Convert TLS1.2 KDF descriptions to multistep key derivation

Convert the description of PSA_ALG_TLS12_PRF and
PSA_ALG_TLS12_PSK_TO_MS to the key derivation API that takes one input
at a time rather than the old {secret,salt,label} interface.

Define a new input category "seed".
This commit is contained in:
Gilles Peskine 2019-05-21 15:58:13 +02:00
parent 6c6195d7ba
commit 2cb9e39b50

View File

@ -1232,11 +1232,14 @@
* specified in Section 5 of RFC 5246. It is based on HMAC and can be * specified in Section 5 of RFC 5246. It is based on HMAC and can be
* used with either SHA-256 or SHA-384. * used with either SHA-256 or SHA-384.
* *
* For the application to TLS-1.2, the salt and label arguments passed * This key derivation algorithm uses the following inputs:
* to psa_key_derivation() are what's called 'seed' and 'label' in RFC 5246, * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
* respectively. For example, for TLS key expansion, the salt is the * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
* - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
*
* For the application to TLS-1.2 key expansion, the seed is the
* concatenation of ServerHello.Random + ClientHello.Random, * concatenation of ServerHello.Random + ClientHello.Random,
* while the label is "key expansion". * and the label is "key expansion".
* *
* For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the * For example, `PSA_ALG_TLS12_PRF(PSA_ALG_SHA256)` represents the
* TLS 1.2 PRF using HMAC-SHA-256. * TLS 1.2 PRF using HMAC-SHA-256.
@ -1273,10 +1276,15 @@
* The latter is based on HMAC and can be used with either SHA-256 * The latter is based on HMAC and can be used with either SHA-256
* or SHA-384. * or SHA-384.
* *
* For the application to TLS-1.2, the salt passed to psa_key_derivation() * This key derivation algorithm uses the following inputs:
* (and forwarded to the TLS-1.2 PRF) is the concatenation of the * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
* ClientHello.Random + ServerHello.Random, while the label is "master secret" * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
* or "extended master secret". * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
*
* For the application to TLS-1.2, the seed (which is
* forwarded to the TLS-1.2 PRF) is the concatenation of the
* ClientHello.Random + ServerHello.Random,
* and the label is "master secret" or "extended master secret".
* *
* For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the * For example, `PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA256)` represents the
* TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256. * TLS-1.2 PSK to MasterSecret derivation PRF using HMAC-SHA-256.
@ -1586,6 +1594,12 @@
*/ */
#define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203) #define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203)
/** A seed for key derivation.
*
* This must be a direct input.
*/
#define PSA_KEY_DERIVATION_INPUT_SEED ((psa_key_derivation_step_t)0x0204)
/**@}*/ /**@}*/
#endif /* PSA_CRYPTO_VALUES_H */ #endif /* PSA_CRYPTO_VALUES_H */