1/* 2 * TLS 1.3 key schedule 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 ( the "License" ); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19#if !defined(MBEDTLS_SSL_TLS1_3_KEYS_H) 20#define MBEDTLS_SSL_TLS1_3_KEYS_H 21 22/* This requires MBEDTLS_SSL_TLS1_3_LABEL( idx, name, string ) to be defined at 23 * the point of use. See e.g. the definition of mbedtls_ssl_tls13_labels_union 24 * below. */ 25#define MBEDTLS_SSL_TLS1_3_LABEL_LIST \ 26 MBEDTLS_SSL_TLS1_3_LABEL(finished, "finished") \ 27 MBEDTLS_SSL_TLS1_3_LABEL(resumption, "resumption") \ 28 MBEDTLS_SSL_TLS1_3_LABEL(traffic_upd, "traffic upd") \ 29 MBEDTLS_SSL_TLS1_3_LABEL(exporter, "exporter") \ 30 MBEDTLS_SSL_TLS1_3_LABEL(key, "key") \ 31 MBEDTLS_SSL_TLS1_3_LABEL(iv, "iv") \ 32 MBEDTLS_SSL_TLS1_3_LABEL(c_hs_traffic, "c hs traffic") \ 33 MBEDTLS_SSL_TLS1_3_LABEL(c_ap_traffic, "c ap traffic") \ 34 MBEDTLS_SSL_TLS1_3_LABEL(c_e_traffic, "c e traffic") \ 35 MBEDTLS_SSL_TLS1_3_LABEL(s_hs_traffic, "s hs traffic") \ 36 MBEDTLS_SSL_TLS1_3_LABEL(s_ap_traffic, "s ap traffic") \ 37 MBEDTLS_SSL_TLS1_3_LABEL(s_e_traffic, "s e traffic") \ 38 MBEDTLS_SSL_TLS1_3_LABEL(e_exp_master, "e exp master") \ 39 MBEDTLS_SSL_TLS1_3_LABEL(res_master, "res master") \ 40 MBEDTLS_SSL_TLS1_3_LABEL(exp_master, "exp master") \ 41 MBEDTLS_SSL_TLS1_3_LABEL(ext_binder, "ext binder") \ 42 MBEDTLS_SSL_TLS1_3_LABEL(res_binder, "res binder") \ 43 MBEDTLS_SSL_TLS1_3_LABEL(derived, "derived") \ 44 MBEDTLS_SSL_TLS1_3_LABEL(client_cv, "TLS 1.3, client CertificateVerify") \ 45 MBEDTLS_SSL_TLS1_3_LABEL(server_cv, "TLS 1.3, server CertificateVerify") 46 47#define MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED 0 48#define MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED 1 49 50#define MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL 0 51#define MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION 1 52 53#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 54 55#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ 56 const unsigned char name [sizeof(string) - 1]; 57 58union mbedtls_ssl_tls13_labels_union { 59 MBEDTLS_SSL_TLS1_3_LABEL_LIST 60}; 61struct mbedtls_ssl_tls13_labels_struct { 62 MBEDTLS_SSL_TLS1_3_LABEL_LIST 63}; 64#undef MBEDTLS_SSL_TLS1_3_LABEL 65 66extern const struct mbedtls_ssl_tls13_labels_struct mbedtls_ssl_tls13_labels; 67 68#define MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL) \ 69 sizeof(mbedtls_ssl_tls13_labels.LABEL) 70 71#define MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(LABEL) \ 72 mbedtls_ssl_tls13_labels.LABEL, \ 73 MBEDTLS_SSL_TLS1_3_LBL_LEN(LABEL) 74 75#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_LABEL_LEN \ 76 sizeof(union mbedtls_ssl_tls13_labels_union) 77 78/* The maximum length of HKDF contexts used in the TLS 1.3 standard. 79 * Since contexts are always hashes of message transcripts, this can 80 * be approximated from above by the maximum hash size. */ 81#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_CONTEXT_LEN \ 82 PSA_HASH_MAX_SIZE 83 84/* Maximum desired length for expanded key material generated 85 * by HKDF-Expand-Label. 86 * 87 * Warning: If this ever needs to be increased, the implementation 88 * ssl_tls13_hkdf_encode_label() in ssl_tls13_keys.c needs to be 89 * adjusted since it currently assumes that HKDF key expansion 90 * is never used with more than 255 Bytes of output. */ 91#define MBEDTLS_SSL_TLS1_3_KEY_SCHEDULE_MAX_EXPANSION_LEN 255 92 93/** 94 * \brief The \c HKDF-Expand-Label function from 95 * the TLS 1.3 standard RFC 8446. 96 * 97 * <tt> 98 * HKDF-Expand-Label( Secret, Label, Context, Length ) = 99 * HKDF-Expand( Secret, HkdfLabel, Length ) 100 * </tt> 101 * 102 * \param hash_alg The identifier for the hash algorithm to use. 103 * \param secret The \c Secret argument to \c HKDF-Expand-Label. 104 * This must be a readable buffer of length 105 * \p secret_len Bytes. 106 * \param secret_len The length of \p secret in Bytes. 107 * \param label The \c Label argument to \c HKDF-Expand-Label. 108 * This must be a readable buffer of length 109 * \p label_len Bytes. 110 * \param label_len The length of \p label in Bytes. 111 * \param ctx The \c Context argument to \c HKDF-Expand-Label. 112 * This must be a readable buffer of length \p ctx_len Bytes. 113 * \param ctx_len The length of \p context in Bytes. 114 * \param buf The destination buffer to hold the expanded secret. 115 * This must be a writable buffer of length \p buf_len Bytes. 116 * \param buf_len The desired size of the expanded secret in Bytes. 117 * 118 * \returns \c 0 on success. 119 * \return A negative error code on failure. 120 */ 121 122MBEDTLS_CHECK_RETURN_CRITICAL 123int mbedtls_ssl_tls13_hkdf_expand_label( 124 psa_algorithm_t hash_alg, 125 const unsigned char *secret, size_t secret_len, 126 const unsigned char *label, size_t label_len, 127 const unsigned char *ctx, size_t ctx_len, 128 unsigned char *buf, size_t buf_len); 129 130/** 131 * \brief This function is part of the TLS 1.3 key schedule. 132 * It extracts key and IV for the actual client/server traffic 133 * from the client/server traffic secrets. 134 * 135 * From RFC 8446: 136 * 137 * <tt> 138 * [sender]_write_key = HKDF-Expand-Label(Secret, "key", "", key_length) 139 * [sender]_write_iv = HKDF-Expand-Label(Secret, "iv", "", iv_length)* 140 * </tt> 141 * 142 * \param hash_alg The identifier for the hash algorithm to be used 143 * for the HKDF-based expansion of the secret. 144 * \param client_secret The client traffic secret. 145 * This must be a readable buffer of size 146 * \p secret_len Bytes 147 * \param server_secret The server traffic secret. 148 * This must be a readable buffer of size 149 * \p secret_len Bytes 150 * \param secret_len Length of the secrets \p client_secret and 151 * \p server_secret in Bytes. 152 * \param key_len The desired length of the key to be extracted in Bytes. 153 * \param iv_len The desired length of the IV to be extracted in Bytes. 154 * \param keys The address of the structure holding the generated 155 * keys and IVs. 156 * 157 * \returns \c 0 on success. 158 * \returns A negative error code on failure. 159 */ 160 161MBEDTLS_CHECK_RETURN_CRITICAL 162int mbedtls_ssl_tls13_make_traffic_keys( 163 psa_algorithm_t hash_alg, 164 const unsigned char *client_secret, 165 const unsigned char *server_secret, size_t secret_len, 166 size_t key_len, size_t iv_len, 167 mbedtls_ssl_key_set *keys); 168 169/** 170 * \brief The \c Derive-Secret function from the TLS 1.3 standard RFC 8446. 171 * 172 * <tt> 173 * Derive-Secret( Secret, Label, Messages ) = 174 * HKDF-Expand-Label( Secret, Label, 175 * Hash( Messages ), 176 * Hash.Length ) ) 177 * </tt> 178 * 179 * \param hash_alg The identifier for the hash function used for the 180 * applications of HKDF. 181 * \param secret The \c Secret argument to the \c Derive-Secret function. 182 * This must be a readable buffer of length 183 * \p secret_len Bytes. 184 * \param secret_len The length of \p secret in Bytes. 185 * \param label The \c Label argument to the \c Derive-Secret function. 186 * This must be a readable buffer of length 187 * \p label_len Bytes. 188 * \param label_len The length of \p label in Bytes. 189 * \param ctx The hash of the \c Messages argument to the 190 * \c Derive-Secret function, or the \c Messages argument 191 * itself, depending on \p ctx_hashed. 192 * \param ctx_len The length of \p ctx in Bytes. 193 * \param ctx_hashed This indicates whether the \p ctx contains the hash of 194 * the \c Messages argument in the application of the 195 * \c Derive-Secret function 196 * (value MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED), or whether 197 * it is the content of \c Messages itself, in which case 198 * the function takes care of the hashing 199 * (value MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED). 200 * \param dstbuf The target buffer to write the output of 201 * \c Derive-Secret to. This must be a writable buffer of 202 * size \p dtsbuf_len Bytes. 203 * \param dstbuf_len The length of \p dstbuf in Bytes. 204 * 205 * \returns \c 0 on success. 206 * \returns A negative error code on failure. 207 */ 208MBEDTLS_CHECK_RETURN_CRITICAL 209int mbedtls_ssl_tls13_derive_secret( 210 psa_algorithm_t hash_alg, 211 const unsigned char *secret, size_t secret_len, 212 const unsigned char *label, size_t label_len, 213 const unsigned char *ctx, size_t ctx_len, 214 int ctx_hashed, 215 unsigned char *dstbuf, size_t dstbuf_len); 216 217/** 218 * \brief Derive TLS 1.3 early data key material from early secret. 219 * 220 * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() 221 * with the appropriate labels. 222 * 223 * <tt> 224 * Early Secret 225 * | 226 * +-----> Derive-Secret(., "c e traffic", ClientHello) 227 * | = client_early_traffic_secret 228 * | 229 * +-----> Derive-Secret(., "e exp master", ClientHello) 230 * . = early_exporter_master_secret 231 * . 232 * . 233 * </tt> 234 * 235 * \note To obtain the actual key and IV for the early data traffic, 236 * the client secret derived by this function need to be 237 * further processed by mbedtls_ssl_tls13_make_traffic_keys(). 238 * 239 * \note The binder key, which is also generated from the early secret, 240 * is omitted here. Its calculation is part of the separate routine 241 * mbedtls_ssl_tls13_create_psk_binder(). 242 * 243 * \param hash_alg The hash algorithm associated with the PSK for which 244 * early data key material is being derived. 245 * \param early_secret The early secret from which the early data key material 246 * should be derived. This must be a readable buffer whose 247 * length is the digest size of the hash algorithm 248 * represented by \p md_size. 249 * \param transcript The transcript of the handshake so far, calculated with 250 * respect to \p hash_alg. This must be a readable buffer 251 * whose length is the digest size of the hash algorithm 252 * represented by \p md_size. 253 * \param derived The address of the structure in which to store 254 * the early data key material. 255 * 256 * \returns \c 0 on success. 257 * \returns A negative error code on failure. 258 */ 259MBEDTLS_CHECK_RETURN_CRITICAL 260int mbedtls_ssl_tls13_derive_early_secrets( 261 psa_algorithm_t hash_alg, 262 unsigned char const *early_secret, 263 unsigned char const *transcript, size_t transcript_len, 264 mbedtls_ssl_tls13_early_secrets *derived); 265 266/** 267 * \brief Derive TLS 1.3 handshake key material from the handshake secret. 268 * 269 * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() 270 * with the appropriate labels from the standard. 271 * 272 * <tt> 273 * Handshake Secret 274 * | 275 * +-----> Derive-Secret( ., "c hs traffic", 276 * | ClientHello...ServerHello ) 277 * | = client_handshake_traffic_secret 278 * | 279 * +-----> Derive-Secret( ., "s hs traffic", 280 * . ClientHello...ServerHello ) 281 * . = server_handshake_traffic_secret 282 * . 283 * </tt> 284 * 285 * \note To obtain the actual key and IV for the encrypted handshake traffic, 286 * the client and server secret derived by this function need to be 287 * further processed by mbedtls_ssl_tls13_make_traffic_keys(). 288 * 289 * \param hash_alg The hash algorithm associated with the ciphersuite 290 * that's being used for the connection. 291 * \param handshake_secret The handshake secret from which the handshake key 292 * material should be derived. This must be a readable 293 * buffer whose length is the digest size of the hash 294 * algorithm represented by \p md_size. 295 * \param transcript The transcript of the handshake so far, calculated 296 * with respect to \p hash_alg. This must be a readable 297 * buffer whose length is the digest size of the hash 298 * algorithm represented by \p md_size. 299 * \param derived The address of the structure in which to 300 * store the handshake key material. 301 * 302 * \returns \c 0 on success. 303 * \returns A negative error code on failure. 304 */ 305MBEDTLS_CHECK_RETURN_CRITICAL 306int mbedtls_ssl_tls13_derive_handshake_secrets( 307 psa_algorithm_t hash_alg, 308 unsigned char const *handshake_secret, 309 unsigned char const *transcript, size_t transcript_len, 310 mbedtls_ssl_tls13_handshake_secrets *derived); 311 312/** 313 * \brief Derive TLS 1.3 application key material from the master secret. 314 * 315 * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() 316 * with the appropriate labels from the standard. 317 * 318 * <tt> 319 * Master Secret 320 * | 321 * +-----> Derive-Secret( ., "c ap traffic", 322 * | ClientHello...server Finished ) 323 * | = client_application_traffic_secret_0 324 * | 325 * +-----> Derive-Secret( ., "s ap traffic", 326 * | ClientHello...Server Finished ) 327 * | = server_application_traffic_secret_0 328 * | 329 * +-----> Derive-Secret( ., "exp master", 330 * . ClientHello...server Finished) 331 * . = exporter_master_secret 332 * . 333 * </tt> 334 * 335 * \note To obtain the actual key and IV for the (0-th) application traffic, 336 * the client and server secret derived by this function need to be 337 * further processed by mbedtls_ssl_tls13_make_traffic_keys(). 338 * 339 * \param hash_alg The hash algorithm associated with the ciphersuite 340 * that's being used for the connection. 341 * \param master_secret The master secret from which the application key 342 * material should be derived. This must be a readable 343 * buffer whose length is the digest size of the hash 344 * algorithm represented by \p md_size. 345 * \param transcript The transcript of the handshake up to and including 346 * the ServerFinished message, calculated with respect 347 * to \p hash_alg. This must be a readable buffer whose 348 * length is the digest size of the hash algorithm 349 * represented by \p hash_alg. 350 * \param derived The address of the structure in which to 351 * store the application key material. 352 * 353 * \returns \c 0 on success. 354 * \returns A negative error code on failure. 355 */ 356MBEDTLS_CHECK_RETURN_CRITICAL 357int mbedtls_ssl_tls13_derive_application_secrets( 358 psa_algorithm_t hash_alg, 359 unsigned char const *master_secret, 360 unsigned char const *transcript, size_t transcript_len, 361 mbedtls_ssl_tls13_application_secrets *derived); 362 363/** 364 * \brief Derive TLS 1.3 resumption master secret from the master secret. 365 * 366 * This is a small wrapper invoking mbedtls_ssl_tls13_derive_secret() 367 * with the appropriate labels from the standard. 368 * 369 * \param hash_alg The hash algorithm used in the application for which 370 * key material is being derived. 371 * \param application_secret The application secret from which the resumption master 372 * secret should be derived. This must be a readable 373 * buffer whose length is the digest size of the hash 374 * algorithm represented by \p md_size. 375 * \param transcript The transcript of the handshake up to and including 376 * the ClientFinished message, calculated with respect 377 * to \p hash_alg. This must be a readable buffer whose 378 * length is the digest size of the hash algorithm 379 * represented by \p hash_alg. 380 * \param transcript_len The length of \p transcript in Bytes. 381 * \param derived The address of the structure in which to 382 * store the resumption master secret. 383 * 384 * \returns \c 0 on success. 385 * \returns A negative error code on failure. 386 */ 387MBEDTLS_CHECK_RETURN_CRITICAL 388int mbedtls_ssl_tls13_derive_resumption_master_secret( 389 psa_algorithm_t hash_alg, 390 unsigned char const *application_secret, 391 unsigned char const *transcript, size_t transcript_len, 392 mbedtls_ssl_tls13_application_secrets *derived); 393 394/** 395 * \brief Compute the next secret in the TLS 1.3 key schedule 396 * 397 * The TLS 1.3 key schedule proceeds as follows to compute 398 * the three main secrets during the handshake: The early 399 * secret for early data, the handshake secret for all 400 * other encrypted handshake messages, and the master 401 * secret for all application traffic. 402 * 403 * <tt> 404 * 0 405 * | 406 * v 407 * PSK -> HKDF-Extract = Early Secret 408 * | 409 * v 410 * Derive-Secret( ., "derived", "" ) 411 * | 412 * v 413 * (EC)DHE -> HKDF-Extract = Handshake Secret 414 * | 415 * v 416 * Derive-Secret( ., "derived", "" ) 417 * | 418 * v 419 * 0 -> HKDF-Extract = Master Secret 420 * </tt> 421 * 422 * Each of the three secrets in turn is the basis for further 423 * key derivations, such as the derivation of traffic keys and IVs; 424 * see e.g. mbedtls_ssl_tls13_make_traffic_keys(). 425 * 426 * This function implements one step in this evolution of secrets: 427 * 428 * <tt> 429 * old_secret 430 * | 431 * v 432 * Derive-Secret( ., "derived", "" ) 433 * | 434 * v 435 * input -> HKDF-Extract = new_secret 436 * </tt> 437 * 438 * \param hash_alg The identifier for the hash function used for the 439 * applications of HKDF. 440 * \param secret_old The address of the buffer holding the old secret 441 * on function entry. If not \c NULL, this must be a 442 * readable buffer whose size matches the output size 443 * of the hash function represented by \p hash_alg. 444 * If \c NULL, an all \c 0 array will be used instead. 445 * \param input The address of the buffer holding the additional 446 * input for the key derivation (e.g., the PSK or the 447 * ephemeral (EC)DH secret). If not \c NULL, this must be 448 * a readable buffer whose size \p input_len Bytes. 449 * If \c NULL, an all \c 0 array will be used instead. 450 * \param input_len The length of \p input in Bytes. 451 * \param secret_new The address of the buffer holding the new secret 452 * on function exit. This must be a writable buffer 453 * whose size matches the output size of the hash 454 * function represented by \p hash_alg. 455 * This may be the same as \p secret_old. 456 * 457 * \returns \c 0 on success. 458 * \returns A negative error code on failure. 459 */ 460 461MBEDTLS_CHECK_RETURN_CRITICAL 462int mbedtls_ssl_tls13_evolve_secret( 463 psa_algorithm_t hash_alg, 464 const unsigned char *secret_old, 465 const unsigned char *input, size_t input_len, 466 unsigned char *secret_new); 467 468/** 469 * \brief Calculate a TLS 1.3 PSK binder. 470 * 471 * \param ssl The SSL context. This is used for debugging only and may 472 * be \c NULL if MBEDTLS_DEBUG_C is disabled. 473 * \param hash_alg The hash algorithm associated to the PSK \p psk. 474 * \param psk The buffer holding the PSK for which to create a binder. 475 * \param psk_len The size of \p psk in bytes. 476 * \param psk_type This indicates whether the PSK \p psk is externally 477 * provisioned (#MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL) or a 478 * resumption PSK (#MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION). 479 * \param transcript The handshake transcript up to the point where the 480 * PSK binder calculation happens. This must be readable, 481 * and its size must be equal to the digest size of 482 * the hash algorithm represented by \p hash_alg. 483 * \param result The address at which to store the PSK binder on success. 484 * This must be writable, and its size must be equal to the 485 * digest size of the hash algorithm represented by 486 * \p hash_alg. 487 * 488 * \returns \c 0 on success. 489 * \returns A negative error code on failure. 490 */ 491MBEDTLS_CHECK_RETURN_CRITICAL 492int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl, 493 const psa_algorithm_t hash_alg, 494 unsigned char const *psk, size_t psk_len, 495 int psk_type, 496 unsigned char const *transcript, 497 unsigned char *result); 498 499/** 500 * \bref Setup an SSL transform structure representing the 501 * record protection mechanism used by TLS 1.3 502 * 503 * \param transform The SSL transform structure to be created. This must have 504 * been initialized through mbedtls_ssl_transform_init() and 505 * not used in any other way prior to calling this function. 506 * In particular, this function does not clean up the 507 * transform structure prior to installing the new keys. 508 * \param endpoint Indicates whether the transform is for the client 509 * (value #MBEDTLS_SSL_IS_CLIENT) or the server 510 * (value #MBEDTLS_SSL_IS_SERVER). 511 * \param ciphersuite The numerical identifier for the ciphersuite to use. 512 * This must be one of the identifiers listed in 513 * ssl_ciphersuites.h. 514 * \param traffic_keys The key material to use. No reference is stored in 515 * the SSL transform being generated, and the caller 516 * should destroy the key material afterwards. 517 * \param ssl (Debug-only) The SSL context to use for debug output 518 * in case of failure. This parameter is only needed if 519 * #MBEDTLS_DEBUG_C is set, and is ignored otherwise. 520 * 521 * \return \c 0 on success. In this case, \p transform is ready to 522 * be used with mbedtls_ssl_transform_decrypt() and 523 * mbedtls_ssl_transform_encrypt(). 524 * \return A negative error code on failure. 525 */ 526MBEDTLS_CHECK_RETURN_CRITICAL 527int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform, 528 int endpoint, 529 int ciphersuite, 530 mbedtls_ssl_key_set const *traffic_keys, 531 mbedtls_ssl_context *ssl); 532 533/* 534 * TLS 1.3 key schedule evolutions 535 * 536 * Early -> Handshake -> Application 537 * 538 * Small wrappers around mbedtls_ssl_tls13_evolve_secret(). 539 */ 540 541/** 542 * \brief Begin TLS 1.3 key schedule by calculating early secret. 543 * 544 * The TLS 1.3 key schedule can be viewed as a simple state machine 545 * with states Initial -> Early -> Handshake -> Application, and 546 * this function represents the Initial -> Early transition. 547 * 548 * \param ssl The SSL context to operate on. 549 * 550 * \returns \c 0 on success. 551 * \returns A negative error code on failure. 552 */ 553MBEDTLS_CHECK_RETURN_CRITICAL 554int mbedtls_ssl_tls13_key_schedule_stage_early(mbedtls_ssl_context *ssl); 555 556/** 557 * \brief Compute TLS 1.3 resumption master secret. 558 * 559 * \param ssl The SSL context to operate on. This must be in 560 * key schedule stage \c Application, see 561 * mbedtls_ssl_tls13_key_schedule_stage_application(). 562 * 563 * \returns \c 0 on success. 564 * \returns A negative error code on failure. 565 */ 566MBEDTLS_CHECK_RETURN_CRITICAL 567int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl); 568 569/** 570 * \brief Calculate the verify_data value for the client or server TLS 1.3 571 * Finished message. 572 * 573 * \param ssl The SSL context to operate on. This must be in 574 * key schedule stage \c Handshake, see 575 * mbedtls_ssl_tls13_key_schedule_stage_application(). 576 * \param dst The address at which to write the verify_data value. 577 * \param dst_len The size of \p dst in bytes. 578 * \param actual_len The address at which to store the amount of data 579 * actually written to \p dst upon success. 580 * \param which The message to calculate the `verify_data` for: 581 * - #MBEDTLS_SSL_IS_CLIENT for the Client's Finished message 582 * - #MBEDTLS_SSL_IS_SERVER for the Server's Finished message 583 * 584 * \note Both client and server call this function twice, once to 585 * generate their own Finished message, and once to verify the 586 * peer's Finished message. 587 588 * \returns \c 0 on success. 589 * \returns A negative error code on failure. 590 */ 591MBEDTLS_CHECK_RETURN_CRITICAL 592int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl, 593 unsigned char *dst, 594 size_t dst_len, 595 size_t *actual_len, 596 int which); 597 598#if defined(MBEDTLS_SSL_EARLY_DATA) 599/** 600 * \brief Compute TLS 1.3 early transform 601 * 602 * \param ssl The SSL context to operate on. 603 * 604 * \returns \c 0 on success. 605 * \returns A negative error code on failure. 606 * 607 * \warning The function does not compute the early master secret. Call 608 * mbedtls_ssl_tls13_key_schedule_stage_early() before to 609 * call this function to generate the early master secret. 610 * \note For a client/server endpoint, the function computes only the 611 * encryption/decryption part of the transform as the decryption/ 612 * encryption part is not defined by the specification (no early 613 * traffic from the server to the client). 614 */ 615MBEDTLS_CHECK_RETURN_CRITICAL 616int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl); 617#endif /* MBEDTLS_SSL_EARLY_DATA */ 618 619/** 620 * \brief Compute TLS 1.3 handshake transform 621 * 622 * \param ssl The SSL context to operate on. The early secret must have been 623 * computed. 624 * 625 * \returns \c 0 on success. 626 * \returns A negative error code on failure. 627 */ 628MBEDTLS_CHECK_RETURN_CRITICAL 629int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl); 630 631/** 632 * \brief Compute TLS 1.3 application transform 633 * 634 * \param ssl The SSL context to operate on. The early secret must have been 635 * computed. 636 * 637 * \returns \c 0 on success. 638 * \returns A negative error code on failure. 639 */ 640MBEDTLS_CHECK_RETURN_CRITICAL 641int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl); 642 643#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 644/** 645 * \brief Export TLS 1.3 PSK from handshake context 646 * 647 * \param[in] ssl The SSL context to operate on. 648 * \param[out] psk PSK output pointer. 649 * \param[out] psk_len Length of PSK. 650 * 651 * \returns \c 0 if there is a configured PSK and it was exported 652 * successfully. 653 * \returns A negative error code on failure. 654 */ 655MBEDTLS_CHECK_RETURN_CRITICAL 656int mbedtls_ssl_tls13_export_handshake_psk(mbedtls_ssl_context *ssl, 657 unsigned char **psk, 658 size_t *psk_len); 659#endif 660 661#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 662 663#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */ 664