diff --git a/src/tls13.c b/src/tls13.c index d16a5761f..455cb10cf 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -225,10 +225,18 @@ static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen, #endif (void)ssl; PRIVATE_KEY_UNLOCK(); +#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen, + protocol, protocolLen, + label, labelLen, + info, infoLen, digest, + ssl->heap, ssl->devId); +#else ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen, protocol, protocolLen, label, labelLen, info, infoLen, digest); +#endif PRIVATE_KEY_LOCK(); return ret; } @@ -266,10 +274,18 @@ PRAGMA_GCC_DIAG_PUSH PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"") (void)ssl; (void)side; +#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + return wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen, + protocol, protocolLen, + label, labelLen, + info, infoLen, digest, + ssl->heap, ssl->devId); +#else return wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen, protocol, protocolLen, label, labelLen, info, infoLen, digest); +#endif PRAGMA_GCC_DIAG_POP } #endif /* !HAVE_FIPS || !wc_Tls13_HKDF_Expand_Label */ @@ -302,7 +318,7 @@ static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, switch (hashAlgo) { #ifndef NO_WOLFSSL_SHA256 case sha256_mac: - ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID); + ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, ssl->devId); if (ret == 0) { ret = wc_Sha256Update(&digest.sha256, msg, msgLen); if (ret == 0) @@ -315,7 +331,7 @@ static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, #endif #ifdef WOLFSSL_SHA384 case sha384_mac: - ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID); + ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, ssl->devId); if (ret == 0) { ret = wc_Sha384Update(&digest.sha384, msg, msgLen); if (ret == 0) @@ -328,7 +344,7 @@ static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, #endif #ifdef WOLFSSL_TLS13_SHA512 case sha512_mac: - ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID); + ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, ssl->devId); if (ret == 0) { ret = wc_Sha512Update(&digest.sha512, msg, msgLen); if (ret == 0) @@ -341,7 +357,7 @@ static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, #endif #ifdef WOLFSSL_SM3 case sm3_mac: - ret = wc_InitSm3(&digest.sm3, ssl->heap, INVALID_DEVID); + ret = wc_InitSm3(&digest.sm3, ssl->heap, ssl->devId); if (ret == 0) { ret = wc_Sm3Update(&digest.sm3, msg, msgLen); if (ret == 0) @@ -1108,8 +1124,8 @@ static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret, int side) } -static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, int saltLen, - byte* ikm, int ikmLen, int digest) +static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, + int saltLen, byte* ikm, int ikmLen, int digest) { int ret; #ifdef HAVE_PK_CALLBACKS @@ -1121,8 +1137,12 @@ static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, int sal else #endif { - (void)ssl; + #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + ret = wc_Tls13_HKDF_Extract_ex(prk, salt, saltLen, ikm, ikmLen, digest, + ssl->heap, ssl->devId); + #else ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); + #endif } return ret; } @@ -4786,17 +4806,29 @@ static int EchCheckAcceptance(WOLFSSL* ssl, const byte* input, } } /* extract clientRandomInner with a key of all zeros */ - if (ret == 0) + if (ret == 0) { + PRIVATE_KEY_UNLOCK(); + #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + ret = wc_HKDF_Extract_ex(digestType, zeros, digestSize, + ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk, + ssl->heap, ssl->devId); + #else ret = wc_HKDF_Extract(digestType, zeros, digestSize, ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk); + #endif + PRIVATE_KEY_LOCK(); + } /* tls expand with the confirmation label */ - if (ret == 0) - ret = wc_Tls13_HKDF_Expand_Label(acceptConfirmation, - ECH_ACCEPT_CONFIRMATION_SZ, - expandLabelPrk, digestSize, tls13ProtocolLabel, - TLS13_PROTOCOL_LABEL_SZ, echAcceptConfirmationLabel, - ECH_ACCEPT_CONFIRMATION_LABEL_SZ, transcriptEchConf, digestSize, - digestType); + if (ret == 0) { + PRIVATE_KEY_UNLOCK(); + ret = Tls13HKDFExpandKeyLabel(ssl, + acceptConfirmation, ECH_ACCEPT_CONFIRMATION_SZ, + expandLabelPrk, digestSize, + tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, + echAcceptConfirmationLabel, ECH_ACCEPT_CONFIRMATION_LABEL_SZ, + transcriptEchConf, digestSize, digestType, WOLFSSL_SERVER_END); + PRIVATE_KEY_LOCK(); + } if (ret == 0) { /* last 8 bytes should match our expand output */ ret = XMEMCMP(acceptConfirmation, @@ -4913,21 +4945,27 @@ static int EchWriteAcceptance(WOLFSSL* ssl, byte* output, /* extract clientRandom with a key of all zeros */ if (ret == 0) { PRIVATE_KEY_UNLOCK(); + #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + ret = wc_HKDF_Extract_ex(digestType, zeros, digestSize, + ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk, + ssl->heap, ssl->devId); + #else ret = wc_HKDF_Extract(digestType, zeros, digestSize, ssl->arrays->clientRandom, RAN_LEN, expandLabelPrk); + #endif PRIVATE_KEY_LOCK(); } /* tls expand with the confirmation label */ if (ret == 0) { PRIVATE_KEY_UNLOCK(); - ret = wc_Tls13_HKDF_Expand_Label( + ret = Tls13HKDFExpandKeyLabel(ssl, output + serverRandomOffset + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ, - ECH_ACCEPT_CONFIRMATION_SZ, - expandLabelPrk, digestSize, tls13ProtocolLabel, - TLS13_PROTOCOL_LABEL_SZ, echAcceptConfirmationLabel, - ECH_ACCEPT_CONFIRMATION_LABEL_SZ, transcriptEchConf, digestSize, - digestType); + ECH_ACCEPT_CONFIRMATION_SZ, + expandLabelPrk, digestSize, + tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, + echAcceptConfirmationLabel, ECH_ACCEPT_CONFIRMATION_LABEL_SZ, + transcriptEchConf, digestSize, digestType, WOLFSSL_SERVER_END); PRIVATE_KEY_LOCK(); } diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 83e693b25..9a80cb1e2 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -1195,8 +1195,8 @@ int wolfSSL_GetHmacMaxSize(void) * out The pseudorandom key with the length that of the hash. * returns 0 on success, otherwise failure. */ - int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, - const byte* inKey, word32 inKeySz, byte* out) + int wc_HKDF_Extract_ex(int type, const byte* salt, word32 saltSz, + const byte* inKey, word32 inKeySz, byte* out, void* heap, int devId) { byte tmp[WC_MAX_DIGEST_SIZE]; /* localSalt helper */ #ifdef WOLFSSL_SMALL_STACK @@ -1228,7 +1228,7 @@ int wolfSSL_GetHmacMaxSize(void) saltSz = hashSz; } - ret = wc_HmacInit(myHmac, NULL, INVALID_DEVID); + ret = wc_HmacInit(myHmac, heap, devId); if (ret == 0) { ret = wc_HmacSetKey(myHmac, type, localSalt, saltSz); if (ret == 0) @@ -1244,6 +1244,13 @@ int wolfSSL_GetHmacMaxSize(void) return ret; } + int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, + const byte* inKey, word32 inKeySz, byte* out) + { + return wc_HKDF_Extract_ex(type, salt, saltSz, inKey, inKeySz, out, NULL, + INVALID_DEVID); + } + /* HMAC-KDF-Expand. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * @@ -1255,8 +1262,9 @@ int wolfSSL_GetHmacMaxSize(void) * out The output keying material. * returns 0 on success, otherwise failure. */ - int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, - const byte* info, word32 infoSz, byte* out, word32 outSz) + int wc_HKDF_Expand_ex(int type, const byte* inKey, word32 inKeySz, + const byte* info, word32 infoSz, byte* out, word32 outSz, + void* heap, int devId) { byte tmp[WC_MAX_DIGEST_SIZE]; #ifdef WOLFSSL_SMALL_STACK @@ -1289,7 +1297,7 @@ int wolfSSL_GetHmacMaxSize(void) } #endif - ret = wc_HmacInit(myHmac, NULL, INVALID_DEVID); + ret = wc_HmacInit(myHmac, heap, devId); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(myHmac, NULL, DYNAMIC_TYPE_HMAC); @@ -1334,6 +1342,13 @@ int wolfSSL_GetHmacMaxSize(void) return ret; } + int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, + const byte* info, word32 infoSz, byte* out, word32 outSz) + { + return wc_HKDF_Expand_ex(type, inKey, inKeySz, info, infoSz, out, outSz, + NULL, INVALID_DEVID); + } + /* HMAC-KDF. * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF). * diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index 4921e5bb0..9b289be45 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -362,8 +362,8 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, * digest The type of digest to use. * returns 0 on success, otherwise failure. */ - int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, word32 saltLen, - byte* ikm, word32 ikmLen, int digest) + int wc_Tls13_HKDF_Extract_ex(byte* prk, const byte* salt, word32 saltLen, + byte* ikm, word32 ikmLen, int digest, void* heap, int devId) { int ret; word32 len = 0; @@ -410,7 +410,15 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, WOLFSSL_BUFFER(ikm, ikmLen); #endif +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) + ret = wc_HKDF_Extract_ex(digest, salt, saltLen, ikm, ikmLen, prk, heap, + devId); +#else ret = wc_HKDF_Extract(digest, salt, saltLen, ikm, ikmLen, prk); + (void)heap; + (void)devId; +#endif #ifdef WOLFSSL_DEBUG_TLS WOLFSSL_MSG(" PRK"); @@ -420,6 +428,13 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, return ret; } + int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, word32 saltLen, + byte* ikm, word32 ikmLen, int digest) + { + return wc_Tls13_HKDF_Extract_ex(prk, salt, saltLen, ikm, ikmLen, digest, + NULL, INVALID_DEVID); + } + /* Expand data using HMAC, salt and label and info. * TLS v1.3 defines this function. * @@ -435,12 +450,12 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, * digest The type of digest to use. * returns 0 on success, otherwise failure. */ - int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen, + int wc_Tls13_HKDF_Expand_Label_ex(byte* okm, word32 okmLen, const byte* prk, word32 prkLen, const byte* protocol, word32 protocolLen, const byte* label, word32 labelLen, const byte* info, word32 infoLen, - int digest) + int digest, void* heap, int devId) { int ret = 0; word32 idx = 0; @@ -494,7 +509,15 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, WOLFSSL_MSG_EX(" Digest %d", digest); #endif +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) + ret = wc_HKDF_Expand_ex(digest, prk, prkLen, data, idx, okm, okmLen, + heap, devId); +#else ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen); + (void)heap; + (void)devId; +#endif #ifdef WOLFSSL_DEBUG_TLS WOLFSSL_MSG(" OKM"); @@ -512,6 +535,18 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen, return ret; } + int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen, + const byte* prk, word32 prkLen, + const byte* protocol, word32 protocolLen, + const byte* label, word32 labelLen, + const byte* info, word32 infoLen, + int digest) + { + return wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen, protocol, + protocolLen, label, labelLen, info, infoLen, digest, + NULL, INVALID_DEVID); + } + #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) /* Expand data using HMAC, salt and label and info. diff --git a/wolfssl/wolfcrypt/hmac.h b/wolfssl/wolfcrypt/hmac.h index f325dd35d..fc6dc2ee3 100644 --- a/wolfssl/wolfcrypt/hmac.h +++ b/wolfssl/wolfcrypt/hmac.h @@ -210,8 +210,15 @@ WOLFSSL_LOCAL int _InitHmac(Hmac* hmac, int type, void* heap); #ifdef HAVE_HKDF +WOLFSSL_LOCAL int wc_HKDF_Extract_ex(int type, const byte* salt, word32 saltSz, + const byte* inKey, word32 inKeySz, byte* out, void* heap, int devId); + WOLFSSL_API int wc_HKDF_Extract(int type, const byte* salt, word32 saltSz, const byte* inKey, word32 inKeySz, byte* out); + +WOLFSSL_LOCAL int wc_HKDF_Expand_ex(int type, const byte* inKey, word32 inKeySz, + const byte* info, word32 infoSz, + byte* out, word32 outSz, void* heap, int devId); WOLFSSL_API int wc_HKDF_Expand(int type, const byte* inKey, word32 inKeySz, const byte* info, word32 infoSz, byte* out, word32 outSz); diff --git a/wolfssl/wolfcrypt/kdf.h b/wolfssl/wolfcrypt/kdf.h index 6a6a85698..ab4df120c 100644 --- a/wolfssl/wolfcrypt/kdf.h +++ b/wolfssl/wolfcrypt/kdf.h @@ -76,9 +76,19 @@ enum { MAX_TLS13_HKDF_LABEL_SZ = 47 + WC_MAX_DIGEST_SIZE }; +WOLFSSL_LOCAL int wc_Tls13_HKDF_Extract_ex(byte* prk, const byte* salt, + word32 saltLen, byte* ikm, word32 ikmLen, int digest, void* heap, int devId); + WOLFSSL_API int wc_Tls13_HKDF_Extract(byte* prk, const byte* salt, word32 saltLen, byte* ikm, word32 ikmLen, int digest); +WOLFSSL_LOCAL int wc_Tls13_HKDF_Expand_Label_ex(byte* okm, word32 okmLen, + const byte* prk, word32 prkLen, + const byte* protocol, word32 protocolLen, + const byte* label, word32 labelLen, + const byte* info, word32 infoLen, + int digest, void* heap, int devId); + WOLFSSL_API int wc_Tls13_HKDF_Expand_Label(byte* okm, word32 okmLen, const byte* prk, word32 prkLen, const byte* protocol, word32 protocolLen,