1 /*
2  *  TLS 1.3 key schedule
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 ( the "License" ); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 #if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H)
20 #define MBEDTLS_SSL_TLS1_3_KEYS_H
21 
22 /* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at
23  * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union
24  * below. */
25 #define MBEDTLS_SSL_TLS1_3_LABEL_LIST                                             \
26     MBEDTLS_SSL_TLS1_3_LABEL( finished    , "finished"                          ) \
27     MBEDTLS_SSL_TLS1_3_LABEL( resumption  , "resumption"                        ) \
28     MBEDTLS_SSL_TLS1_3_LABEL( traffic_upd , "traffic upd"                       ) \
29     MBEDTLS_SSL_TLS1_3_LABEL( exporter    , "exporter"                          ) \
30     MBEDTLS_SSL_TLS1_3_LABEL( key         , "key"                               ) \
31     MBEDTLS_SSL_TLS1_3_LABEL( iv          , "iv"                                ) \
32     MBEDTLS_SSL_TLS1_3_LABEL( c_hs_traffic, "c hs traffic"                      ) \
33     MBEDTLS_SSL_TLS1_3_LABEL( c_ap_traffic, "c ap traffic"                      ) \
34     MBEDTLS_SSL_TLS1_3_LABEL( c_e_traffic , "c e traffic"                       ) \
35     MBEDTLS_SSL_TLS1_3_LABEL( s_hs_traffic, "s hs traffic"                      ) \
36     MBEDTLS_SSL_TLS1_3_LABEL( s_ap_traffic, "s ap traffic"                      ) \
37     MBEDTLS_SSL_TLS1_3_LABEL( s_e_traffic , "s e traffic"                       ) \
38     MBEDTLS_SSL_TLS1_3_LABEL( e_exp_master, "e exp master"                      ) \
39     MBEDTLS_SSL_TLS1_3_LABEL( res_master  , "res master"                        ) \
40     MBEDTLS_SSL_TLS1_3_LABEL( exp_master  , "exp master"                        ) \
41     MBEDTLS_SSL_TLS1_3_LABEL( ext_binder  , "ext binder"                        ) \
42     MBEDTLS_SSL_TLS1_3_LABEL( res_binder  , "res binder"                        ) \
43     MBEDTLS_SSL_TLS1_3_LABEL( derived     , "derived"                           ) \
44     MBEDTLS_SSL_TLS1_3_LABEL( client_cv   , "TLS 1.3, client CertificateVerify" ) \
45     MBEDTLS_SSL_TLS1_3_LABEL( server_cv   , "TLS 1.3, server CertificateVerify" )
46 
47 #define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0
48 #define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED   1
49 
50 #define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL   0
51 #define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1
52 
53 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
54 
55 #define MBEDTLS_SSL_TLS1_3_LABEL( name, string )       \
56     const unsigned char name    [ sizeof(string) - 1 ];
57 
58 union mbedtls_ssl_tls13_labels_union
59 {
60     MBEDTLS_SSL_TLS1_3_LABEL_LIST
61 };
62 struct mbedtls_ssl_tls13_labels_struct
63 {
64     MBEDTLS_SSL_TLS1_3_LABEL_LIST
65 };
66 #undef MBEDTLS_SSL_TLS1_3_LABEL
67 
68 extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels;
69 
70 #define MBEDTLS_SSL_TLS1_3_LBL_LEN( LABEL )  \
71     sizeof(mbedtls_ssl_tls13_labels.LABEL)
72 
73 #define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( LABEL )  \
74     mbedtls_ssl_tls13_labels.LABEL,              \
75     MBEDTLS_SSL_TLS1_3_LBL_LEN( LABEL )
76 
77 #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN  \
78     sizeof( union mbedtls_ssl_tls13_labels_union )
79 
80 /* The maximum length of HKDF contexts used in the TLS 1.3 standard.
81  * Since contexts are always hashes of message transcripts, this can
82  * be approximated from above by the maximum hash size. */
83 #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN  \
84     PSA_HASH_MAX_SIZE
85 
86 /* Maximum desired length for expanded key material generated
87  * by HKDF-Expand-Label.
88  *
89  * Warning: If this ever needs to be increased, the implementation
90  * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be
91  * adjusted since it currently assumes that HKDF key expansion
92  * is never used with more than 255 Bytes of output. */
93 #define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255
94 
95 /**
96  * \brief            The \c HKDF-Expand-Label function from
97  *                   the TLS 1.3 standard RFC 8446.
98  *
99  * <tt>
100  *                   HKDF-Expand-Label( Secret, Label, Context, Length ) =
101  *                       HKDF-Expand( Secret, HkdfLabel, Length )
102  * </tt>
103  *
104  * \param hash_alg   The identifier for the hash algorithm to use.
105  * \param secret     The \c Secret argument to \c HKDF-Expand-Label.
106  *                   This must be a readable buffer of length
107  *                   \p secret_len Bytes.
108  * \param secret_len The length of \p secret in Bytes.
109  * \param label      The \c Label argument to \c HKDF-Expand-Label.
110  *                   This must be a readable buffer of length
111  *                   \p label_len Bytes.
112  * \param label_len  The length of \p label in Bytes.
113  * \param ctx        The \c Context argument to \c HKDF-Expand-Label.
114  *                   This must be a readable buffer of length \p ctx_len Bytes.
115  * \param ctx_len    The length of \p context in Bytes.
116  * \param buf        The destination buffer to hold the expanded secret.
117  *                   This must be a writable buffer of length \p buf_len Bytes.
118  * \param buf_len    The desired size of the expanded secret in Bytes.
119  *
120  * \returns          \c 0 on success.
121  * \return           A negative error code on failure.
122  */
123 
124 MBEDTLS_CHECK_RETURN_CRITICAL
125 int mbedtls_ssl_tls13_hkdf_expand_label(
126                      psa_algorithm_t hash_alg,
127                      const unsigned char *secret, size_t secret_len,
128                      const unsigned char *label, size_t label_len,
129                      const unsigned char *ctx, size_t ctx_len,
130                      unsigned char *buf, size_t buf_len );
131 
132 /**
133  * \brief           This function is part of the TLS 1.3 key schedule.
134  *                  It extracts key and IV for the actual client/server traffic
135  *                  from the client/server traffic secrets.
136  *
137  * From RFC 8446:
138  *
139  * <tt>
140  *   [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length)
141  *   [sender]_write_iv  = HKDF-Expand-Label(Secret, "iv", "", iv_length)*
142  * </tt>
143  *
144  * \param hash_alg      The identifier for the hash algorithm to be used
145  *                      for the HKDF-based expansion of the secret.
146  * \param client_secret The client traffic secret.
147  *                      This must be a readable buffer of size
148  *                      \p secret_len Bytes
149  * \param server_secret The server traffic secret.
150  *                      This must be a readable buffer of size
151  *                      \p secret_len Bytes
152  * \param secret_len    Length of the secrets \p client_secret and
153  *                      \p server_secret in Bytes.
154  * \param key_len       The desired length of the key to be extracted in Bytes.
155  * \param iv_len        The desired length of the IV to be extracted in Bytes.
156  * \param keys          The address of the structure holding the generated
157  *                      keys and IVs.
158  *
159  * \returns             \c 0 on success.
160  * \returns             A negative error code on failure.
161  */
162 
163 MBEDTLS_CHECK_RETURN_CRITICAL
164 int mbedtls_ssl_tls13_make_traffic_keys(
165                      psa_algorithm_t hash_alg,
166                      const unsigned char *client_secret,
167                      const unsigned char *server_secret, size_t secret_len,
168                      size_t key_len, size_t iv_len,
169                      mbedtls_ssl_key_set *keys );
170 
171 /**
172  * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446.
173  *
174  * <tt>
175  *   Derive-Secret( Secret, Label, Messages ) =
176  *      HKDF-Expand-Label( Secret, Label,
177  *                         Hash( Messages ),
178  *                         Hash.Length ) )
179  * </tt>
180  *
181  * \param hash_alg   The identifier for the hash function used for the
182  *                   applications of HKDF.
183  * \param secret     The \c Secret argument to the \c Derive-Secret function.
184  *                   This must be a readable buffer of length
185  *                   \p secret_len Bytes.
186  * \param secret_len The length of \p secret in Bytes.
187  * \param label      The \c Label argument to the \c Derive-Secret function.
188  *                   This must be a readable buffer of length
189  *                   \p label_len Bytes.
190  * \param label_len  The length of \p label in Bytes.
191  * \param ctx        The hash of the \c Messages argument to the
192  *                   \c Derive-Secret function, or the \c Messages argument
193  *                   itself, depending on \p ctx_hashed.
194  * \param ctx_len    The length of \p ctx in Bytes.
195  * \param ctx_hashed This indicates whether the \p ctx contains the hash of
196  *                   the \c Messages argument in the application of the
197  *                   \c Derive-Secret function
198  *                   (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether
199  *                   it is the content of \c Messages itself, in which case
200  *                   the function takes care of the hashing
201  *                   (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED).
202  * \param dstbuf     The target buffer to write the output of
203  *                   \c Derive-Secret to. This must be a writable buffer of
204  *                   size \p dtsbuf_len Bytes.
205  * \param dstbuf_len The length of \p dstbuf in Bytes.
206  *
207  * \returns        \c 0 on success.
208  * \returns        A negative error code on failure.
209  */
210 MBEDTLS_CHECK_RETURN_CRITICAL
211 int mbedtls_ssl_tls13_derive_secret(
212                    psa_algorithm_t hash_alg,
213                    const unsigned char *secret, size_t secret_len,
214                    const unsigned char *label, size_t label_len,
215                    const unsigned char *ctx, size_t ctx_len,
216                    int ctx_hashed,
217                    unsigned char *dstbuf, size_t dstbuf_len );
218 
219 /**
220  * \brief Derive TLS 1.3 early data key material from early secret.
221  *
222  *        This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
223  *        with the appropriate labels.
224  *
225  * <tt>
226  *        Early Secret
227  *             |
228  *             +-----> Derive-Secret(., "c e traffic", ClientHello)
229  *             |                      = client_early_traffic_secret
230  *             |
231  *             +-----> Derive-Secret(., "e exp master", ClientHello)
232  *             .                      = early_exporter_master_secret
233  *             .
234  *             .
235  * </tt>
236  *
237  * \note  To obtain the actual key and IV for the early data traffic,
238  *        the client secret derived by this function need to be
239  *        further processed by mbedtls_ssl_tls13_make_traffic_keys().
240  *
241  * \note  The binder key, which is also generated from the early secret,
242  *        is omitted here. Its calculation is part of the separate routine
243  *        mbedtls_ssl_tls13_create_psk_binder().
244  *
245  * \param hash_alg     The hash algorithm associated with the PSK for which
246  *                     early data key material is being derived.
247  * \param early_secret The early secret from which the early data key material
248  *                     should be derived. This must be a readable buffer whose
249  *                     length is the digest size of the hash algorithm
250  *                     represented by \p md_size.
251  * \param transcript   The transcript of the handshake so far, calculated with
252  *                     respect to \p hash_alg. This must be a readable buffer
253  *                     whose length is the digest size of the hash algorithm
254  *                     represented by \p md_size.
255  * \param derived      The address of the structure in which to store
256  *                     the early data key material.
257  *
258  * \returns        \c 0 on success.
259  * \returns        A negative error code on failure.
260  */
261 MBEDTLS_CHECK_RETURN_CRITICAL
262 int mbedtls_ssl_tls13_derive_early_secrets(
263           psa_algorithm_t hash_alg,
264           unsigned char const *early_secret,
265           unsigned char const *transcript, size_t transcript_len,
266           mbedtls_ssl_tls13_early_secrets *derived );
267 
268 /**
269  * \brief Derive TLS 1.3 handshake key material from the handshake secret.
270  *
271  *        This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
272  *        with the appropriate labels from the standard.
273  *
274  * <tt>
275  *        Handshake Secret
276  *              |
277  *              +-----> Derive-Secret( ., "c hs traffic",
278  *              |                      ClientHello...ServerHello )
279  *              |                      = client_handshake_traffic_secret
280  *              |
281  *              +-----> Derive-Secret( ., "s hs traffic",
282  *              .                      ClientHello...ServerHello )
283  *              .                      = server_handshake_traffic_secret
284  *              .
285  * </tt>
286  *
287  * \note  To obtain the actual key and IV for the encrypted handshake traffic,
288  *        the client and server secret derived by this function need to be
289  *        further processed by mbedtls_ssl_tls13_make_traffic_keys().
290  *
291  * \param hash_alg          The hash algorithm associated with the ciphersuite
292  *                          that's being used for the connection.
293  * \param handshake_secret  The handshake secret from which the handshake key
294  *                          material should be derived. This must be a readable
295  *                          buffer whose length is the digest size of the hash
296  *                          algorithm represented by \p md_size.
297  * \param transcript        The transcript of the handshake so far, calculated
298  *                          with respect to \p hash_alg. This must be a readable
299  *                          buffer whose length is the digest size of the hash
300  *                          algorithm represented by \p md_size.
301  * \param derived           The address of the structure in which to
302  *                          store the handshake key material.
303  *
304  * \returns        \c 0 on success.
305  * \returns        A negative error code on failure.
306  */
307 MBEDTLS_CHECK_RETURN_CRITICAL
308 int mbedtls_ssl_tls13_derive_handshake_secrets(
309           psa_algorithm_t hash_alg,
310           unsigned char const *handshake_secret,
311           unsigned char const *transcript, size_t transcript_len,
312           mbedtls_ssl_tls13_handshake_secrets *derived );
313 
314 /**
315  * \brief Derive TLS 1.3 application key material from the master secret.
316  *
317  *        This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
318  *        with the appropriate labels from the standard.
319  *
320  * <tt>
321  *        Master Secret
322  *              |
323  *              +-----> Derive-Secret( ., "c ap traffic",
324  *              |                      ClientHello...server Finished )
325  *              |                      = client_application_traffic_secret_0
326  *              |
327  *              +-----> Derive-Secret( ., "s ap traffic",
328  *              |                      ClientHello...Server Finished )
329  *              |                      = server_application_traffic_secret_0
330  *              |
331  *              +-----> Derive-Secret( ., "exp master",
332  *              .                      ClientHello...server Finished)
333  *              .                      = exporter_master_secret
334  *              .
335  * </tt>
336  *
337  * \note  To obtain the actual key and IV for the (0-th) application traffic,
338  *        the client and server secret derived by this function need to be
339  *        further processed by mbedtls_ssl_tls13_make_traffic_keys().
340  *
341  * \param hash_alg          The hash algorithm associated with the ciphersuite
342  *                          that's being used for the connection.
343  * \param master_secret     The master secret from which the application key
344  *                          material should be derived. This must be a readable
345  *                          buffer whose length is the digest size of the hash
346  *                          algorithm represented by \p md_size.
347  * \param transcript        The transcript of the handshake up to and including
348  *                          the ServerFinished message, calculated with respect
349  *                          to \p hash_alg. This must be a readable buffer whose
350  *                          length is the digest size of the hash algorithm
351  *                          represented by \p hash_alg.
352  * \param derived           The address of the structure in which to
353  *                          store the application key material.
354  *
355  * \returns        \c 0 on success.
356  * \returns        A negative error code on failure.
357  */
358 MBEDTLS_CHECK_RETURN_CRITICAL
359 int mbedtls_ssl_tls13_derive_application_secrets(
360           psa_algorithm_t hash_alg,
361           unsigned char const *master_secret,
362           unsigned char const *transcript, size_t transcript_len,
363           mbedtls_ssl_tls13_application_secrets *derived );
364 
365 /**
366  * \brief Derive TLS 1.3 resumption master secret from the master secret.
367  *
368  *        This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret()
369  *        with the appropriate labels from the standard.
370  *
371  * \param hash_alg          The hash algorithm used in the application for which
372  *                          key material is being derived.
373  * \param application_secret The application secret from which the resumption master
374  *                          secret should be derived. This must be a readable
375  *                          buffer whose length is the digest size of the hash
376  *                          algorithm represented by \p md_size.
377  * \param transcript        The transcript of the handshake up to and including
378  *                          the ClientFinished message, calculated with respect
379  *                          to \p hash_alg. This must be a readable buffer whose
380  *                          length is the digest size of the hash algorithm
381  *                          represented by \p hash_alg.
382  * \param transcript_len    The length of \p transcript in Bytes.
383  * \param derived           The address of the structure in which to
384  *                          store the resumption master secret.
385  *
386  * \returns        \c 0 on success.
387  * \returns        A negative error code on failure.
388  */
389 MBEDTLS_CHECK_RETURN_CRITICAL
390 int mbedtls_ssl_tls13_derive_resumption_master_secret(
391           psa_algorithm_t hash_alg,
392           unsigned char const *application_secret,
393           unsigned char const *transcript, size_t transcript_len,
394           mbedtls_ssl_tls13_application_secrets *derived );
395 
396 /**
397  * \brief Compute the next secret in the TLS 1.3 key schedule
398  *
399  * The TLS 1.3 key schedule proceeds as follows to compute
400  * the three main secrets during the handshake: The early
401  * secret for early data, the handshake secret for all
402  * other encrypted handshake messages, and the master
403  * secret for all application traffic.
404  *
405  * <tt>
406  *                    0
407  *                    |
408  *                    v
409  *     PSK ->  HKDF-Extract = Early Secret
410  *                    |
411  *                    v
412  *     Derive-Secret( ., "derived", "" )
413  *                    |
414  *                    v
415  *  (EC)DHE -> HKDF-Extract = Handshake Secret
416  *                    |
417  *                    v
418  *     Derive-Secret( ., "derived", "" )
419  *                    |
420  *                    v
421  *     0 -> HKDF-Extract = Master Secret
422  * </tt>
423  *
424  * Each of the three secrets in turn is the basis for further
425  * key derivations, such as the derivation of traffic keys and IVs;
426  * see e.g. mbedtls_ssl_tls13_make_traffic_keys().
427  *
428  * This function implements one step in this evolution of secrets:
429  *
430  * <tt>
431  *                old_secret
432  *                    |
433  *                    v
434  *     Derive-Secret( ., "derived", "" )
435  *                    |
436  *                    v
437  *     input -> HKDF-Extract = new_secret
438  * </tt>
439  *
440  * \param hash_alg    The identifier for the hash function used for the
441  *                    applications of HKDF.
442  * \param secret_old  The address of the buffer holding the old secret
443  *                    on function entry. If not \c NULL, this must be a
444  *                    readable buffer whose size matches the output size
445  *                    of the hash function represented by \p hash_alg.
446  *                    If \c NULL, an all \c 0 array will be used instead.
447  * \param input       The address of the buffer holding the additional
448  *                    input for the key derivation (e.g., the PSK or the
449  *                    ephemeral (EC)DH secret). If not \c NULL, this must be
450  *                    a readable buffer whose size \p input_len Bytes.
451  *                    If \c NULL, an all \c 0 array will be used instead.
452  * \param input_len   The length of \p input in Bytes.
453  * \param secret_new  The address of the buffer holding the new secret
454  *                    on function exit. This must be a writable buffer
455  *                    whose size matches the output size of the hash
456  *                    function represented by \p hash_alg.
457  *                    This may be the same as \p secret_old.
458  *
459  * \returns           \c 0 on success.
460  * \returns           A negative error code on failure.
461  */
462 
463 MBEDTLS_CHECK_RETURN_CRITICAL
464 int mbedtls_ssl_tls13_evolve_secret(
465                    psa_algorithm_t hash_alg,
466                    const unsigned char *secret_old,
467                    const unsigned char *input, size_t input_len,
468                    unsigned char *secret_new );
469 
470 /**
471  * \brief             Calculate a TLS 1.3 PSK binder.
472  *
473  * \param ssl         The SSL context. This is used for debugging only and may
474  *                    be \c NULL if MBEDTLS_DEBUG_C is disabled.
475  * \param hash_alg    The hash algorithm associated to the PSK \p psk.
476  * \param psk         The buffer holding the PSK for which to create a binder.
477  * \param psk_len     The size of \p psk in bytes.
478  * \param psk_type    This indicates whether the PSK \p psk is externally
479  *                    provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a
480  *                    resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION).
481  * \param transcript  The handshake transcript up to the point where the
482  *                    PSK binder calculation happens. This must be readable,
483  *                    and its size must be equal to the digest size of
484  *                    the hash algorithm represented by \p hash_alg.
485  * \param result      The address at which to store the PSK binder on success.
486  *                    This must be writable, and its size must be equal to the
487  *                    digest size of  the hash algorithm represented by
488  *                    \p hash_alg.
489  *
490  * \returns           \c 0 on success.
491  * \returns           A negative error code on failure.
492  */
493 MBEDTLS_CHECK_RETURN_CRITICAL
494 int mbedtls_ssl_tls13_create_psk_binder( mbedtls_ssl_context *ssl,
495                                const psa_algorithm_t hash_alg,
496                                unsigned char const *psk, size_t psk_len,
497                                int psk_type,
498                                unsigned char const *transcript,
499                                unsigned char *result );
500 
501 /**
502  * \bref Setup an SSL transform structure representing the
503  *       record protection mechanism used by TLS 1.3
504  *
505  * \param transform    The SSL transform structure to be created. This must have
506  *                     been initialized through mbedtls_ssl_transform_init() and
507  *                     not used in any other way prior to calling this function.
508  *                     In particular, this function does not clean up the
509  *                     transform structure prior to installing the new keys.
510  * \param endpoint     Indicates whether the transform is for the client
511  *                     (value #MBEDTLS_SSL_IS_CLIENT) or the server
512  *                     (value #MBEDTLS_SSL_IS_SERVER).
513  * \param ciphersuite  The numerical identifier for the ciphersuite to use.
514  *                     This must be one of the identifiers listed in
515  *                     ssl_ciphersuites.h.
516  * \param traffic_keys The key material to use. No reference is stored in
517  *                     the SSL transform being generated, and the caller
518  *                     should destroy the key material afterwards.
519  * \param ssl          (Debug-only) The SSL context to use for debug output
520  *                     in case of failure. This parameter is only needed if
521  *                     #MBEDTLS_DEBUG_C is set, and is ignored otherwise.
522  *
523  * \return             \c 0 on success. In this case, \p transform is ready to
524  *                     be used with mbedtls_ssl_transform_decrypt() and
525  *                     mbedtls_ssl_transform_encrypt().
526  * \return             A negative error code on failure.
527  */
528 MBEDTLS_CHECK_RETURN_CRITICAL
529 int mbedtls_ssl_tls13_populate_transform( mbedtls_ssl_transform *transform,
530                                           int endpoint,
531                                           int ciphersuite,
532                                           mbedtls_ssl_key_set const *traffic_keys,
533                                           mbedtls_ssl_context *ssl );
534 
535 /*
536  * TLS 1.3 key schedule evolutions
537  *
538  *   Early -> Handshake -> Application
539  *
540  * Small wrappers around mbedtls_ssl_tls13_evolve_secret().
541  */
542 
543 /**
544  * \brief Begin TLS 1.3 key schedule by calculating early secret.
545  *
546  *        The TLS 1.3 key schedule can be viewed as a simple state machine
547  *        with states Initial -> Early -> Handshake -> Application, and
548  *        this function represents the Initial -> Early transition.
549  *
550  * \param ssl  The SSL context to operate on.
551  *
552  * \returns    \c 0 on success.
553  * \returns    A negative error code on failure.
554  */
555 MBEDTLS_CHECK_RETURN_CRITICAL
556 int mbedtls_ssl_tls13_key_schedule_stage_early( mbedtls_ssl_context *ssl );
557 
558 /**
559  * \brief Transition into handshake stage of TLS 1.3 key schedule.
560  *
561  *        The TLS 1.3 key schedule can be viewed as a simple state machine
562  *        with states Initial -> Early -> Handshake -> Application, and
563  *        this function represents the Early -> Handshake transition.
564  *
565  *        In the handshake stage, mbedtls_ssl_tls13_generate_handshake_keys()
566  *        can be used to derive the handshake traffic keys.
567  *
568  * \param ssl  The SSL context to operate on. This must be in key schedule
569  *             stage \c Early.
570  *
571  * \returns    \c 0 on success.
572  * \returns    A negative error code on failure.
573  */
574 MBEDTLS_CHECK_RETURN_CRITICAL
575 int mbedtls_ssl_tls13_key_schedule_stage_handshake( mbedtls_ssl_context *ssl );
576 
577 /**
578  * \brief Compute TLS 1.3 handshake traffic keys.
579  *
580  * \param ssl  The SSL context to operate on. This must be in
581  *             key schedule stage \c Handshake, see
582  *             mbedtls_ssl_tls13_key_schedule_stage_handshake().
583  * \param traffic_keys The address at which to store the handshake traffic key
584  *                     keys. This must be writable but may be uninitialized.
585  *
586  * \returns    \c 0 on success.
587  * \returns    A negative error code on failure.
588  */
589 MBEDTLS_CHECK_RETURN_CRITICAL
590 int mbedtls_ssl_tls13_generate_handshake_keys( mbedtls_ssl_context *ssl,
591                                                mbedtls_ssl_key_set *traffic_keys );
592 
593 /**
594  * \brief Transition into application stage of TLS 1.3 key schedule.
595  *
596  *        The TLS 1.3 key schedule can be viewed as a simple state machine
597  *        with states Initial -> Early -> Handshake -> Application, and
598  *        this function represents the Handshake -> Application transition.
599  *
600  *        In the handshake stage, mbedtls_ssl_tls13_generate_application_keys()
601  *        can be used to derive the handshake traffic keys.
602  *
603  * \param ssl  The SSL context to operate on. This must be in key schedule
604  *             stage \c Handshake.
605  *
606  * \returns    \c 0 on success.
607  * \returns    A negative error code on failure.
608  */
609 MBEDTLS_CHECK_RETURN_CRITICAL
610 int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl );
611 
612 /**
613  * \brief Compute TLS 1.3 application traffic keys.
614  *
615  * \param ssl  The SSL context to operate on. This must be in
616  *             key schedule stage \c Application, see
617  *             mbedtls_ssl_tls13_key_schedule_stage_application().
618  * \param traffic_keys The address at which to store the application traffic key
619  *                     keys. This must be writable but may be uninitialized.
620  *
621  * \returns    \c 0 on success.
622  * \returns    A negative error code on failure.
623  */
624 MBEDTLS_CHECK_RETURN_CRITICAL
625 int mbedtls_ssl_tls13_generate_application_keys(
626     mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys );
627 
628 /**
629  * \brief Compute TLS 1.3 resumption master secret.
630  *
631  * \param ssl  The SSL context to operate on. This must be in
632  *             key schedule stage \c Application, see
633  *             mbedtls_ssl_tls13_key_schedule_stage_application().
634  *
635  * \returns    \c 0 on success.
636  * \returns    A negative error code on failure.
637  */
638 MBEDTLS_CHECK_RETURN_CRITICAL
639 int mbedtls_ssl_tls13_compute_resumption_master_secret( mbedtls_ssl_context *ssl );
640 
641 /**
642  * \brief Calculate the verify_data value for the client or server TLS 1.3
643  * Finished message.
644  *
645  * \param ssl  The SSL context to operate on. This must be in
646  *             key schedule stage \c Handshake, see
647  *             mbedtls_ssl_tls13_key_schedule_stage_application().
648  * \param dst        The address at which to write the verify_data value.
649  * \param dst_len    The size of \p dst in bytes.
650  * \param actual_len The address at which to store the amount of data
651  *                   actually written to \p dst upon success.
652  * \param which      The message to calculate the `verify_data` for:
653  *                   - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message
654  *                   - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message
655  *
656  * \note       Both client and server call this function twice, once to
657  *             generate their own Finished message, and once to verify the
658  *             peer's Finished message.
659 
660  * \returns    \c 0 on success.
661  * \returns    A negative error code on failure.
662  */
663 MBEDTLS_CHECK_RETURN_CRITICAL
664 int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
665                                              unsigned char *dst,
666                                              size_t dst_len,
667                                              size_t *actual_len,
668                                              int which );
669 
670 #if defined(MBEDTLS_SSL_EARLY_DATA)
671 /**
672  * \brief Compute TLS 1.3 early transform
673  *
674  * \param ssl  The SSL context to operate on.
675  *
676  * \returns    \c 0 on success.
677  * \returns    A negative error code on failure.
678  *
679  * \warning    The function does not compute the early master secret. Call
680  *             mbedtls_ssl_tls13_key_schedule_stage_early() before to
681  *             call this function to generate the early master secret.
682  * \note       For a client/server endpoint, the function computes only the
683  *             encryption/decryption part of the transform as the decryption/
684  *             encryption part is not defined by the specification (no early
685  *             traffic from the server to the client).
686  */
687 MBEDTLS_CHECK_RETURN_CRITICAL
688 int mbedtls_ssl_tls13_compute_early_transform( mbedtls_ssl_context *ssl );
689 #endif /* MBEDTLS_SSL_EARLY_DATA */
690 
691 /**
692  * \brief Compute TLS 1.3 handshake transform
693  *
694  * \param ssl  The SSL context to operate on. The early secret must have been
695  *             computed.
696  *
697  * \returns    \c 0 on success.
698  * \returns    A negative error code on failure.
699  */
700 MBEDTLS_CHECK_RETURN_CRITICAL
701 int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
702 
703 /**
704  * \brief Compute TLS 1.3 application transform
705  *
706  * \param ssl  The SSL context to operate on. The early secret must have been
707  *             computed.
708  *
709  * \returns    \c 0 on success.
710  * \returns    A negative error code on failure.
711  */
712 MBEDTLS_CHECK_RETURN_CRITICAL
713 int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
714 
715 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
716 /**
717  * \brief Export TLS 1.3 PSK from handshake context
718  *
719  * \param[in]   ssl  The SSL context to operate on.
720  * \param[out]  psk  PSK output pointer.
721  * \param[out]  psk_len Length of PSK.
722  *
723  * \returns     \c 0 if there is a configured PSK and it was exported
724  *              successfully.
725  * \returns     A negative error code on failure.
726  */
727 MBEDTLS_CHECK_RETURN_CRITICAL
728 int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
729                                             unsigned char **psk,
730                                             size_t *psk_len );
731 #endif
732 
733 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
734 
735 #endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */
736