]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/tls13secretstest.c
projects / thirdparty / openssl.git / blob
? search:


f08b5d372238b620c615746caed0be6f08f75651
[thirdparty/openssl.git] / test / tls13secretstest.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #ifdef __VMS
14 # pragma names save
15 # pragma names as_is,shortened
16 #endif
17
18 #include "../ssl/ssl_locl.h"
19
20 #ifdef __VMS
21 # pragma names restore
22 #endif
23
24 #include "testutil.h"
25
26 #define IVLEN 12
27 #define KEYLEN 16
28
29 /* The following are self-generated test vectors. This gives us very little
30 * confidence that we've got the implementation right, but at least tells us
31 * if we accidentally break something in the future. Until we can get some
32 * other source of test vectors this is all we've got.
33 * TODO(TLS1.3): As and when official vectors become available we should use
34 * those, e.g. see
35 * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
36 * the time of writing these are not suitable because they are based on
37 * draft -16, which works differently to the draft -20 vectors below.
38 */
39
40 static unsigned char hs_start_hash[] = {
41 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
42 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
43 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
44 };
45
46 static unsigned char hs_full_hash[] = {
47 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
48 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
49 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
50 };
51
52 static unsigned char early_secret[] = {
53 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
54 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
55 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
56 };
57
58 static unsigned char ecdhe_secret[] = {
59 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
60 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
61 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
62 };
63
64 static unsigned char handshake_secret[] = {
65 0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28,
66 0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a,
67 0x81, 0x33, 0x86, 0x58, 0x7f, 0x46
68 };
69
70 static const char *client_hts_label = "c hs traffic";
71
72 static unsigned char client_hts[] = {
73 0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
74 0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
75 0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
76 };
77
78 static unsigned char client_hts_key[] = {
79 0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
80 0x95, 0x85, 0xa7
81 };
82
83 static unsigned char client_hts_iv[] = {
84 0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
85 };
86
87 static const char *server_hts_label = "s hs traffic";
88
89 static unsigned char server_hts[] = {
90 0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
91 0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
92 0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
93 };
94
95 static unsigned char server_hts_key[] = {
96 0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
97 0xbc, 0xbc, 0x54
98 };
99
100 static unsigned char server_hts_iv[] = {
101 0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
102 };
103
104 static unsigned char master_secret[] = {
105 0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56,
106 0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49,
107 0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8
108 };
109
110 static const char *client_ats_label = "c ap traffic";
111
112 static unsigned char client_ats[] = {
113 0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
114 0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
115 0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
116 };
117
118 static unsigned char client_ats_key[] = {
119 0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
120 0xd7, 0x57, 0x2e
121 };
122
123 static unsigned char client_ats_iv[] = {
124 0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
125 };
126
127 static const char *server_ats_label = "s ap traffic";
128
129 static unsigned char server_ats[] = {
130 0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
131 0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
132 0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
133 };
134
135 static unsigned char server_ats_key[] = {
136 0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
137 0xe6, 0x2b, 0xb3
138 };
139
140 static unsigned char server_ats_iv[] = {
141 0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
142 };
143
144 /* Mocked out implementations of various functions */
145 int ssl3_digest_cached_records(SSL *s, int keep)
146 {
147 return 1;
148 }
149
150 static int full_hash = 0;
151
152 /* Give a hash of the currently set handshake */
153 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
154 size_t *hashlen)
155 {
156 if (sizeof(hs_start_hash) > outlen
157 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
158 return 0;
159
160 if (full_hash) {
161 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
162 *hashlen = sizeof(hs_full_hash);
163 } else {
164 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
165 *hashlen = sizeof(hs_start_hash);
166 }
167
168 return 1;
169 }
170
171 const EVP_MD *ssl_handshake_md(SSL *s)
172 {
173 return EVP_sha256();
174 }
175
176 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
177 {
178 }
179
180 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
181 {
182 }
183
184 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
185 const EVP_MD **md, int *mac_pkey_type,
186 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
187
188 {
189 return 0;
190 }
191
192 int tls1_alert_code(int code)
193 {
194 return code;
195 }
196
197 int ssl_log_secret(SSL *ssl,
198 const char *label,
199 const uint8_t *secret,
200 size_t secret_len)
201 {
202 return 1;
203 }
204
205 const EVP_MD *ssl_md(int idx)
206 {
207 return EVP_sha256();
208 }
209
210 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
211 int line)
212 {
213 }
214
215 int ossl_statem_export_allowed(SSL *s)
216 {
217 return 1;
218 }
219
220 /* End of mocked out code */
221
222 static int test_secret(SSL *s, unsigned char *prk,
223 const unsigned char *label, size_t labellen,
224 const unsigned char *ref_secret,
225 const unsigned char *ref_key, const unsigned char *ref_iv)
226 {
227 size_t hashsize;
228 unsigned char gensecret[EVP_MAX_MD_SIZE];
229 unsigned char hash[EVP_MAX_MD_SIZE];
230 unsigned char key[KEYLEN];
231 unsigned char iv[IVLEN];
232 const EVP_MD *md = ssl_handshake_md(s);
233
234 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
235 TEST_error("Failed to get hash");
236 return 0;
237 }
238
239 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
240 gensecret, hashsize)) {
241 TEST_error("Secret generation failed");
242 return 0;
243 }
244
245 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
246 return 0;
247
248 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
249 TEST_error("Key generation failed");
250 return 0;
251 }
252
253 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
254 return 0;
255
256 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
257 TEST_error("IV generation failed");
258 return 0;
259 }
260
261 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
262 return 0;
263
264 return 1;
265 }
266
267 static int test_handshake_secrets(void)
268 {
269 SSL_CTX *ctx = NULL;
270 SSL *s = NULL;
271 int ret = 0;
272 size_t hashsize;
273 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
274 size_t master_secret_length;
275
276 ctx = SSL_CTX_new(TLS_method());
277 if (!TEST_ptr(ctx))
278 goto err;
279
280 s = SSL_new(ctx);
281 if (!TEST_ptr(s ))
282 goto err;
283
284 s->session = SSL_SESSION_new();
285 if (!TEST_ptr(s->session))
286 goto err;
287
288 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
289 (unsigned char *)&s->early_secret))) {
290 TEST_info("Early secret generation failed");
291 goto err;
292 }
293
294 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
295 early_secret, sizeof(early_secret))) {
296 TEST_info("Early secret does not match");
297 goto err;
298 }
299
300 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
301 sizeof(ecdhe_secret)))) {
302 TEST_info("Handshake secret generation failed");
303 goto err;
304 }
305
306 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
307 handshake_secret, sizeof(handshake_secret)))
308 goto err;
309
310 hashsize = EVP_MD_size(ssl_handshake_md(s));
311 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
312 goto err;
313 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
314 goto err;
315 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
316 goto err;
317
318 if (!TEST_true(test_secret(s, s->handshake_secret,
319 (unsigned char *)client_hts_label,
320 strlen(client_hts_label), client_hts,
321 client_hts_key, client_hts_iv))) {
322 TEST_info("Client handshake secret test failed");
323 goto err;
324 }
325
326 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
327 goto err;
328 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
329 goto err;
330 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
331 goto err;
332
333 if (!TEST_true(test_secret(s, s->handshake_secret,
334 (unsigned char *)server_hts_label,
335 strlen(server_hts_label), server_hts,
336 server_hts_key, server_hts_iv))) {
337 TEST_info("Server handshake secret test failed");
338 goto err;
339 }
340
341 /*
342 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
343 * hash.
344 */
345 full_hash = 1;
346
347 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
348 s->handshake_secret, hashsize,
349 &master_secret_length))) {
350 TEST_info("Master secret generation failed");
351 goto err;
352 }
353
354 if (!TEST_mem_eq(out_master_secret, master_secret_length,
355 master_secret, sizeof(master_secret))) {
356 TEST_info("Master secret does not match");
357 goto err;
358 }
359
360 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
361 goto err;
362 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
363 goto err;
364 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
365 goto err;
366
367 if (!TEST_true(test_secret(s, out_master_secret,
368 (unsigned char *)client_ats_label,
369 strlen(client_ats_label), client_ats,
370 client_ats_key, client_ats_iv))) {
371 TEST_info("Client application data secret test failed");
372 goto err;
373 }
374
375 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
376 goto err;
377 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
378 goto err;
379 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
380 goto err;
381
382 if (!TEST_true(test_secret(s, out_master_secret,
383 (unsigned char *)server_ats_label,
384 strlen(server_ats_label), server_ats,
385 server_ats_key, server_ats_iv))) {
386 TEST_info("Server application data secret test failed");
387 goto err;
388 }
389
390 ret = 1;
391 err:
392 SSL_free(s);
393 SSL_CTX_free(ctx);
394 return ret;
395 }
396
397 int setup_tests()
398 {
399 ADD_TEST(test_handshake_secrets);
400 return 1;
401 }
A mirror of the official openssl repository