows us to save a few Bytes of code by * hardcoding the writing of the high bytes. * - (label, llen): label + label length, without "tls13 " prefix - * The label length MUST be - * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN - * It is the caller's responsiblity to ensure this. + * The label length MUST be less than or equal to + * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN + * It is the caller's responsibility to ensure this. * All (label, label length) pairs used in TLS 1.3 * can be obtained via MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(). * - (ctx, clen): context + context length - * The context length MUST be - * <= MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN - * It is the caller's responsiblity to ensure this. + * The context length MUST be less than or equal to + * MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN + * It is the caller's responsibility to ensure this. * - dst: Target buffer for HkdfLabel structure, * This MUST be a writable buffer of size * at least SSL_TLS1_3_KEY_SCHEDULE_MAX_HKDF_LABEL_LEN Bytes. 
@@ -296,7 +296,7 @@ int mbedtls_ssl_tls1_3_evolve_secret( hlen = mbedtls_md_get_size( md ); /* For non-initial runs, call Derive-Secret( ., "derived", "") - * on the old secreet. */ + * on the old secret. */ if( secret_old != NULL ) { ret = mbedtls_ssl_tls1_3_derive_secret( diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 7a9e5c94ac..73b8aaf1c4 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -64,7 +64,7 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ sizeof( union mbedtls_ssl_tls1_3_labels_union ) -/* The maximum length of HKDF contexts used in the TLS 1.3 standad. +/* The maximum length of HKDF contexts used in the TLS 1.3 standard. * Since contexts are always hashes of message transcripts, this can * be approximated from above by the maximum hash size. */ #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ @@ -94,7 +94,7 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; * This must be a readable buffer of length \p clen Bytes. * \param clen The length of \p context in Bytes. * \param buf The destination buffer to hold the expanded secret. - * This must be a writable buffe of length \p blen Bytes. + * This must be a writable buffer of length \p blen Bytes. * \param blen The desired size of the expanded secret in Bytes. * * \returns \c 0 on success. From 531fe3054ce4bf685a45cfd82e0bd695cb9f5903 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 16 Sep 2020 09:45:27 +0100 Subject: [PATCH 43/43] Comment on hardcoding of maximum HKDF key expansion of 255 Bytes Signed-off-by: Hanno Becker --- library/ssl_tls13_keys.c | 9 ++++++++- library/ssl_tls13_keys.h | 7 ++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index d641b16202..c39e0322ba 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c 
@@ -103,7 +103,14 @@ static void ssl_tls1_3_hkdf_encode_label( unsigned char *p = dst; - /* Add total length. */ + /* Add the size of the expanded key material. + * We're hardcoding the high byte to 0 here assuming that we never use + * TLS 1.3 HKDF key expansion to more than 255 Bytes. */ +#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255 +#error "The implementation of ssl_tls1_3_hkdf_encode_label() is not fit for the \ + value of MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN" +#endif + *p++ = 0; *p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF ); diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 73b8aaf1c4..7089049ce2 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -71,7 +71,12 @@ extern const struct mbedtls_ssl_tls1_3_labels_struct mbedtls_ssl_tls1_3_labels; MBEDTLS_MD_MAX_SIZE /* Maximum desired length for expanded key material generated - * by HKDF-Expand-Label. */ + * by HKDF-Expand-Label. + * + * Warning: If this ever needs to be increased, the implementation + * ssl_tls1_3_hkdf_encode_label() in ssl_tls13_keys.c needs to be + * adjusted since it currently assumes that HKDF key expansion + * is never used with more than 255 Bytes of output. */ #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255 /**
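Review bot: The new `#if MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255` guard pins the compile-time constant, but the following `*p++ = (unsigned char)( ( desired_length >> 0 ) & 0xFF );` still silently truncates a runtime `desired_length` above 255 to its low byte after the high byte was hard-coded to 0, yielding an HkdfLabel that asks for much less output than the caller expects. Unless the caller already rejects lengths above MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN (not visible here), that range check belongs at the entry point that returns an error code, `if( desired_length > MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, and the added comment should say that the caller guarantees it. Separately, an `#if` on a macro that is not visible in this translation unit evaluates to 0 and passes silently, so `#if !defined(MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN) || MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN > 255` is the more robust spelling. The enclosing function starts before and ends after this hunk.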