From 84a6edac10ef263c030c957716cd7b69430388e3 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 11:17:35 +0800 Subject: [PATCH 01/10] change signature of get_cipher_key_info - it is a static function. The name is not follow nameing ruler - move the position. Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 66 ++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index ec84a996cc..1b76996bce 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1052,6 +1052,35 @@ int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform, return( 0 ); } +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_get_cipher_key_info( + const mbedtls_ssl_ciphersuite_t *ciphersuite_info, + size_t *key_len, size_t *iv_len ) +{ + psa_key_type_t key_type; + psa_algorithm_t alg; + size_t taglen; + size_t key_bits; + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + + if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) + taglen = 8; + else + taglen = 16; + + status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, + &alg, &key_type, &key_bits ); + if( status != PSA_SUCCESS ) + return psa_ssl_status_to_mbedtls( status ); + + *key_len = PSA_BITS_TO_BYTES( key_bits ); + + /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ + *iv_len = 12; + + return 0; +} + int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1098,35 +1127,6 @@ int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) return( 0 ); } -MBEDTLS_CHECK_RETURN_CRITICAL -static int mbedtls_ssl_tls13_get_cipher_key_info( - const mbedtls_ssl_ciphersuite_t *ciphersuite_info, - size_t *key_len, size_t *iv_len ) -{ - psa_key_type_t key_type; - psa_algorithm_t alg; - size_t taglen; - size_t key_bits; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - if( ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ) - taglen = 8; - else - taglen = 16; - - status = mbedtls_ssl_cipher_to_psa( ciphersuite_info->cipher, taglen, - &alg, &key_type, &key_bits ); - if( status != PSA_SUCCESS ) - return psa_ssl_status_to_mbedtls( status ); - - *key_len = PSA_BITS_TO_BYTES( key_bits ); - - /* TLS 1.3 only have AEAD ciphers, IV length is unconditionally 12 bytes */ - *iv_len = 12; - - return 0; -} - /* mbedtls_ssl_tls13_generate_handshake_keys() generates keys necessary for * protecting the handshake messages, as described in Section 7 of TLS 1.3. */ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, @@ -1150,11 +1150,11 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - ret = mbedtls_ssl_tls13_get_cipher_key_info( ciphersuite_info, + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); return ret; } @@ -1370,11 +1370,11 @@ int mbedtls_ssl_tls13_generate_application_keys( /* Extract basic information about hash and ciphersuite */ - ret = mbedtls_ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, + ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_get_cipher_key_info", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); goto cleanup; } From 3d9b590f0281e90d23ce6e8017d1826a7f6fb26b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 14:07:25 +0800 Subject: [PATCH 02/10] guards transform_earlydata Signed-off-by: Jerry Yu --- library/ssl_misc.h | 14 +++++++------- library/ssl_tls.c | 6 +++++- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 1902d715d2..32e2b16d7e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -890,13 +890,6 @@ struct mbedtls_ssl_handshake_params uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages. - * Those pointers own the transforms they reference. */ - mbedtls_ssl_transform *transform_handshake; - mbedtls_ssl_transform *transform_earlydata; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ - /* * Checksum contexts */ @@ -981,6 +974,8 @@ struct mbedtls_ssl_handshake_params unsigned char *certificate_request_context; #endif + /** TLS 1.3 transform for encrypted handshake messages. */ + mbedtls_ssl_transform *transform_handshake; union { unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE]; @@ -989,6 +984,11 @@ struct mbedtls_ssl_handshake_params } tls13_master_secrets; mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; +#if defined(MBEDTLS_SSL_EARLY_DATA) + mbedtls_ssl_tls13_early_secrets tls13_early_secrets; + /** TLS 1.3 transform for 0-RTT application and handshake messages. */ + mbedtls_ssl_transform *transform_earlydata; +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3d3491bc6c..83f2b3c3ee 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1447,9 +1447,11 @@ void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, if( ssl->handshake != NULL ) { +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata ); mbedtls_free( ssl->handshake->transform_earlydata ); ssl->handshake->transform_earlydata = NULL; +#endif mbedtls_ssl_transform_free( ssl->handshake->transform_handshake ); mbedtls_free( ssl->handshake->transform_handshake ); @@ -4067,9 +4069,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_transform_free( handshake->transform_handshake ); + mbedtls_free( handshake->transform_handshake ); +#if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_transform_free( handshake->transform_earlydata ); mbedtls_free( handshake->transform_earlydata ); - mbedtls_free( handshake->transform_handshake ); +#endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ From 91b560f38daa0e3d3ff740885c0a9c6ebb6104dc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Fri, 4 Nov 2022 14:10:34 +0800 Subject: [PATCH 03/10] Add compute early transform Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 150 +++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_keys.h | 17 +++++ 2 files changed, 167 insertions(+) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 1b76996bce..f1791810e2 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1081,6 +1081,156 @@ static int ssl_tls13_get_cipher_key_info( return 0; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +/* ssl_tls13_generate_early_keys() generates keys necessary for protecting + * the early app data messages described in section 7 RFC 8446. */ +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + mbedtls_md_type_t md_type; + + psa_algorithm_t hash_alg; + size_t hash_len; + + unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; + size_t transcript_len; + + size_t key_len, iv_len; + + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; + mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_keys" ) ); + + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); + return ret; + } + + md_type = ciphersuite_info->mac; + + hash_alg = mbedtls_hash_info_psa_from_md( ciphersuite_info->mac ); + hash_len = PSA_HASH_LENGTH( hash_alg ); + + ret = mbedtls_ssl_get_handshake_transcript( ssl, md_type, + transcript, + sizeof( transcript ), + &transcript_len ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, + "mbedtls_ssl_get_handshake_transcript", + ret ); + return( ret ); + } + + ret = mbedtls_ssl_tls13_derive_early_secrets( hash_alg, + handshake->tls13_master_secrets.early, + transcript, transcript_len, tls13_early_secrets ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); + return( ret ); + } + + MBEDTLS_SSL_DEBUG_BUF( + 4, "Client early traffic secret", + tls13_early_secrets->client_early_traffic_secret, + hash_len ); + + /* + * Export client handshake traffic secret + */ + if( ssl->f_export_keys != NULL ) + { + ssl->f_export_keys( ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + tls13_early_secrets->client_early_traffic_secret, + hash_len, + handshake->randbytes, + handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + } + + ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg, + tls13_early_secrets->client_early_traffic_secret, + tls13_early_secrets->client_early_traffic_secret, + hash_len, key_len, iv_len, traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); + goto exit; + } + + MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_key", + traffic_keys->client_write_key, + traffic_keys->key_len); + + MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_iv", + traffic_keys->client_write_iv, + traffic_keys->iv_len); + + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_keys" ) ); + +exit: + + return( ret ); +} + +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + mbedtls_ssl_key_set traffic_keys; + mbedtls_ssl_transform *transform_earlydata = NULL; + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + /* Next evolution in key schedule: Establish early_data secret and + * key material. */ + ret = ssl_tls13_generate_early_keys( ssl, &traffic_keys ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_keys", + ret ); + goto cleanup; + } + + transform_earlydata = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) ); + if( transform_earlydata == NULL ) + { + ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; + goto cleanup; + } + + ret = mbedtls_ssl_tls13_populate_transform( + transform_earlydata, + ssl->conf->endpoint, + ssl->session_negotiate->ciphersuite, + &traffic_keys, + ssl ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret ); + goto cleanup; + } + handshake->transform_earlydata = transform_earlydata; + +cleanup: + mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) ); + if( ret != 0 ) + mbedtls_free( transform_earlydata ); + + return( ret ); +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 966b5c5e4b..81414d84f8 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -667,6 +667,23 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, size_t *actual_len, int which ); +#if defined(MBEDTLS_SSL_EARLY_DATA) +/** + * \brief Compute TLS 1.3 early transform + * + * \param ssl The SSL context to operate on. The early secret must have been + * computed. + * + * \returns \c 0 on success. + * \returns A negative error code on failure. + * + * \warning `early_secrets` is not computation. Caller MUST call + * mbedtls_ssl_tls13_key_schedule_stage_early() before this function. + */ +MBEDTLS_CHECK_RETURN_CRITICAL +int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /** * \brief Compute TLS 1.3 handshake transform * From b094e124f2bdf5c05aee52cb61c9e61880900eb7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 21 Nov 2022 13:03:47 +0800 Subject: [PATCH 04/10] fix various issues - Alignments - comment words in doxygen paragraph Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 49 +++++++++++++++++++--------------------- library/ssl_tls13_keys.h | 8 +++---- 2 files changed, 27 insertions(+), 30 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index f1791810e2..8f2a74e87d 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1082,8 +1082,8 @@ static int ssl_tls13_get_cipher_key_info( } #if defined(MBEDTLS_SSL_EARLY_DATA) -/* ssl_tls13_generate_early_keys() generates keys necessary for protecting - * the early app data messages described in section 7 RFC 8446. */ +/* ssl_tls13_generate_early_keys() generates keys necessary for protecting the + early application and handshake messages described in section 7 RFC 8446. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) @@ -1130,9 +1130,9 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, return( ret ); } - ret = mbedtls_ssl_tls13_derive_early_secrets( hash_alg, - handshake->tls13_master_secrets.early, - transcript, transcript_len, tls13_early_secrets ); + ret = mbedtls_ssl_tls13_derive_early_secrets( + hash_alg, handshake->tls13_master_secrets.early, + transcript, transcript_len, tls13_early_secrets ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( @@ -1142,27 +1142,28 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF( 4, "Client early traffic secret", - tls13_early_secrets->client_early_traffic_secret, - hash_len ); + tls13_early_secrets->client_early_traffic_secret, hash_len ); /* * Export client handshake traffic secret */ if( ssl->f_export_keys != NULL ) { - ssl->f_export_keys( ssl->p_export_keys, - MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, - tls13_early_secrets->client_early_traffic_secret, - hash_len, - handshake->randbytes, - handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, - MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); + ssl->f_export_keys( + ssl->p_export_keys, + MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET, + tls13_early_secrets->client_early_traffic_secret, + hash_len, + handshake->randbytes, + handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, + MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); } - ret = mbedtls_ssl_tls13_make_traffic_keys( hash_alg, - tls13_early_secrets->client_early_traffic_secret, - tls13_early_secrets->client_early_traffic_secret, - hash_len, key_len, iv_len, traffic_keys ); + ret = mbedtls_ssl_tls13_make_traffic_keys( + hash_alg, + tls13_early_secrets->client_early_traffic_secret, + tls13_early_secrets->client_early_traffic_secret, + hash_len, key_len, iv_len, traffic_keys ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); @@ -1283,16 +1284,13 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - psa_algorithm_t hash_alg; size_t hash_len; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - - size_t key_len, iv_len; + size_t key_len; + size_t iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; @@ -1300,8 +1298,7 @@ int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_tls13_generate_handshake_keys" ) ); - ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, - &key_len, &iv_len ); + ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); @@ -1521,7 +1518,7 @@ int mbedtls_ssl_tls13_generate_application_keys( /* Extract basic information about hash and ciphersuite */ ret = ssl_tls13_get_cipher_key_info( handshake->ciphersuite_info, - &key_len, &iv_len ); + &key_len, &iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 81414d84f8..5d9b570ac1 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -671,14 +671,14 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, /** * \brief Compute TLS 1.3 early transform * - * \param ssl The SSL context to operate on. The early secret must have been - * computed. + * \param ssl The SSL context to operate on. * * \returns \c 0 on success. * \returns A negative error code on failure. * - * \warning `early_secrets` is not computation. Caller MUST call - * mbedtls_ssl_tls13_key_schedule_stage_early() before this function. + * \warning `early_secrets` is not computed before this function. Call + * mbedtls_ssl_tls13_key_schedule_stage_early() to generate early + * secrets. */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); From 3ce61ffca66ece6e48efb15ff674ca3329c80cc5 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 21 Nov 2022 22:45:58 +0800 Subject: [PATCH 05/10] fix comments and function name issues Signed-off-by: Jerry Yu --- library/ssl_misc.h | 2 +- library/ssl_tls13_keys.c | 28 +++++++++++++++++----------- library/ssl_tls13_keys.h | 10 +++++++--- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 32e2b16d7e..53d50f23c1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -986,7 +986,7 @@ struct mbedtls_ssl_handshake_params mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; #if defined(MBEDTLS_SSL_EARLY_DATA) mbedtls_ssl_tls13_early_secrets tls13_early_secrets; - /** TLS 1.3 transform for 0-RTT application and handshake messages. */ + /** TLS 1.3 transform for early data and handshake messages. */ mbedtls_ssl_transform *transform_earlydata; #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 8f2a74e87d..da4e5da35e 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1082,11 +1082,18 @@ static int ssl_tls13_get_cipher_key_info( } #if defined(MBEDTLS_SSL_EARLY_DATA) -/* ssl_tls13_generate_early_keys() generates keys necessary for protecting the - early application and handshake messages described in section 7 RFC 8446. */ +/* + * ssl_tls13_generate_early_key() generates the key necessary for protecting + * the early application data and the EndOfEarlyData handshake message + * as described in section 7 of RFC 8446. + * + * NOTE: That only one key is generated, the key for the traffic from the + * client to the server. The TLS 1.3 specification does not define a secret + * and thus a key for server early traffic. + */ MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, - mbedtls_ssl_key_set *traffic_keys ) +static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, + mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1104,7 +1111,7 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info; mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets; - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_keys" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_tls13_generate_early_key" ) ); ret = ssl_tls13_get_cipher_key_info( ciphersuite_info, &key_len, &iv_len ); if( ret != 0 ) @@ -1170,16 +1177,15 @@ static int ssl_tls13_generate_early_keys( mbedtls_ssl_context *ssl, goto exit; } - MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_key", + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key", traffic_keys->client_write_key, traffic_keys->key_len); - MBEDTLS_SSL_DEBUG_BUF( 5, "client_handshake write_iv", + MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_iv", traffic_keys->client_write_iv, traffic_keys->iv_len); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_keys" ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); exit: @@ -1195,10 +1201,10 @@ int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) /* Next evolution in key schedule: Establish early_data secret and * key material. */ - ret = ssl_tls13_generate_early_keys( ssl, &traffic_keys ); + ret = ssl_tls13_generate_early_key( ssl, &traffic_keys ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_keys", + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_generate_early_key", ret ); goto cleanup; } diff --git a/library/ssl_tls13_keys.h b/library/ssl_tls13_keys.h index 5d9b570ac1..fc64737cd3 100644 --- a/library/ssl_tls13_keys.h +++ b/library/ssl_tls13_keys.h @@ -676,9 +676,13 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl, * \returns \c 0 on success. * \returns A negative error code on failure. * - * \warning `early_secrets` is not computed before this function. Call - * mbedtls_ssl_tls13_key_schedule_stage_early() to generate early - * secrets. + * \warning The function does not compute the early master secret. Call + * mbedtls_ssl_tls13_key_schedule_stage_early() before to + * call this function to generate the early master secret. + * \note For a client/server endpoint, the function computes only the + * encryption/decryption part of the transform as the decryption/ + * encryption part is not defined by the specification (no early + * traffic from the server to the client). */ MBEDTLS_CHECK_RETURN_CRITICAL int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ); From a8771839e835bad9d9a9a69f6a804310e1954a78 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 21 Nov 2022 23:16:54 +0800 Subject: [PATCH 06/10] Refactor make_traffic_keys Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 66 ++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 29 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index da4e5da35e..c01da956a5 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -215,6 +215,30 @@ cleanup: return( psa_ssl_status_to_mbedtls ( status ) ); } +static int ssl_tls13_make_traffic_key( + psa_algorithm_t hash_alg, + const unsigned char *secret, size_t secret_len, + unsigned char *key, size_t key_len, + unsigned char *iv, size_t iv_len ) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), + NULL, 0, + key, key_len ); + if( ret != 0 ) + return( ret ); + + ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + secret, secret_len, + MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), + NULL, 0, + iv, iv_len ); + return( ret ); +} + /* * The traffic keying material is generated from the following inputs: * @@ -240,35 +264,17 @@ int mbedtls_ssl_tls13_make_traffic_keys( { int ret = 0; - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->client_write_key, key_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, client_secret, secret_len, + keys->client_write_key, key_len, + keys->client_write_iv, iv_len ); if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), - NULL, 0, - keys->server_write_key, key_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - client_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->client_write_iv, iv_len ); - if( ret != 0 ) - return( ret ); - - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, - server_secret, secret_len, - MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), - NULL, 0, - keys->server_write_iv, iv_len ); + ret = ssl_tls13_make_traffic_key( + hash_alg, server_secret, secret_len, + keys->server_write_key, key_len, + keys->server_write_iv, iv_len ); if( ret != 0 ) return( ret ); @@ -1166,16 +1172,18 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */ ); } - ret = mbedtls_ssl_tls13_make_traffic_keys( + ret = ssl_tls13_make_traffic_key( hash_alg, tls13_early_secrets->client_early_traffic_secret, - tls13_early_secrets->client_early_traffic_secret, - hash_len, key_len, iv_len, traffic_keys ); + hash_len, traffic_keys->client_write_key, key_len, + traffic_keys->client_write_iv, iv_len ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); goto exit; } + traffic_keys->key_len = key_len; + traffic_keys->iv_len = iv_len; MBEDTLS_SSL_DEBUG_BUF( 4, "client early write_key", traffic_keys->client_write_key, From e31688b7fa00c6f286c6f02e35b7cc92ec7459c4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 22 Nov 2022 21:55:56 +0800 Subject: [PATCH 07/10] fix comments issue Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index c01da956a5..57c1843e41 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1090,12 +1090,12 @@ static int ssl_tls13_get_cipher_key_info( #if defined(MBEDTLS_SSL_EARLY_DATA) /* * ssl_tls13_generate_early_key() generates the key necessary for protecting - * the early application data and the EndOfEarlyData handshake message - * as described in section 7 of RFC 8446. + * the early application data and handshake messages as described in section 7 + * of RFC 8446. * - * NOTE: That only one key is generated, the key for the traffic from the - * client to the server. The TLS 1.3 specification does not define a secret - * and thus a key for server early traffic. + * NOTE: Only one key is generated, the key for the traffic from the client to + * the server. The TLS 1.3 specification does not define a secret and thus + * a key for server early traffic. */ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, From a5db6c0ce3ab6199f0a38db0138389dd63de1b76 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 23 Nov 2022 18:08:04 +0800 Subject: [PATCH 08/10] fix coding style issues. Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 57c1843e41..43f6ab6816 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -215,6 +215,7 @@ cleanup: return( psa_ssl_status_to_mbedtls ( status ) ); } +MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_make_traffic_key( psa_algorithm_t hash_alg, const unsigned char *secret, size_t secret_len, @@ -1123,7 +1124,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); - return ret; + return( ret ); } md_type = ciphersuite_info->mac; @@ -1179,8 +1180,8 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, traffic_keys->client_write_iv, iv_len ); if( ret != 0 ) { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_make_traffic_keys", ret ); - goto exit; + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); + return( 0 ); } traffic_keys->key_len = key_len; traffic_keys->iv_len = iv_len; @@ -1195,9 +1196,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); -exit: - - return( ret ); + return( 0 ); } int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) From 3d78e08ac0d05c49fb02ce6a2a1d73b9b2a1f21a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 23 Nov 2022 18:26:20 +0800 Subject: [PATCH 09/10] erase early secrets and transcripts Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 43f6ab6816..3d20ab7303 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1124,7 +1124,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_get_cipher_key_info", ret ); - return( ret ); + goto cleanup; } md_type = ciphersuite_info->mac; @@ -1141,7 +1141,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript", ret ); - return( ret ); + goto cleanup; } ret = mbedtls_ssl_tls13_derive_early_secrets( @@ -1151,7 +1151,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_derive_early_secrets", ret ); - return( ret ); + goto cleanup; } MBEDTLS_SSL_DEBUG_BUF( @@ -1181,7 +1181,7 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_make_traffic_key", ret ); - return( 0 ); + goto cleanup; } traffic_keys->key_len = key_len; traffic_keys->iv_len = iv_len; @@ -1196,7 +1196,12 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_tls13_generate_early_key" ) ); - return( 0 ); +cleanup: + /* Erase secret and transcript */ + mbedtls_platform_zeroize( + tls13_early_secrets, sizeof( mbedtls_ssl_tls13_early_secrets ) ); + mbedtls_platform_zeroize( transcript, sizeof( transcript ) ); + return( ret ); } int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl ) From aec08b3f42ac3d21f2134c4e0ce243e05cde3db0 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 29 Nov 2022 15:19:27 +0800 Subject: [PATCH 10/10] fix various format issues Signed-off-by: Jerry Yu --- library/ssl_tls13_keys.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index 3d20ab7303..cef61449b3 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -224,7 +224,8 @@ static int ssl_tls13_make_traffic_key( { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( key ), NULL, 0, @@ -232,7 +233,8 @@ static int ssl_tls13_make_traffic_key( if( ret != 0 ) return( ret ); - ret = mbedtls_ssl_tls13_hkdf_expand_label( hash_alg, + ret = mbedtls_ssl_tls13_hkdf_expand_label( + hash_alg, secret, secret_len, MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( iv ), NULL, 0, @@ -1103,16 +1105,13 @@ static int ssl_tls13_generate_early_key( mbedtls_ssl_context *ssl, mbedtls_ssl_key_set *traffic_keys ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_md_type_t md_type; - psa_algorithm_t hash_alg; size_t hash_len; - unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE]; size_t transcript_len; - - size_t key_len, iv_len; + size_t key_len; + size_t iv_len; mbedtls_ssl_handshake_params *handshake = ssl->handshake; const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;