[thirdparty/openssl.git] / test / tls13secretstest.c

/*
 * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/ssl.h>
#include <openssl/evp.h>

#include "../ssl/ssl_local.h"
#include "testutil.h"

#define IVLEN   12
#define KEYLEN  16

/*
 * Based on the test vectors available in:
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
 */

static unsigned char hs_start_hash[] = {
0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
};

static unsigned char hs_full_hash[] = {
0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
};

static unsigned char early_secret[] = {
0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
};

static unsigned char ecdhe_secret[] = {
0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
};

static unsigned char handshake_secret[] = {
0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
};

static const char *client_hts_label = "c hs traffic";

static unsigned char client_hts[] = {
0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
};

static unsigned char client_hts_key[] = {
0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
0xad, 0x26, 0x49
};

static unsigned char client_hts_iv[] = {
0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
};

static const char *server_hts_label = "s hs traffic";

static unsigned char server_hts[] = {
0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
};

static unsigned char server_hts_key[] = {
0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
0x11, 0xac, 0x8b
};

static unsigned char server_hts_iv[] = {
0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
};

static unsigned char master_secret[] = {
0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
};

static const char *client_ats_label = "c ap traffic";

static unsigned char client_ats[] = {
0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
};

static unsigned char client_ats_key[] = {
0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
0xce, 0x5c, 0x87
};

static unsigned char client_ats_iv[] = {
0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
};

static const char *server_ats_label = "s ap traffic";

static unsigned char server_ats[] = {
0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
};

static unsigned char server_ats_key[] = {
0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
0x4b, 0x9b, 0x7d
};

static unsigned char server_ats_iv[] = {
0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
};

/* Mocked out implementations of various functions */
int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
{
    return 1;
}

static int full_hash = 0;

/* Give a hash of the currently set handshake */
int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
                       size_t *hashlen)
{
    if (sizeof(hs_start_hash) > outlen
            || sizeof(hs_full_hash) != sizeof(hs_start_hash))
        return 0;

    if (full_hash) {
        memcpy(out, hs_full_hash, sizeof(hs_full_hash));
        *hashlen = sizeof(hs_full_hash);
    } else {
        memcpy(out, hs_start_hash, sizeof(hs_start_hash));
        *hashlen = sizeof(hs_start_hash);
    }

    return 1;
}

const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
{
    return EVP_sha256();
}

int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
                                     const EVP_CIPHER **enc)
{
    return 0;
}

int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
                       const EVP_CIPHER **enc, const EVP_MD **md,
                       int *mac_pkey_type, size_t *mac_secret_size,
                       SSL_COMP **comp, int use_etm)

{
    return 0;
}

int tls1_alert_code(int code)
{
    return code;
}

int ssl_log_secret(SSL_CONNECTION *sc,
                   const char *label,
                   const uint8_t *secret,
                   size_t secret_len)
{
    return 1;
}

const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
{
    return EVP_sha256();
}

void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
{
}

void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
                       const char *fmt, ...)
{
}

int ossl_statem_export_allowed(SSL_CONNECTION *s)
{
    return 1;
}

int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
{
    return 1;
}

void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
{
}

void ssl_evp_md_free(const EVP_MD *md)
{
}

int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
                             int level, unsigned char *secret, size_t secretlen,
                             unsigned char *key, size_t keylen,
                             unsigned char *iv,  size_t ivlen,
                             unsigned char *mackey, size_t mackeylen,
                             const EVP_CIPHER *ciph, size_t taglen,
                             int mactype, const EVP_MD *md,
                             const SSL_COMP *comp, const EVP_MD *kdfdigest)
{
    return 0;
}

/* End of mocked out code */

static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
                       const unsigned char *label, size_t labellen,
                       const unsigned char *ref_secret,
                       const unsigned char *ref_key, const unsigned char *ref_iv)
{
    size_t hashsize;
    unsigned char gensecret[EVP_MAX_MD_SIZE];
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
    const EVP_MD *md = ssl_handshake_md(s);

    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
        TEST_error("Failed to get hash");
        return 0;
    }

    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
                           gensecret, hashsize, 1)) {
        TEST_error("Secret generation failed");
        return 0;
    }

    if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
        return 0;

    if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
        TEST_error("Key generation failed");
        return 0;
    }

    if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
        return 0;

    if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
        TEST_error("IV generation failed");
        return 0;
    }

    if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
        return 0;

    return 1;
}

static int test_handshake_secrets(void)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    SSL_CONNECTION *s;
    int ret = 0;
    size_t hashsize;
    unsigned char out_master_secret[EVP_MAX_MD_SIZE];
    size_t master_secret_length;

    ctx = SSL_CTX_new(TLS_method());
    if (!TEST_ptr(ctx))
        goto err;

    ssl = SSL_new(ctx);
    if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
        goto err;

    s->session = SSL_SESSION_new();
    if (!TEST_ptr(s->session))
        goto err;

    if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
                                         (unsigned char *)&s->early_secret))) {
        TEST_info("Early secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
                     early_secret, sizeof(early_secret))) {
        TEST_info("Early secret does not match");
        goto err;
    }

    if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
                                                   sizeof(ecdhe_secret)))) {
        TEST_info("Handshake secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
                     handshake_secret, sizeof(handshake_secret)))
        goto err;

    hashsize = EVP_MD_get_size(ssl_handshake_md(s));
    if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)client_hts_label,
                               strlen(client_hts_label), client_hts,
                               client_hts_key, client_hts_iv))) {
        TEST_info("Client handshake secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)server_hts_label,
                               strlen(server_hts_label), server_hts,
                               server_hts_key, server_hts_iv))) {
        TEST_info("Server handshake secret test failed");
        goto err;
    }

    /*
     * Ensure the mocked out ssl_handshake_hash() returns the full handshake
     * hash.
     */
    full_hash = 1;

    if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
                                                s->handshake_secret, hashsize,
                                                &master_secret_length))) {
        TEST_info("Master secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(out_master_secret, master_secret_length,
                     master_secret, sizeof(master_secret))) {
        TEST_info("Master secret does not match");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)client_ats_label,
                               strlen(client_ats_label), client_ats,
                               client_ats_key, client_ats_iv))) {
        TEST_info("Client application data secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)server_ats_label,
                               strlen(server_ats_label), server_ats,
                               server_ats_key, server_ats_iv))) {
        TEST_info("Server application data secret test failed");
        goto err;
    }

    ret = 1;
 err:
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return ret;
}

int setup_tests(void)
{
    ADD_TEST(test_handshake_secrets);
    return 1;
}
Commit	Line	Data
134bfe56	1	/*
da1c088f	2	* Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
134bfe56	3	*
909f1a2e	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
134bfe56 MC	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <openssl/ssl.h>
	11	#include <openssl/evp.h>
edd689ef	12
706457b7	13	#include "../ssl/ssl_local.h"
134bfe56 MC	14	#include "testutil.h"
	15
	16	#define IVLEN 12
	17	#define KEYLEN 16
	18
d6ce9da4	19	/*
c2969ff6	20	* Based on the test vectors available in:
df443918	21	* https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
134bfe56 MC	22	*/
	23
	24	static unsigned char hs_start_hash[] = {
d6ce9da4 MC	25	0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
	26	0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
	27	0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
134bfe56 MC	28	};
	29
	30	static unsigned char hs_full_hash[] = {
d6ce9da4 MC	31	0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
	32	0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
	33	0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
134bfe56 MC	34	};
	35
	36	static unsigned char early_secret[] = {
	37	0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
	38	0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
	39	0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
	40	};
	41
	42	static unsigned char ecdhe_secret[] = {
d6ce9da4 MC	43	0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
	44	0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
	45	0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
134bfe56 MC	46	};
	47
	48	static unsigned char handshake_secret[] = {
d6ce9da4 MC	49	0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
	50	0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
	51	0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
134bfe56 MC	52	};
134bfe56 MC	53
1f6359db	54	static const char *client_hts_label = "c hs traffic";
134bfe56 MC	55
134bfe56 MC	56	static unsigned char client_hts[] = {
d6ce9da4 MC	57	0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
	58	0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
	59	0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
134bfe56 MC	60	};
	61
	62	static unsigned char client_hts_key[] = {
d6ce9da4 MC	63	0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
d6ce9da4 MC	64	0xad, 0x26, 0x49
134bfe56 MC	65	};
	66
	67	static unsigned char client_hts_iv[] = {
d6ce9da4	68	0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
134bfe56 MC	69	};
134bfe56 MC	70
1f6359db	71	static const char *server_hts_label = "s hs traffic";
134bfe56 MC	72
134bfe56 MC	73	static unsigned char server_hts[] = {
d6ce9da4 MC	74	0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
	75	0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
	76	0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
134bfe56 MC	77	};
	78
	79	static unsigned char server_hts_key[] = {
d6ce9da4 MC	80	0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
d6ce9da4 MC	81	0x11, 0xac, 0x8b
134bfe56 MC	82	};
	83
	84	static unsigned char server_hts_iv[] = {
d6ce9da4	85	0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
134bfe56 MC	86	};
	87
	88	static unsigned char master_secret[] = {
d6ce9da4 MC	89	0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
	90	0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
	91	0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
134bfe56 MC	92	};
134bfe56 MC	93
1f6359db	94	static const char *client_ats_label = "c ap traffic";
134bfe56 MC	95
134bfe56 MC	96	static unsigned char client_ats[] = {
d6ce9da4 MC	97	0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
	98	0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
	99	0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
134bfe56 MC	100	};
	101
	102	static unsigned char client_ats_key[] = {
d6ce9da4 MC	103	0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
d6ce9da4 MC	104	0xce, 0x5c, 0x87
134bfe56 MC	105	};
	106
	107	static unsigned char client_ats_iv[] = {
d6ce9da4	108	0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
134bfe56 MC	109	};
134bfe56 MC	110
1f6359db	111	static const char *server_ats_label = "s ap traffic";
134bfe56 MC	112
134bfe56 MC	113	static unsigned char server_ats[] = {
d6ce9da4 MC	114	0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
	115	0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
	116	0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
134bfe56 MC	117	};
	118
	119	static unsigned char server_ats_key[] = {
d6ce9da4 MC	120	0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
d6ce9da4 MC	121	0x4b, 0x9b, 0x7d
134bfe56 MC	122	};
	123
	124	static unsigned char server_ats_iv[] = {
d6ce9da4	125	0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
134bfe56 MC	126	};
	127
	128	/* Mocked out implementations of various functions */
38b051a1	129	int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
134bfe56 MC	130	{
	131	return 1;
	132	}
	133
	134	static int full_hash = 0;
	135
	136	/* Give a hash of the currently set handshake */
38b051a1	137	int ssl_handshake_hash(SSL_CONNECTION s, unsigned char out, size_t outlen,
134bfe56 MC	138	size_t *hashlen)
	139	{
	140	if (sizeof(hs_start_hash) > outlen
	141	\|\| sizeof(hs_full_hash) != sizeof(hs_start_hash))
	142	return 0;
	143
	144	if (full_hash) {
	145	memcpy(out, hs_full_hash, sizeof(hs_full_hash));
	146	*hashlen = sizeof(hs_full_hash);
	147	} else {
	148	memcpy(out, hs_start_hash, sizeof(hs_start_hash));
	149	*hashlen = sizeof(hs_start_hash);
	150	}
	151
	152	return 1;
	153	}
	154
38b051a1	155	const EVP_MD ssl_handshake_md(SSL_CONNECTION s)
134bfe56 MC	156	{
	157	return EVP_sha256();
	158	}
	159
9727f4e7 MC	160	int ssl_cipher_get_evp_cipher(SSL_CTX ctx, const SSL_CIPHER sslc,
	161	const EVP_CIPHER **enc)
	162	{
	163	return 0;
	164	}
	165
c8f6c28a MC	166	int ssl_cipher_get_evp(SSL_CTX ctx, const SSL_SESSION s,
	167	const EVP_CIPHER enc, const EVP_MD md,
	168	int mac_pkey_type, size_t mac_secret_size,
	169	SSL_COMP **comp, int use_etm)
92760c21 MC	170
	171	{
	172	return 0;
	173	}
	174
04904312 MC	175	int tls1_alert_code(int code)
	176	{
	177	return code;
	178	}
	179
38b051a1	180	int ssl_log_secret(SSL_CONNECTION *sc,
f1a5939f CB	181	const char *label,
	182	const uint8_t *secret,
	183	size_t secret_len)
	184	{
	185	return 1;
	186	}
	187
c8f6c28a	188	const EVP_MD ssl_md(SSL_CTX ctx, int idx)
d49e23ec MC	189	{
	190	return EVP_sha256();
	191	}
	192
38b051a1	193	void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
5a2d0ef3 RL	194	{
	195	}
	196
38b051a1 TM	197	void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
38b051a1 TM	198	const char *fmt, ...)
f63a17d6 MC	199	{
	200	}
	201
38b051a1	202	int ossl_statem_export_allowed(SSL_CONNECTION *s)
1f5878b8 TT	203	{
	204	return 1;
	205	}
	206
38b051a1	207	int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
b38ede80 TT	208	{
	209	return 1;
	210	}
	211
c8f6c28a MC	212	void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
	213	{
	214	}
	215
	216	void ssl_evp_md_free(const EVP_MD *md)
	217	{
	218	}
	219
cc110a0a	220	int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
3f9175c7 MC	221	int level, unsigned char *secret, size_t secretlen,
3f9175c7 MC	222	unsigned char *key, size_t keylen,
79eebb08 MC	223	unsigned char *iv, size_t ivlen,
	224	unsigned char *mackey, size_t mackeylen,
	225	const EVP_CIPHER *ciph, size_t taglen,
	226	int mactype, const EVP_MD *md,
3f9175c7	227	const SSL_COMP comp, const EVP_MD kdfdigest)
79eebb08 MC	228	{
	229	return 0;
	230	}
	231
134bfe56 MC	232	/* End of mocked out code */
134bfe56 MC	233
38b051a1	234	static int test_secret(SSL_CONNECTION s, unsigned char prk,
134bfe56 MC	235	const unsigned char *label, size_t labellen,
	236	const unsigned char *ref_secret,
	237	const unsigned char ref_key, const unsigned char ref_iv)
	238	{
ace081c1	239	size_t hashsize;
134bfe56	240	unsigned char gensecret[EVP_MAX_MD_SIZE];
ace081c1	241	unsigned char hash[EVP_MAX_MD_SIZE];
134bfe56 MC	242	unsigned char key[KEYLEN];
134bfe56 MC	243	unsigned char iv[IVLEN];
ec15acb6	244	const EVP_MD *md = ssl_handshake_md(s);
134bfe56	245
ace081c1	246	if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
2fae041d	247	TEST_error("Failed to get hash");
ace081c1 MC	248	return 0;
	249	}
	250
a19ae67d	251	if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
0fb2815b	252	gensecret, hashsize, 1)) {
2fae041d	253	TEST_error("Secret generation failed");
134bfe56 MC	254	return 0;
	255	}
	256
2fae041d	257	if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
134bfe56	258	return 0;
134bfe56	259
d49e23ec	260	if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
2fae041d	261	TEST_error("Key generation failed");
134bfe56 MC	262	return 0;
	263	}
	264
2fae041d	265	if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
134bfe56	266	return 0;
134bfe56	267
d49e23ec	268	if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
2fae041d	269	TEST_error("IV generation failed");
134bfe56 MC	270	return 0;
	271	}
	272
2fae041d	273	if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
134bfe56	274	return 0;
134bfe56 MC	275
	276	return 1;
	277	}
	278
	279	static int test_handshake_secrets(void)
	280	{
	281	SSL_CTX *ctx = NULL;
38b051a1 TM	282	SSL *ssl = NULL;
38b051a1 TM	283	SSL_CONNECTION *s;
134bfe56 MC	284	int ret = 0;
	285	size_t hashsize;
	286	unsigned char out_master_secret[EVP_MAX_MD_SIZE];
	287	size_t master_secret_length;
	288
	289	ctx = SSL_CTX_new(TLS_method());
2fae041d	290	if (!TEST_ptr(ctx))
134bfe56 MC	291	goto err;
134bfe56 MC	292
38b051a1 TM	293	ssl = SSL_new(ctx);
38b051a1 TM	294	if (!TEST_ptr(ssl) \|\| !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
134bfe56 MC	295	goto err;
134bfe56 MC	296
ec15acb6	297	s->session = SSL_SESSION_new();
2fae041d	298	if (!TEST_ptr(s->session))
ec15acb6 MC	299	goto err;
ec15acb6 MC	300
2fae041d P	301	if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
	302	(unsigned char *)&s->early_secret))) {
	303	TEST_info("Early secret generation failed");
134bfe56 MC	304	goto err;
	305	}
	306
2fae041d P	307	if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
	308	early_secret, sizeof(early_secret))) {
	309	TEST_info("Early secret does not match");
134bfe56 MC	310	goto err;
	311	}
	312
2fae041d P	313	if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
2fae041d P	314	sizeof(ecdhe_secret)))) {
44e69951	315	TEST_info("Handshake secret generation failed");
134bfe56 MC	316	goto err;
	317	}
	318
2fae041d P	319	if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
2fae041d P	320	handshake_secret, sizeof(handshake_secret)))
134bfe56	321	goto err;
134bfe56	322
ed576acd	323	hashsize = EVP_MD_get_size(ssl_handshake_md(s));
2fae041d P	324	if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
	325	goto err;
	326	if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
	327	goto err;
	328	if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
134bfe56	329	goto err;
134bfe56	330
2fae041d P	331	if (!TEST_true(test_secret(s, s->handshake_secret,
	332	(unsigned char *)client_hts_label,
	333	strlen(client_hts_label), client_hts,
	334	client_hts_key, client_hts_iv))) {
	335	TEST_info("Client handshake secret test failed");
134bfe56 MC	336	goto err;
	337	}
	338
2fae041d P	339	if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
	340	goto err;
	341	if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
	342	goto err;
	343	if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
134bfe56	344	goto err;
134bfe56	345
2fae041d P	346	if (!TEST_true(test_secret(s, s->handshake_secret,
	347	(unsigned char *)server_hts_label,
	348	strlen(server_hts_label), server_hts,
	349	server_hts_key, server_hts_iv))) {
	350	TEST_info("Server handshake secret test failed");
134bfe56 MC	351	goto err;
	352	}
	353
	354	/*
	355	* Ensure the mocked out ssl_handshake_hash() returns the full handshake
	356	* hash.
	357	*/
	358	full_hash = 1;
	359
2fae041d P	360	if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
	361	s->handshake_secret, hashsize,
	362	&master_secret_length))) {
	363	TEST_info("Master secret generation failed");
134bfe56 MC	364	goto err;
	365	}
	366
2fae041d P	367	if (!TEST_mem_eq(out_master_secret, master_secret_length,
	368	master_secret, sizeof(master_secret))) {
	369	TEST_info("Master secret does not match");
134bfe56 MC	370	goto err;
	371	}
	372
2fae041d P	373	if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
	374	goto err;
	375	if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
	376	goto err;
	377	if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
134bfe56	378	goto err;
134bfe56	379
2fae041d P	380	if (!TEST_true(test_secret(s, out_master_secret,
	381	(unsigned char *)client_ats_label,
	382	strlen(client_ats_label), client_ats,
	383	client_ats_key, client_ats_iv))) {
	384	TEST_info("Client application data secret test failed");
134bfe56 MC	385	goto err;
	386	}
	387
2fae041d P	388	if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
	389	goto err;
	390	if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
	391	goto err;
	392	if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
134bfe56	393	goto err;
134bfe56	394
2fae041d P	395	if (!TEST_true(test_secret(s, out_master_secret,
	396	(unsigned char *)server_ats_label,
	397	strlen(server_ats_label), server_ats,
	398	server_ats_key, server_ats_iv))) {
	399	TEST_info("Server application data secret test failed");
134bfe56 MC	400	goto err;
	401	}
	402
	403	ret = 1;
	404	err:
38b051a1	405	SSL_free(ssl);
134bfe56 MC	406	SSL_CTX_free(ctx);
	407	return ret;
	408	}
	409
3cb7c5cf	410	int setup_tests(void)
134bfe56	411	{
134bfe56	412	ADD_TEST(test_handshake_secrets);
ad887416	413	return 1;
134bfe56	414	}