test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #include "../ssl/ssl_local.h"
  14 #include "testutil.h"
  15
  16 #define IVLEN   12
  17 #define KEYLEN  16
  18
  19 /*
  20  * Based on the test vectors available in:
  21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
  22  */
  23
  24 static unsigned char hs_start_hash[] = {
  25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
  26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
  27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
  28 };
  29
  30 static unsigned char hs_full_hash[] = {
  31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
  32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
  33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
  34 };
  35
  36 static unsigned char early_secret[] = {
  37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  40 };
  41
  42 static unsigned char ecdhe_secret[] = {
  43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
  44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
  45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
  46 };
  47
  48 static unsigned char handshake_secret[] = {
  49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
  50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
  51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
  52 };
  53
  54 static const char *client_hts_label = "c hs traffic";
  55
  56 static unsigned char client_hts[] = {
  57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
  58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
  59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
  60 };
  61
  62 static unsigned char client_hts_key[] = {
  63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
  64 0xad, 0x26, 0x49
  65 };
  66
  67 static unsigned char client_hts_iv[] = {
  68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
  69 };
  70
  71 static const char *server_hts_label = "s hs traffic";
  72
  73 static unsigned char server_hts[] = {
  74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
  75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
  76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
  77 };
  78
  79 static unsigned char server_hts_key[] = {
  80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
  81 0x11, 0xac, 0x8b
  82 };
  83
  84 static unsigned char server_hts_iv[] = {
  85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
  86 };
  87
  88 static unsigned char master_secret[] = {
  89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
  90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
  91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
  92 };
  93
  94 static const char *client_ats_label = "c ap traffic";
  95
  96 static unsigned char client_ats[] = {
  97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
  98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
  99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
 100 };
 101
 102 static unsigned char client_ats_key[] = {
 103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
 104 0xce, 0x5c, 0x87
 105 };
 106
 107 static unsigned char client_ats_iv[] = {
 108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
 109 };
 110
 111 static const char *server_ats_label = "s ap traffic";
 112
 113 static unsigned char server_ats[] = {
 114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
 115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
 116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
 117 };
 118
 119 static unsigned char server_ats_key[] = {
 120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
 121 0x4b, 0x9b, 0x7d
 122 };
 123
 124 static unsigned char server_ats_iv[] = {
 125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
 126 };
 127
 128 /* Mocked out implementations of various functions */
 129 int ssl3_digest_cached_records(SSL *s, int keep)
 130 {
 131     return 1;
 132 }
 133
 134 static int full_hash = 0;
 135
 136 /* Give a hash of the currently set handshake */
 137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 138                        size_t *hashlen)
 139 {
 140     if (sizeof(hs_start_hash) > outlen
 141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 142         return 0;
 143
 144     if (full_hash) {
 145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 146         *hashlen = sizeof(hs_full_hash);
 147     } else {
 148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 149         *hashlen = sizeof(hs_start_hash);
 150     }
 151
 152     return 1;
 153 }
 154
 155 const EVP_MD *ssl_handshake_md(SSL *s)
 156 {
 157     return EVP_sha256();
 158 }
 159
 160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 161 {
 162 }
 163
 164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 165 {
 166 }
 167
 168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
 169                                      const EVP_CIPHER **enc)
 170 {
 171     return 0;
 172 }
 173
 174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
 175                        const EVP_CIPHER **enc, const EVP_MD **md,
 176                        int *mac_pkey_type, size_t *mac_secret_size,
 177                        SSL_COMP **comp, int use_etm)
 178
 179 {
 180     return 0;
 181 }
 182
 183 int tls1_alert_code(int code)
 184 {
 185     return code;
 186 }
 187
 188 int ssl_log_secret(SSL *ssl,
 189                    const char *label,
 190                    const uint8_t *secret,
 191                    size_t secret_len)
 192 {
 193     return 1;
 194 }
 195
 196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
 197 {
 198     return EVP_sha256();
 199 }
 200
 201 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 202                            int line)
 203 {
 204 }
 205
 206 int ossl_statem_export_allowed(SSL *s)
 207 {
 208     return 1;
 209 }
 210
 211 int ossl_statem_export_early_allowed(SSL *s)
 212 {
 213     return 1;
 214 }
 215
 216 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
 217 {
 218 }
 219
 220 void ssl_evp_md_free(const EVP_MD *md)
 221 {
 222 }
 223
 224 /* End of mocked out code */
 225
 226 static int test_secret(SSL *s, unsigned char *prk,
 227                        const unsigned char *label, size_t labellen,
 228                        const unsigned char *ref_secret,
 229                        const unsigned char *ref_key, const unsigned char *ref_iv)
 230 {
 231     size_t hashsize;
 232     unsigned char gensecret[EVP_MAX_MD_SIZE];
 233     unsigned char hash[EVP_MAX_MD_SIZE];
 234     unsigned char key[KEYLEN];
 235     unsigned char iv[IVLEN];
 236     const EVP_MD *md = ssl_handshake_md(s);
 237
 238     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 239         TEST_error("Failed to get hash");
 240         return 0;
 241     }
 242
 243     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 244                            gensecret, hashsize, 1)) {
 245         TEST_error("Secret generation failed");
 246         return 0;
 247     }
 248
 249     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 250         return 0;
 251
 252     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 253         TEST_error("Key generation failed");
 254         return 0;
 255     }
 256
 257     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 258         return 0;
 259
 260     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 261         TEST_error("IV generation failed");
 262         return 0;
 263     }
 264
 265     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 266         return 0;
 267
 268     return 1;
 269 }
 270
 271 static int test_handshake_secrets(void)
 272 {
 273     SSL_CTX *ctx = NULL;
 274     SSL *s = NULL;
 275     int ret = 0;
 276     size_t hashsize;
 277     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 278     size_t master_secret_length;
 279
 280     ctx = SSL_CTX_new(TLS_method());
 281     if (!TEST_ptr(ctx))
 282         goto err;
 283
 284     s = SSL_new(ctx);
 285     if (!TEST_ptr(s ))
 286         goto err;
 287
 288     s->session = SSL_SESSION_new();
 289     if (!TEST_ptr(s->session))
 290         goto err;
 291
 292     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 293                                          (unsigned char *)&s->early_secret))) {
 294         TEST_info("Early secret generation failed");
 295         goto err;
 296     }
 297
 298     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 299                      early_secret, sizeof(early_secret))) {
 300         TEST_info("Early secret does not match");
 301         goto err;
 302     }
 303
 304     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 305                                                    sizeof(ecdhe_secret)))) {
 306         TEST_info("Handshake secret generation failed");
 307         goto err;
 308     }
 309
 310     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 311                      handshake_secret, sizeof(handshake_secret)))
 312         goto err;
 313
 314     hashsize = EVP_MD_size(ssl_handshake_md(s));
 315     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 316         goto err;
 317     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 318         goto err;
 319     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 320         goto err;
 321
 322     if (!TEST_true(test_secret(s, s->handshake_secret,
 323                                (unsigned char *)client_hts_label,
 324                                strlen(client_hts_label), client_hts,
 325                                client_hts_key, client_hts_iv))) {
 326         TEST_info("Client handshake secret test failed");
 327         goto err;
 328     }
 329
 330     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 331         goto err;
 332     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 333         goto err;
 334     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 335         goto err;
 336
 337     if (!TEST_true(test_secret(s, s->handshake_secret,
 338                                (unsigned char *)server_hts_label,
 339                                strlen(server_hts_label), server_hts,
 340                                server_hts_key, server_hts_iv))) {
 341         TEST_info("Server handshake secret test failed");
 342         goto err;
 343     }
 344
 345     /*
 346      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 347      * hash.
 348      */
 349     full_hash = 1;
 350
 351     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 352                                                 s->handshake_secret, hashsize,
 353                                                 &master_secret_length))) {
 354         TEST_info("Master secret generation failed");
 355         goto err;
 356     }
 357
 358     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 359                      master_secret, sizeof(master_secret))) {
 360         TEST_info("Master secret does not match");
 361         goto err;
 362     }
 363
 364     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 365         goto err;
 366     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 367         goto err;
 368     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 369         goto err;
 370
 371     if (!TEST_true(test_secret(s, out_master_secret,
 372                                (unsigned char *)client_ats_label,
 373                                strlen(client_ats_label), client_ats,
 374                                client_ats_key, client_ats_iv))) {
 375         TEST_info("Client application data secret test failed");
 376         goto err;
 377     }
 378
 379     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 380         goto err;
 381     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 382         goto err;
 383     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 384         goto err;
 385
 386     if (!TEST_true(test_secret(s, out_master_secret,
 387                                (unsigned char *)server_ats_label,
 388                                strlen(server_ats_label), server_ats,
 389                                server_ats_key, server_ats_iv))) {
 390         TEST_info("Server application data secret test failed");
 391         goto err;
 392     }
 393
 394     ret = 1;
 395  err:
 396     SSL_free(s);
 397     SSL_CTX_free(ctx);
 398     return ret;
 399 }
 400
 401 int setup_tests(void)
 402 {
 403     ADD_TEST(test_handshake_secrets);
 404     return 1;
 405 }