
5  *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
43 * character too long due to the 0-termination. */
61 * - desired_length: Length of expanded key material.
68 * - (label, label_len): label + label length, without "tls13 " prefix
74 * - (ctx, ctx_len): context + context length
78 * - dst: Target buffer for HkdfLabel structure,
81 * - dst_len: Pointer at which to store the actual length of
82 * the HkdfLabel structure on success.
251 * - One secret value per sender.
252 * - A purpose value indicating the specific value being generated
253 * - The desired lengths of key and IV.
255 * The expansion itself is based on HKDF:
257 * [sender]_write_key = HKDF-Expand-Label( Secret, "key", "", key_length )
258 * [sender]_write_iv = HKDF-Expand-Label( Secret, "iv" , "", iv_length )
275 keys->client_write_key, key_len, in mbedtls_ssl_tls13_make_traffic_keys()
276 keys->client_write_iv, iv_len); in mbedtls_ssl_tls13_make_traffic_keys()
283 keys->server_write_key, key_len, in mbedtls_ssl_tls13_make_traffic_keys()
284 keys->server_write_iv, iv_len); in mbedtls_ssl_tls13_make_traffic_keys()
289 keys->key_len = key_len; in mbedtls_ssl_tls13_make_traffic_keys()
290 keys->iv_len = iv_len; in mbedtls_ssl_tls13_make_traffic_keys()
318 * Let's double-check nonetheless to not run at the risk in mbedtls_ssl_tls13_derive_secret()
358 /* For non-initial runs, call Derive-Secret( ., "derived", "") in mbedtls_ssl_tls13_evolve_secret()
359 * on the old secret. */ in mbedtls_ssl_tls13_evolve_secret()
442 * PSK -> HKDF-Extract = Early Secret in mbedtls_ssl_tls13_derive_early_secrets()
444 * +-----> Derive-Secret(., "c e traffic", ClientHello) in mbedtls_ssl_tls13_derive_early_secrets()
447 * +-----> Derive-Secret(., "e exp master", ClientHello) in mbedtls_ssl_tls13_derive_early_secrets()
459 derived->client_early_traffic_secret, in mbedtls_ssl_tls13_derive_early_secrets()
472 derived->early_exporter_master_secret, in mbedtls_ssl_tls13_derive_early_secrets()
500 * +-----> Derive-Secret( ., "c hs traffic", in mbedtls_ssl_tls13_derive_handshake_secrets()
504 * +-----> Derive-Secret( ., "s hs traffic", in mbedtls_ssl_tls13_derive_handshake_secrets()
512 * Derive-Secret( ., "c hs traffic", ClientHello...ServerHello ) in mbedtls_ssl_tls13_derive_handshake_secrets()
521 derived->client_handshake_traffic_secret, in mbedtls_ssl_tls13_derive_handshake_secrets()
529 * Derive-Secret( ., "s hs traffic", ClientHello...ServerHello ) in mbedtls_ssl_tls13_derive_handshake_secrets()
538 derived->server_handshake_traffic_secret, in mbedtls_ssl_tls13_derive_handshake_secrets()
566 * +-----> Derive-Secret( ., "c ap traffic", in mbedtls_ssl_tls13_derive_application_secrets()
570 * +-----> Derive-Secret( ., "s ap traffic", in mbedtls_ssl_tls13_derive_application_secrets()
574 * +-----> Derive-Secret( ., "exp master", in mbedtls_ssl_tls13_derive_application_secrets()
586 derived->client_application_traffic_secret_N, in mbedtls_ssl_tls13_derive_application_secrets()
598 derived->server_application_traffic_secret_N, in mbedtls_ssl_tls13_derive_application_secrets()
610 derived->exporter_master_secret, in mbedtls_ssl_tls13_derive_application_secrets()
644 derived->resumption_master_secret, in mbedtls_ssl_tls13_derive_resumption_master_secret()
658 * with states Initial -> Early -> Handshake -> Application, and
659 * this function represents the Handshake -> Application transition.
664 * \param ssl The SSL context to operate on. This must be in key schedule
667 * \returns \c 0 on success.
668 * \returns A negative error code on failure.
674 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in ssl_tls13_key_schedule_stage_application()
676 (mbedtls_md_type_t) handshake->ciphersuite_info->mac); in ssl_tls13_key_schedule_stage_application()
683 handshake->tls13_master_secrets.handshake, in ssl_tls13_key_schedule_stage_application()
685 handshake->tls13_master_secrets.app); in ssl_tls13_key_schedule_stage_application()
693 handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg)); in ssl_tls13_key_schedule_stage_application()
733 * HKDF-Expand-Label( BaseKey, "finished", "", Hash.length ) in ssl_tls13_calc_finished_core()
786 &ssl->handshake->tls13_hs_secrets; in mbedtls_ssl_tls13_calculate_verify_data()
788 mbedtls_md_type_t const md_type = (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac; in mbedtls_ssl_tls13_calculate_verify_data()
791 (mbedtls_md_type_t) ssl->handshake->ciphersuite_info->mac); in mbedtls_ssl_tls13_calculate_verify_data()
797 base_key = tls13_hs_secrets->client_handshake_traffic_secret; in mbedtls_ssl_tls13_calculate_verify_data()
798 base_key_len = sizeof(tls13_hs_secrets->client_handshake_traffic_secret); in mbedtls_ssl_tls13_calculate_verify_data()
800 base_key = tls13_hs_secrets->server_handshake_traffic_secret; in mbedtls_ssl_tls13_calculate_verify_data()
801 base_key_len = sizeof(tls13_hs_secrets->server_handshake_traffic_secret); in mbedtls_ssl_tls13_calculate_verify_data()
862 * PSK -> HKDF-Extract = Early Secret in mbedtls_ssl_tls13_create_psk_binder()
864 * +-----> Derive-Secret(., "ext binder" | "res binder", "") in mbedtls_ssl_tls13_create_psk_binder()
961 cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher); in mbedtls_ssl_tls13_populate_transform()
964 ciphersuite_info->cipher)); in mbedtls_ssl_tls13_populate_transform()
971 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, in mbedtls_ssl_tls13_populate_transform()
977 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, in mbedtls_ssl_tls13_populate_transform()
986 key_enc = traffic_keys->server_write_key; in mbedtls_ssl_tls13_populate_transform()
987 key_dec = traffic_keys->client_write_key; in mbedtls_ssl_tls13_populate_transform()
988 iv_enc = traffic_keys->server_write_iv; in mbedtls_ssl_tls13_populate_transform()
989 iv_dec = traffic_keys->client_write_iv; in mbedtls_ssl_tls13_populate_transform()
994 key_enc = traffic_keys->client_write_key; in mbedtls_ssl_tls13_populate_transform()
995 key_dec = traffic_keys->server_write_key; in mbedtls_ssl_tls13_populate_transform()
996 iv_enc = traffic_keys->client_write_iv; in mbedtls_ssl_tls13_populate_transform()
997 iv_dec = traffic_keys->server_write_iv; in mbedtls_ssl_tls13_populate_transform()
1005 memcpy(transform->iv_enc, iv_enc, traffic_keys->iv_len); in mbedtls_ssl_tls13_populate_transform()
1006 memcpy(transform->iv_dec, iv_dec, traffic_keys->iv_len); in mbedtls_ssl_tls13_populate_transform()
1009 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, in mbedtls_ssl_tls13_populate_transform()
1016 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, in mbedtls_ssl_tls13_populate_transform()
1028 if ((ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) != 0) { in mbedtls_ssl_tls13_populate_transform()
1029 transform->taglen = 8; in mbedtls_ssl_tls13_populate_transform()
1031 transform->taglen = 16; in mbedtls_ssl_tls13_populate_transform()
1034 transform->ivlen = traffic_keys->iv_len; in mbedtls_ssl_tls13_populate_transform()
1035 transform->maclen = 0; in mbedtls_ssl_tls13_populate_transform()
1036 transform->fixed_ivlen = transform->ivlen; in mbedtls_ssl_tls13_populate_transform()
1037 transform->tls_version = MBEDTLS_SSL_VERSION_TLS1_3; in mbedtls_ssl_tls13_populate_transform()
1041 * type-extended and padded plaintext is therefore the padding in mbedtls_ssl_tls13_populate_transform()
1043 transform->minlen = in mbedtls_ssl_tls13_populate_transform()
1044 transform->taglen + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; in mbedtls_ssl_tls13_populate_transform()
1050 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, in mbedtls_ssl_tls13_populate_transform()
1051 transform->taglen, in mbedtls_ssl_tls13_populate_transform()
1060 transform->psa_alg = alg; in mbedtls_ssl_tls13_populate_transform()
1070 &transform->psa_key_enc)) != PSA_SUCCESS) { in mbedtls_ssl_tls13_populate_transform()
1081 &transform->psa_key_dec)) != PSA_SUCCESS) { in mbedtls_ssl_tls13_populate_transform()
1103 if (ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG) { in ssl_tls13_get_cipher_key_info()
1109 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, taglen, in ssl_tls13_get_cipher_key_info()
1147 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in ssl_tls13_generate_early_key()
1149 handshake->ciphersuite_info; in ssl_tls13_generate_early_key()
1159 md_type = (mbedtls_md_type_t) ciphersuite_info->mac; in ssl_tls13_generate_early_key()
1161 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); in ssl_tls13_generate_early_key()
1176 hash_alg, handshake->tls13_master_secrets.early, in ssl_tls13_generate_early_key()
1191 if (ssl->f_export_keys != NULL) { in ssl_tls13_generate_early_key()
1192 ssl->f_export_keys( in ssl_tls13_generate_early_key()
1193 ssl->p_export_keys, in ssl_tls13_generate_early_key()
1197 handshake->randbytes, in ssl_tls13_generate_early_key()
1198 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, in ssl_tls13_generate_early_key()
1205 hash_len, traffic_keys->client_write_key, key_len, in ssl_tls13_generate_early_key()
1206 traffic_keys->client_write_iv, iv_len); in ssl_tls13_generate_early_key()
1211 traffic_keys->key_len = key_len; in ssl_tls13_generate_early_key()
1212 traffic_keys->iv_len = iv_len; in ssl_tls13_generate_early_key()
1215 traffic_keys->client_write_key, in ssl_tls13_generate_early_key()
1216 traffic_keys->key_len); in ssl_tls13_generate_early_key()
1219 traffic_keys->client_write_iv, in ssl_tls13_generate_early_key()
1220 traffic_keys->iv_len); in ssl_tls13_generate_early_key()
1237 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in mbedtls_ssl_tls13_compute_early_transform()
1256 ssl->conf->endpoint, in mbedtls_ssl_tls13_compute_early_transform()
1257 handshake->ciphersuite_info->id, in mbedtls_ssl_tls13_compute_early_transform()
1264 handshake->transform_earlydata = transform_earlydata; in mbedtls_ssl_tls13_compute_early_transform()
1280 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in mbedtls_ssl_tls13_key_schedule_stage_early()
1284 if (handshake->ciphersuite_info == NULL) { in mbedtls_ssl_tls13_key_schedule_stage_early()
1289 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac); in mbedtls_ssl_tls13_key_schedule_stage_early()
1302 handshake->tls13_master_secrets.early); in mbedtls_ssl_tls13_key_schedule_stage_early()
1313 handshake->tls13_master_secrets.early, in mbedtls_ssl_tls13_key_schedule_stage_early()
1325 * \param ssl The SSL context to operate on. This must be in
1331 * \returns \c 0 on success.
1332 * \returns A negative error code on failure.
1347 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in ssl_tls13_generate_handshake_keys()
1349 handshake->ciphersuite_info; in ssl_tls13_generate_handshake_keys()
1351 &handshake->tls13_hs_secrets; in ssl_tls13_generate_handshake_keys()
1361 md_type = (mbedtls_md_type_t) ciphersuite_info->mac; in ssl_tls13_generate_handshake_keys()
1363 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); in ssl_tls13_generate_handshake_keys()
1378 hash_alg, handshake->tls13_master_secrets.handshake, in ssl_tls13_generate_handshake_keys()
1387 tls13_hs_secrets->client_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1390 tls13_hs_secrets->server_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1396 if (ssl->f_export_keys != NULL) { in ssl_tls13_generate_handshake_keys()
1397 ssl->f_export_keys( in ssl_tls13_generate_handshake_keys()
1398 ssl->p_export_keys, in ssl_tls13_generate_handshake_keys()
1400 tls13_hs_secrets->client_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1402 handshake->randbytes, in ssl_tls13_generate_handshake_keys()
1403 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, in ssl_tls13_generate_handshake_keys()
1406 ssl->f_export_keys( in ssl_tls13_generate_handshake_keys()
1407 ssl->p_export_keys, in ssl_tls13_generate_handshake_keys()
1409 tls13_hs_secrets->server_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1411 handshake->randbytes, in ssl_tls13_generate_handshake_keys()
1412 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, in ssl_tls13_generate_handshake_keys()
1418 tls13_hs_secrets->client_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1419 tls13_hs_secrets->server_handshake_traffic_secret, in ssl_tls13_generate_handshake_keys()
1427 traffic_keys->client_write_key, in ssl_tls13_generate_handshake_keys()
1428 traffic_keys->key_len); in ssl_tls13_generate_handshake_keys()
1431 traffic_keys->server_write_key, in ssl_tls13_generate_handshake_keys()
1432 traffic_keys->key_len); in ssl_tls13_generate_handshake_keys()
1435 traffic_keys->client_write_iv, in ssl_tls13_generate_handshake_keys()
1436 traffic_keys->iv_len); in ssl_tls13_generate_handshake_keys()
1439 traffic_keys->server_write_iv, in ssl_tls13_generate_handshake_keys()
1440 traffic_keys->iv_len); in ssl_tls13_generate_handshake_keys()
1453 * with states Initial -> Early -> Handshake -> Application, and
1454 * this function represents the Early -> Handshake transition.
1459 * \param ssl The SSL context to operate on. This must be in key schedule
1462 * \returns \c 0 on success.
1463 * \returns A negative error code on failure.
1469 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in ssl_tls13_key_schedule_stage_handshake()
1471 (mbedtls_md_type_t) handshake->ciphersuite_info->mac); in ssl_tls13_key_schedule_stage_handshake()
1482 if (mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) || in ssl_tls13_key_schedule_stage_handshake()
1483 mbedtls_ssl_tls13_named_group_is_ffdh(handshake->offered_group_id)) { in ssl_tls13_key_schedule_stage_handshake()
1486 mbedtls_ssl_tls13_named_group_is_ecdhe(handshake->offered_group_id) ? in ssl_tls13_key_schedule_stage_handshake()
1493 status = psa_get_key_attributes(handshake->xxdh_psa_privkey, in ssl_tls13_key_schedule_stage_handshake()
1507 alg, handshake->xxdh_psa_privkey, in ssl_tls13_key_schedule_stage_handshake()
1508 handshake->xxdh_psa_peerkey, handshake->xxdh_psa_peerkey_len, in ssl_tls13_key_schedule_stage_handshake()
1516 status = psa_destroy_key(handshake->xxdh_psa_privkey); in ssl_tls13_key_schedule_stage_handshake()
1523 handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; in ssl_tls13_key_schedule_stage_handshake()
1536 hash_alg, handshake->tls13_master_secrets.early, in ssl_tls13_key_schedule_stage_handshake()
1538 handshake->tls13_master_secrets.handshake); in ssl_tls13_key_schedule_stage_handshake()
1545 handshake->tls13_master_secrets.handshake, in ssl_tls13_key_schedule_stage_handshake()
1560 * keys, since any record following a 1-RTT Finished message MUST be
1563 * \param ssl The SSL context to operate on. This must be in
1569 * \returns \c 0 on success.
1570 * \returns A negative error code on failure.
1578 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in ssl_tls13_generate_application_keys()
1582 &ssl->session_negotiate->app_secrets; in ssl_tls13_generate_application_keys()
1601 ret = ssl_tls13_get_cipher_key_info(handshake->ciphersuite_info, in ssl_tls13_generate_application_keys()
1608 md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; in ssl_tls13_generate_application_keys()
1610 hash_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) handshake->ciphersuite_info->mac); in ssl_tls13_generate_application_keys()
1626 hash_alg, handshake->tls13_master_secrets.app, in ssl_tls13_generate_application_keys()
1638 app_secrets->client_application_traffic_secret_N, in ssl_tls13_generate_application_keys()
1639 app_secrets->server_application_traffic_secret_N, in ssl_tls13_generate_application_keys()
1647 app_secrets->client_application_traffic_secret_N, in ssl_tls13_generate_application_keys()
1651 app_secrets->server_application_traffic_secret_N, in ssl_tls13_generate_application_keys()
1657 if (ssl->f_export_keys != NULL) { in ssl_tls13_generate_application_keys()
1658 ssl->f_export_keys( in ssl_tls13_generate_application_keys()
1659 ssl->p_export_keys, in ssl_tls13_generate_application_keys()
1661 app_secrets->client_application_traffic_secret_N, hash_len, in ssl_tls13_generate_application_keys()
1662 handshake->randbytes, in ssl_tls13_generate_application_keys()
1663 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, in ssl_tls13_generate_application_keys()
1667 ssl->f_export_keys( in ssl_tls13_generate_application_keys()
1668 ssl->p_export_keys, in ssl_tls13_generate_application_keys()
1670 app_secrets->server_application_traffic_secret_N, hash_len, in ssl_tls13_generate_application_keys()
1671 handshake->randbytes, in ssl_tls13_generate_application_keys()
1672 handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, in ssl_tls13_generate_application_keys()
1678 traffic_keys->client_write_key, key_len); in ssl_tls13_generate_application_keys()
1680 traffic_keys->server_write_key, key_len); in ssl_tls13_generate_application_keys()
1682 traffic_keys->client_write_iv, iv_len); in ssl_tls13_generate_application_keys()
1684 traffic_keys->server_write_iv, iv_len); in ssl_tls13_generate_application_keys()
1690 mbedtls_platform_zeroize(ssl->handshake->randbytes, in ssl_tls13_generate_application_keys()
1691 sizeof(ssl->handshake->randbytes)); in ssl_tls13_generate_application_keys()
1702 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in mbedtls_ssl_tls13_compute_handshake_transform()
1728 ssl->conf->endpoint, in mbedtls_ssl_tls13_compute_handshake_transform()
1729 handshake->ciphersuite_info->id, in mbedtls_ssl_tls13_compute_handshake_transform()
1736 handshake->transform_handshake = transform_handshake; in mbedtls_ssl_tls13_compute_handshake_transform()
1751 mbedtls_ssl_handshake_params *handshake = ssl->handshake; in mbedtls_ssl_tls13_compute_resumption_master_secret()
1758 md_type = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; in mbedtls_ssl_tls13_compute_resumption_master_secret()
1769 handshake->tls13_master_secrets.app, in mbedtls_ssl_tls13_compute_resumption_master_secret()
1771 &ssl->session_negotiate->app_secrets); in mbedtls_ssl_tls13_compute_resumption_master_secret()
1777 mbedtls_platform_zeroize(&handshake->tls13_master_secrets, in mbedtls_ssl_tls13_compute_resumption_master_secret()
1778 sizeof(handshake->tls13_master_secrets)); in mbedtls_ssl_tls13_compute_resumption_master_secret()
1782 ssl->session_negotiate->app_secrets.resumption_master_secret, in mbedtls_ssl_tls13_compute_resumption_master_secret()
1819 ssl->conf->endpoint, in mbedtls_ssl_tls13_compute_application_transform()
1820 ssl->handshake->ciphersuite_info->id, in mbedtls_ssl_tls13_compute_application_transform()
1828 ssl->transform_application = transform_application; in mbedtls_ssl_tls13_compute_application_transform()
1851 if (mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { in mbedtls_ssl_tls13_export_handshake_psk()
1855 status = psa_get_key_attributes(ssl->handshake->psk_opaque, &key_attributes); in mbedtls_ssl_tls13_export_handshake_psk()
1866 status = psa_export_key(ssl->handshake->psk_opaque, in mbedtls_ssl_tls13_export_handshake_psk()
1875 *psk = ssl->handshake->psk; in mbedtls_ssl_tls13_export_handshake_psk()
1876 *psk_len = ssl->handshake->psk_len; in mbedtls_ssl_tls13_export_handshake_psk()