test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #ifdef __VMS
  14 # pragma names save
  15 # pragma names as_is,shortened
  16 #endif
  17
  18 #include "../ssl/ssl_locl.h"
  19
  20 #ifdef __VMS
  21 # pragma names restore
  22 #endif
  23
  24 #include "testutil.h"
  25
  26 #define IVLEN   12
  27 #define KEYLEN  16
  28
  29 /* The following are self-generated test vectors. This gives us very little
  30  * confidence that we've got the implementation right, but at least tells us
  31  * if we accidentally  break something in the future. Until we can get some
  32  * other source of test vectors this is all we've got.
  33  * TODO(TLS1.3): As and when official vectors become available we should use
  34  * those, e.g. see
  35  * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
  36  * the time of writing these are not suitable because they are based on
  37  * draft -16, which works differently to the draft -20 vectors below.
  38  */
  39
  40 static unsigned char hs_start_hash[] = {
  41 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
  42 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
  43 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
  44 };
  45
  46 static unsigned char hs_full_hash[] = {
  47 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
  48 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
  49 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
  50 };
  51
  52 static unsigned char early_secret[] = {
  53 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  54 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  55 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  56 };
  57
  58 static unsigned char ecdhe_secret[] = {
  59 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
  60 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
  61 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
  62 };
  63
  64 static unsigned char handshake_secret[] = {
  65 0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28,
  66 0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a,
  67 0x81, 0x33, 0x86, 0x58, 0x7f, 0x46
  68 };
  69
  70 static const char *client_hts_label = "c hs traffic";
  71
  72 static unsigned char client_hts[] = {
  73 0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
  74 0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
  75 0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
  76 };
  77
  78 static unsigned char client_hts_key[] = {
  79 0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
  80 0x95, 0x85, 0xa7
  81 };
  82
  83 static unsigned char client_hts_iv[] = {
  84 0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
  85 };
  86
  87 static const char *server_hts_label = "s hs traffic";
  88
  89 static unsigned char server_hts[] = {
  90 0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
  91 0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
  92 0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
  93 };
  94
  95 static unsigned char server_hts_key[] = {
  96 0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
  97 0xbc, 0xbc, 0x54
  98 };
  99
 100 static unsigned char server_hts_iv[] = {
 101 0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
 102 };
 103
 104 static unsigned char master_secret[] = {
 105 0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56,
 106 0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49,
 107 0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8
 108 };
 109
 110 static const char *client_ats_label = "c ap traffic";
 111
 112 static unsigned char client_ats[] = {
 113 0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
 114 0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
 115 0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
 116 };
 117
 118 static unsigned char client_ats_key[] = {
 119 0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
 120 0xd7, 0x57, 0x2e
 121 };
 122
 123 static unsigned char client_ats_iv[] = {
 124 0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
 125 };
 126
 127 static const char *server_ats_label = "s ap traffic";
 128
 129 static unsigned char server_ats[] = {
 130 0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
 131 0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
 132 0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
 133 };
 134
 135 static unsigned char server_ats_key[] = {
 136 0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
 137 0xe6, 0x2b, 0xb3
 138 };
 139
 140 static unsigned char server_ats_iv[] = {
 141 0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
 142 };
 143
 144 /* Mocked out implementations of various functions */
 145 int ssl3_digest_cached_records(SSL *s, int keep)
 146 {
 147     return 1;
 148 }
 149
 150 static int full_hash = 0;
 151
 152 /* Give a hash of the currently set handshake */
 153 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 154                        size_t *hashlen)
 155 {
 156     if (sizeof(hs_start_hash) > outlen
 157             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 158         return 0;
 159
 160     if (full_hash) {
 161         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 162         *hashlen = sizeof(hs_full_hash);
 163     } else {
 164         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 165         *hashlen = sizeof(hs_start_hash);
 166     }
 167
 168     return 1;
 169 }
 170
 171 const EVP_MD *ssl_handshake_md(SSL *s)
 172 {
 173     return EVP_sha256();
 174 }
 175
 176 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 177 {
 178 }
 179
 180 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 181 {
 182 }
 183
 184 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 185                        const EVP_MD **md, int *mac_pkey_type,
 186                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 187
 188 {
 189     return 0;
 190 }
 191
 192 int tls1_alert_code(int code)
 193 {
 194     return code;
 195 }
 196
 197 int ssl_log_secret(SSL *ssl,
 198                    const char *label,
 199                    const uint8_t *secret,
 200                    size_t secret_len)
 201 {
 202     return 1;
 203 }
 204
 205 const EVP_MD *ssl_md(int idx)
 206 {
 207     return EVP_sha256();
 208 }
 209
 210 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 211                            int line)
 212 {
 213 }
 214
 215 int ossl_statem_export_allowed(SSL *s)
 216 {
 217     return 1;
 218 }
 219
 220 /* End of mocked out code */
 221
 222 static int test_secret(SSL *s, unsigned char *prk,
 223                        const unsigned char *label, size_t labellen,
 224                        const unsigned char *ref_secret,
 225                        const unsigned char *ref_key, const unsigned char *ref_iv)
 226 {
 227     size_t hashsize;
 228     unsigned char gensecret[EVP_MAX_MD_SIZE];
 229     unsigned char hash[EVP_MAX_MD_SIZE];
 230     unsigned char key[KEYLEN];
 231     unsigned char iv[IVLEN];
 232     const EVP_MD *md = ssl_handshake_md(s);
 233
 234     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 235         TEST_error("Failed to get hash");
 236         return 0;
 237     }
 238
 239     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 240                            gensecret, hashsize)) {
 241         TEST_error("Secret generation failed");
 242         return 0;
 243     }
 244
 245     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 246         return 0;
 247
 248     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 249         TEST_error("Key generation failed");
 250         return 0;
 251     }
 252
 253     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 254         return 0;
 255
 256     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 257         TEST_error("IV generation failed");
 258         return 0;
 259     }
 260
 261     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 262         return 0;
 263
 264     return 1;
 265 }
 266
 267 static int test_handshake_secrets(void)
 268 {
 269     SSL_CTX *ctx = NULL;
 270     SSL *s = NULL;
 271     int ret = 0;
 272     size_t hashsize;
 273     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 274     size_t master_secret_length;
 275
 276     ctx = SSL_CTX_new(TLS_method());
 277     if (!TEST_ptr(ctx))
 278         goto err;
 279
 280     s = SSL_new(ctx);
 281     if (!TEST_ptr(s ))
 282         goto err;
 283
 284     s->session = SSL_SESSION_new();
 285     if (!TEST_ptr(s->session))
 286         goto err;
 287
 288     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 289                                          (unsigned char *)&s->early_secret))) {
 290         TEST_info("Early secret generation failed");
 291         goto err;
 292     }
 293
 294     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 295                      early_secret, sizeof(early_secret))) {
 296         TEST_info("Early secret does not match");
 297         goto err;
 298     }
 299
 300     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 301                                                    sizeof(ecdhe_secret)))) {
 302         TEST_info("Handshake secret generation failed");
 303         goto err;
 304     }
 305
 306     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 307                      handshake_secret, sizeof(handshake_secret)))
 308         goto err;
 309
 310     hashsize = EVP_MD_size(ssl_handshake_md(s));
 311     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 312         goto err;
 313     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 314         goto err;
 315     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 316         goto err;
 317
 318     if (!TEST_true(test_secret(s, s->handshake_secret,
 319                                (unsigned char *)client_hts_label,
 320                                strlen(client_hts_label), client_hts,
 321                                client_hts_key, client_hts_iv))) {
 322         TEST_info("Client handshake secret test failed");
 323         goto err;
 324     }
 325
 326     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 327         goto err;
 328     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 329         goto err;
 330     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 331         goto err;
 332
 333     if (!TEST_true(test_secret(s, s->handshake_secret,
 334                                (unsigned char *)server_hts_label,
 335                                strlen(server_hts_label), server_hts,
 336                                server_hts_key, server_hts_iv))) {
 337         TEST_info("Server handshake secret test failed");
 338         goto err;
 339     }
 340
 341     /*
 342      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 343      * hash.
 344      */
 345     full_hash = 1;
 346
 347     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 348                                                 s->handshake_secret, hashsize,
 349                                                 &master_secret_length))) {
 350         TEST_info("Master secret generation failed");
 351         goto err;
 352     }
 353
 354     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 355                      master_secret, sizeof(master_secret))) {
 356         TEST_info("Master secret does not match");
 357         goto err;
 358     }
 359
 360     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 361         goto err;
 362     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 363         goto err;
 364     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 365         goto err;
 366
 367     if (!TEST_true(test_secret(s, out_master_secret,
 368                                (unsigned char *)client_ats_label,
 369                                strlen(client_ats_label), client_ats,
 370                                client_ats_key, client_ats_iv))) {
 371         TEST_info("Client application data secret test failed");
 372         goto err;
 373     }
 374
 375     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 376         goto err;
 377     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 378         goto err;
 379     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 380         goto err;
 381
 382     if (!TEST_true(test_secret(s, out_master_secret,
 383                                (unsigned char *)server_ats_label,
 384                                strlen(server_ats_label), server_ats,
 385                                server_ats_key, server_ats_iv))) {
 386         TEST_info("Server application data secret test failed");
 387         goto err;
 388     }
 389
 390     ret = 1;
 391  err:
 392     SSL_free(s);
 393     SSL_CTX_free(ctx);
 394     return ret;
 395 }
 396
 397 int setup_tests()
 398 {
 399     ADD_TEST(test_handshake_secrets);
 400     return 1;
 401 }