Added TLS 1.3 HKDF key derivation functionality

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

diff --git a/lib/Makefile.am b/lib/Makefile.am
index 1b4f4fd6aab4868fc0144d8439d8369d23dc8bf5..e6ca91a9462c0e442c4591d863317e394758bfaa 100644 (file)
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -79,7 +79,7 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h    \
        safe-memfuncs.c system/inet_pton.c atfork.c atfork.h randomart.c \
        system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \
        cert-session.c handshake-checks.c dtls-sw.c dh-primes.c openpgp_compat.c \
-       crypto-selftests.c crypto-selftests-pk.c
+       crypto-selftests.c crypto-selftests-pk.c secrets.c
 
 if WINDOWS
 COBJECTS += system/keys-win.c
@@ -110,7 +110,7 @@ HFILES = abstract_int.h debug.h cipher.h    \
        srp.h auth/srp_kx.h auth/srp_passwd.h   \
        file.h supplemental.h crypto.h random.h system.h\
        locks.h mbuffers.h ecc.h pin.h fips.h \
-       priority_options.h
+       priority_options.h secrets.h
 
 if ENABLE_PKCS11
 HFILES += pkcs11_int.h pkcs11x.h

diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index b970da289a5bbadf1a36afe8911784aed765817e..5676f72a5625764a7ff43f9d62f808e7b005b779 100644 (file)
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -402,6 +402,11 @@ struct gnutls_key_st {
        gnutls_pk_params_st kshare_ecdhx_params;
        gnutls_pk_params_st kshare_dh_params;
 
+       /* the current (depending on state) secret, can be
+        * early_secret, client_early_traffic_secret, ... */
+       uint8_t temp_secret[MAX_CIPHER_KEY_SIZE];
+       unsigned temp_secret_size;
+
        /* For ECDH KX */
        gnutls_pk_params_st ecdh_params; /* private part */
 

diff --git a/lib/handshake.h b/lib/handshake.h
index 3f9b55faa0f2a7ba8720d45bf9f1df43ce3f077e..6934b0d6fd12321d7941e131bda986f9cd89d18c 100644 (file)
--- a/lib/handshake.h
+++ b/lib/handshake.h
@@ -76,4 +76,16 @@ int _gnutls_handshake_get_session_hash(gnutls_session_t session, gnutls_datum_t
 int _gnutls_check_id_for_change(gnutls_session_t session);
 int _gnutls_check_if_cert_hash_is_same(gnutls_session_t session, gnutls_certificate_credentials_t cred);
 
+#define EARLY_TRAFFIC_LABEL "c e traffic"
+#define EXT_BINDER_LABEL "ext binder"
+#define RES_BINDER_LABEL "res binder"
+#define EARLY_EXPORTER_LABEL "e exp master"
+#define HANDSHAKE_CLIENT_TRAFFIC_LABEL "c hs traffic"
+#define HANDSHAKE_SERVER_TRAFFIC_LABEL "s hs traffic"
+#define DERIVED_LABEL "derived"
+#define APPLICATION_CLIENT_TRAFFIC_LABEL "c ap traffic"
+#define APPLICATION_SERVER_TRAFFIC_LABEL "s ap traffic"
+#define EXPORTER_LABEL "exp master"
+#define RES_LABEL "res master"
+
 #endif

diff --git a/lib/secrets.c b/lib/secrets.c
new file mode 100644 (file)
index 0000000..adffd8b
--- /dev/null
+++ b/lib/secrets.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+/* TLS 1.3 secret key derivation handling.
+ */
+
+#include <config.h>
+#include "gnutls_int.h"
+#include "nettle/int/hkdf.h"
+#include <nettle/hmac.h>
+#include "secrets.h"
+
+/* HKDF-Extract(0,0) or HKDF-Extract(0, PSK) */
+int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_size)
+{
+       char buf[128];
+
+       session->key.temp_secret_size = gnutls_hmac_get_len(session->security_parameters.prf_mac);
+
+       /* when no PSK, use the zero-value */
+       if (psk == NULL) {
+               psk_size = session->key.temp_secret_size;
+               if (unlikely(psk_size >= sizeof(buf)))
+                       return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
+
+               memset(buf, 0, psk_size);
+               psk = (uint8_t*)buf;
+       }
+
+       return gnutls_hmac_fast(session->security_parameters.prf_mac,
+                               "", 0,
+                               psk, psk_size,
+                               session->key.temp_secret);
+}
+
+/* HKDF-Extract(Prev-Secret, key) */
+int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t key_size)
+{
+       return gnutls_hmac_fast(session->security_parameters.prf_mac,
+                               session->key.temp_secret, session->key.temp_secret_size,
+                               key, key_size,
+                               session->key.temp_secret);
+}
+
+static
+int _tls13_expand_hash_secret(gnutls_session_t session,
+                        const char *label, unsigned label_size,
+                        const uint8_t *tbh, size_t tbh_size,
+                        const uint8_t secret[MAX_CIPHER_KEY_SIZE],
+                        unsigned out_size,
+                        void *out)
+{
+       uint8_t digest[MAX_HASH_SIZE];
+       int ret;
+       unsigned digest_size = gnutls_hmac_get_len(session->security_parameters.prf_mac);
+
+       if (unlikely(label_size >= sizeof(digest)))
+               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+       ret = gnutls_hash_fast((gnutls_digest_algorithm_t)session->security_parameters.prf_mac,
+                               tbh, tbh_size, digest);
+       if (ret < 0)
+               return gnutls_assert_val(ret);
+
+       return _tls13_expand_secret(session, label, label_size, digest, digest_size, secret, out_size, out);
+}
+
+/* HKDF-Expand-Label(Secret, Label, HashValue, Length) */
+int _tls13_expand_secret(gnutls_session_t session,
+                        const char *label, unsigned label_size,
+                        const uint8_t *msg, size_t msg_size,
+                        const uint8_t secret[MAX_CIPHER_KEY_SIZE],
+                        unsigned out_size,
+                        void *out)
+{
+       uint8_t tmp[256] = "tls13 ";
+       gnutls_buffer_st str;
+       int ret;
+
+       if (unlikely(label_size >= sizeof(tmp)-6))
+               return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
+       _gnutls_buffer_init(&str);
+
+       ret = _gnutls_buffer_append_prefix(&str, 16, out_size);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
+       memcpy(&tmp[6], label, label_size);
+       ret = _gnutls_buffer_append_data_prefix(&str, 8, tmp, label_size+6);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
+       ret = _gnutls_buffer_append_data_prefix(&str, 8, msg, msg_size);
+       if (ret < 0) {
+               gnutls_assert();
+               goto cleanup;
+       }
+
+       switch(session->security_parameters.prf_mac) {
+       case GNUTLS_MAC_SHA256:{
+               struct hmac_sha256_ctx ctx;
+
+               hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, secret);
+               hkdf_expand(&ctx, (nettle_hash_update_func*)hmac_sha256_update,
+                       (nettle_hash_digest_func*)hmac_sha256_digest, SHA256_DIGEST_SIZE,
+                       str.length, str.data, out_size, out);
+               break;
+       }
+       case GNUTLS_MAC_SHA384:{
+               struct hmac_sha384_ctx ctx;
+
+               hmac_sha384_set_key(&ctx, SHA384_DIGEST_SIZE, secret);
+               hkdf_expand(&ctx, (nettle_hash_update_func*)hmac_sha384_update,
+                       (nettle_hash_digest_func*)hmac_sha384_digest, SHA384_DIGEST_SIZE,
+                       str.length, str.data, out_size, out);
+               break;
+       }
+       default:
+               gnutls_assert();
+               ret = GNUTLS_E_INTERNAL_ERROR;
+               goto cleanup;
+       }
+
+#if 0
+        _gnutls_hard_log("INT: secret expanded for '%.*s': %d,%s\n", 
+                         (int)label_size, label, out_size,
+                         _gnutls_bin2hex(out, out_size,
+                                         (char*)tmp, sizeof(tmp), NULL));
+#endif
+
+       ret = 0;
+ cleanup:
+       _gnutls_buffer_clear(&str);
+       return ret;
+}
+
+/* Derive-Secret(Secret, Label, Messages) */
+int _tls13_derive_secret(gnutls_session_t session,
+                        const char *label, unsigned label_size,
+                        const uint8_t *msg, size_t msg_size,
+                        void *out)
+{
+       return _tls13_expand_hash_secret(session, label, label_size, msg, msg_size,
+                                        session->key.temp_secret,
+                                        session->key.temp_secret_size,
+                                        out);
+}

diff --git a/lib/secrets.h b/lib/secrets.h
new file mode 100644 (file)
index 0000000..b80af97
--- /dev/null
+++ b/lib/secrets.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2017 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#ifndef SECRETS_H
+#define SECRETS_H
+
+int _tls13_init_secret(gnutls_session_t session, const uint8_t *psk, size_t psk_size);
+int _tls13_update_secret(gnutls_session_t session, const uint8_t *key, size_t key_size);
+int _tls13_derive_secret(gnutls_session_t session,
+                         const char *label, unsigned label_size,
+                         const uint8_t *msg, size_t msg_size,
+                         void *out /* of enough length to hold PRF MAC */);
+
+int _tls13_expand_secret(gnutls_session_t session,
+                        const char *label, unsigned label_size,
+                        const uint8_t *msg, size_t msg_size,
+                        const uint8_t secret[MAX_CIPHER_KEY_SIZE],
+                        unsigned out_size,
+                        void *out);
+
+#endif