Key schedule rework, pt 1

include/mbedtls/config.h

@@ -3324,7 +3324,7 @@
  *
  * This module adds support for SHA-384 and SHA-512.
  */
-// #define MBEDTLS_SHA512_C
+ #define MBEDTLS_SHA512_C
 
 /**
  * \def MBEDTLS_SSL_CACHE_C

include/mbedtls/ssl.h

@@ -1084,6 +1084,16 @@ typedef void mbedtls_ssl_async_cancel_t( mbedtls_ssl_context *ssl );
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED &&
           !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
+typedef struct
+{
+    unsigned char client_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ];
+    unsigned char server_application_traffic_secret_N[ MBEDTLS_MD_MAX_SIZE ];
+    unsigned char exporter_master_secret             [ MBEDTLS_MD_MAX_SIZE ];
+#if defined(MBEDTLS_SSL_NEW_SESSION_TICKET)
+    unsigned char resumption_master_secret           [ MBEDTLS_MD_MAX_SIZE ];
+#endif /* MBEDTLS_SSL_NEW_SESSION_TICKET */
+} mbedtls_ssl_tls1_3_application_secrets;
+
 /*
  * This structure is used for storing current session data.
  *
@@ -1108,13 +1118,8 @@ struct mbedtls_ssl_session
     size_t id_len;              /*!< session id length  */
     unsigned char id[32];       /*!< session identifier */
     unsigned char master[48];   /*!< the master secret  */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
-#if defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C)
-    unsigned char resumption_master_secret[32];
-#else /* MBEDTLS_SHA512_C */
-    unsigned char resumption_master_secret[48];
-#endif /* MBEDTLS_SHA256_C && !MBEDTLS_SHA512_C */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+
+    mbedtls_ssl_tls1_3_application_secrets app_secrets;
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

include/mbedtls/ssl_internal.h

@@ -481,6 +481,19 @@ struct mbedtls_ssl_key_set
 };
 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
 
+typedef struct
+{
+    unsigned char binder_key                  [ MBEDTLS_MD_MAX_SIZE ];
+    unsigned char client_early_traffic_secret [ MBEDTLS_MD_MAX_SIZE ];
+    unsigned char early_exporter_master_secret[ MBEDTLS_MD_MAX_SIZE ];
+} mbedtls_ssl_tls1_3_early_secrets;
+
+typedef struct
+{
+    unsigned char client_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ];
+    unsigned char server_handshake_traffic_secret[ MBEDTLS_MD_MAX_SIZE ];
+} mbedtls_ssl_tls1_3_handshake_secrets;
+
 /*
  * This structure contains the parameters only needed during handshake.
  */
@@ -685,11 +698,6 @@ struct mbedtls_ssl_handshake_params
 
     mbedtls_ssl_tls_prf_cb *tls_prf;
 
-   /* Buffer holding the digest up to, and including,
-     * the Finished message sent by the server.
-     */
-    unsigned char server_finished_digest[MBEDTLS_MD_MAX_SIZE];
-
     /*
      * State-local variables used during the processing
      * of a specific handshake state.
@@ -817,17 +825,14 @@ struct mbedtls_ssl_handshake_params
     unsigned char exporter_secret[MBEDTLS_MD_MAX_SIZE];
     unsigned char early_secret[MBEDTLS_MD_MAX_SIZE];
     unsigned char handshake_secret[MBEDTLS_MD_MAX_SIZE];
-    unsigned char client_handshake_traffic_secret[MBEDTLS_MD_MAX_SIZE];
-    unsigned char server_handshake_traffic_secret[MBEDTLS_MD_MAX_SIZE];
+    mbedtls_ssl_tls1_3_handshake_secrets hs_secrets;
     unsigned char master_secret[MBEDTLS_MD_MAX_SIZE];
-    unsigned char client_traffic_secret[MBEDTLS_MD_MAX_SIZE];
-    unsigned char server_traffic_secret[MBEDTLS_MD_MAX_SIZE];
     unsigned char client_finished_key[MBEDTLS_MD_MAX_SIZE];
     unsigned char server_finished_key[MBEDTLS_MD_MAX_SIZE];
 
 #if defined(MBEDTLS_ZERO_RTT)
+    mbedtls_ssl_tls1_3_early_secrets early_secrets;
     unsigned char binder_key[MBEDTLS_MD_MAX_SIZE];
-    unsigned char client_early_traffic_secret[MBEDTLS_MD_MAX_SIZE];
 
     /*!< Early data indication:
     0  -- MBEDTLS_SSL_EARLY_DATA_DISABLED (for no early data), and

library/ssl_tls13_client.c

@@ -953,6 +953,10 @@ int mbedtls_ssl_write_pre_shared_key_ext( mbedtls_ssl_context *ssl,
     else if( part == SSL_WRITE_PSK_EXT_ADD_PSK_BINDERS )
     {
         int external_psk;
+
+        unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
+        size_t transcript_len;
+
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) );
 
         /* 2 bytes length field for array of psk binders */
@@ -967,11 +971,18 @@ int mbedtls_ssl_write_pre_shared_key_ext( mbedtls_ssl_context *ssl,
         else
             external_psk = 1;
 
-        ret = mbedtls_ssl_create_binder( ssl,
+        /* Get current state of handshake transcript. */
+        ret = mbedtls_ssl_get_handshake_transcript( ssl, suite_info->mac,
+                                                    transcript, sizeof( transcript ),
+                                                    &transcript_len );
+        if( ret != 0 )
+            return( ret );
+
+        ret = mbedtls_ssl_tls1_3_create_psk_binder( ssl,
                   external_psk,
                   psk, psk_len,
-                  mbedtls_md_info_from_type( suite_info->mac ),
-                  suite_info, p );
+                  suite_info->mac,
+                  transcript, transcript_len, p );
 
         if( ret != 0 )
         {

library/ssl_tls13_generic.c

@@ -2503,25 +2503,6 @@ static int ssl_finished_out_postprocess( mbedtls_ssl_context* ssl )
 #if defined(MBEDTLS_SSL_SRV_C)
     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
     {
-        size_t transcript_len;
-
-        ret = mbedtls_ssl_get_handshake_transcript( ssl,
-                              ssl->handshake->ciphersuite_info->mac,
-                              ssl->handshake->server_finished_digest,
-                              sizeof(ssl->handshake->server_finished_digest),
-                              &transcript_len );
-        if( ret != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_handshake_transcript",
-                                   ret );
-            return( ret );
-        }
-
-        MBEDTLS_SSL_DEBUG_BUF( 3, "Transcript hash (incl. Server.Finished):",
-                               ssl->handshake->server_finished_digest,
-                               transcript_len );
-
-
         mbedtls_ssl_key_set traffic_keys;
         ret = mbedtls_ssl_generate_application_traffic_keys( ssl,
                                                              &traffic_keys );
@@ -2789,94 +2770,6 @@ static int ssl_finished_in_parse( mbedtls_ssl_context* ssl,
 static int ssl_finished_in_postprocess_cli( mbedtls_ssl_context *ssl )
 {
     int ret = 0;
-
-    const mbedtls_ssl_ciphersuite_t *suite_info =
-        mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
-    const mbedtls_cipher_info_t *cipher_info;
-
-    mbedtls_md_type_t hash_type;
-
-    /* Compute hash over transcript of all messages sent up to the Finished
-     * message sent by the server and store it in the digest variable of the
-     * handshake state. This digest will be needed later when computing the
-     * application traffic secrets. */
-    cipher_info = mbedtls_cipher_info_from_type(
-                                ssl->handshake->ciphersuite_info->cipher );
-    if( cipher_info == NULL )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
-                                  ssl->handshake->ciphersuite_info->cipher ) );
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
-
-    if( suite_info == NULL )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_ssl_ciphersuite_from_id in "
-                                  "mbedtls_ssl_generate_handshake_traffic_keys failed" ) );
-        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
-    }
-
-    hash_type = suite_info->mac;
-
-#if defined(MBEDTLS_SHA256_C)
-    if( hash_type == MBEDTLS_MD_SHA256 )
-    {
-        mbedtls_sha256_context sha256;
-        mbedtls_sha256_init( &sha256 );
-
-        if( ( ret = mbedtls_sha256_starts_ret( &sha256, 0 ) ) != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_starts_ret", ret );
-            goto exit;
-        }
-
-        mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
-
-        ret = mbedtls_sha256_finish_ret( &sha256,
-                               ssl->handshake->server_finished_digest );
-
-        mbedtls_sha256_free( &sha256 );
-
-        if( ret != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish_ret", ret );
-            goto exit;
-        }
-    }
-    else
-#endif /* MBEDTLS_SHA256_C */
-#if defined(MBEDTLS_SHA512_C)
-    if( hash_type == MBEDTLS_MD_SHA384 )
-    {
-        mbedtls_sha512_context sha512;
-        mbedtls_sha512_init( &sha512 );
-
-        if( ( ret = mbedtls_sha512_starts_ret( &sha512, 1 ) ) != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_starts_ret", ret );
-            goto exit;
-        }
-
-        mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
-
-        ret = mbedtls_sha512_finish_ret( &sha512,
-                                  ssl->handshake->server_finished_digest );
-
-        mbedtls_sha512_free( &sha512 );
-
-        if( ret != 0 )
-        {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_finish_ret", ret );
-            goto exit;
-        }
-    }
-    else
-#endif /* MBEDTLS_SHA512_C */
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-    }
-
     mbedtls_ssl_key_set traffic_keys;
     ret = mbedtls_ssl_generate_application_traffic_keys( ssl, &traffic_keys );
 
@@ -2921,16 +2814,7 @@ static int ssl_finished_in_postprocess_cli( mbedtls_ssl_context *ssl )
     }
 #endif /* MBEDTLS_SSL_USE_MPS */
 
-exit:
-
-    if( ret == 0 )
-    {
-        MBEDTLS_SSL_DEBUG_BUF( 3, "Transcript hash (incl. Srv.Finished):",
-                             ssl->handshake->server_finished_digest,
-                             mbedtls_hash_size_for_ciphersuite( suite_info ) );
-    }
-
-    return( ret );
+    return( 0 );
 }
 #endif /* MBEDTLS_SSL_CLI_C */
 
@@ -3217,7 +3101,7 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl,
         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "resumption_master_secret",
-                           ssl->session->resumption_master_secret,
+                           ssl->session->app_secrets.resumption_master_secret,
                            hash_length );
 
     /* Computer resumption key
@@ -3226,7 +3110,7 @@ static int ssl_new_session_ticket_parse( mbedtls_ssl_context* ssl,
      *                    "resumption", ticket_nonce, Hash.length )
      */
     ret = mbedtls_ssl_tls1_3_hkdf_expand_label( suite_info->mac,
-                    ssl->session->resumption_master_secret,
+                    ssl->session->app_secrets.resumption_master_secret,
                     hash_length,
                     MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN( resumption ),
                     ssl->session->ticket_nonce,