1 /*
2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #ifdef __VMS
14 # pragma names save
15 # pragma names as_is,shortened
16 #endif
17
18 #include "../ssl/ssl_locl.h"
19
20 #ifdef __VMS
21 # pragma names restore
22 #endif
23
24 #include "testutil.h"
25
/*
 * Lengths, in bytes, of the IV and key that test_secret() derives and
 * compares against the reference vectors.
 */
enum {
    IVLEN = 12,
    KEYLEN = 16
};
28
/*
 * The following are self-generated test vectors. This gives us very little
 * confidence that we've got the implementation right, but at least tells us
 * if we accidentally break something in the future. Until we can get some
 * other source of test vectors this is all we've got.
 * TODO(TLS1.3): As and when official vectors become available we should use
 * those, e.g. see
 * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
 * the time of writing these are not suitable because they are based on
 * draft -16, which works differently from the draft -19 vectors below.
 */
39
/*
 * Canned transcript hashes handed out by the mocked ssl_handshake_hash():
 * hs_start_hash while full_hash is 0, hs_full_hash once it is set.
 */
static unsigned char hs_start_hash[] = {
    0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
    0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
    0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
};

static unsigned char hs_full_hash[] = {
    0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
    0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
    0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
};

/* Expected early secret (generated with no input key material). */
static unsigned char early_secret[] = {
    0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
    0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
    0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
};

/* Input to tls13_generate_handshake_secret() and its expected output. */
static unsigned char ecdhe_secret[] = {
    0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
    0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
    0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
};

static unsigned char handshake_secret[] = {
    0xa4, 0xc6, 0x2e, 0x1c, 0x3c, 0xb8, 0x0a, 0xae, 0x34, 0x34, 0x0d, 0xb8, 0xfb,
    0x0d, 0xd5, 0x0d, 0x2d, 0x2f, 0x08, 0xa4, 0x54, 0x6b, 0xbb, 0x2e, 0x60, 0xc6,
    0x53, 0xac, 0xb3, 0xca, 0xf2, 0x87
};

/* Client handshake traffic secret ("hts") with its derived key and IV. */
static const char *client_hts_label = "client handshake traffic secret";

static unsigned char client_hts[] = {
    0xd7, 0x58, 0x9f, 0x10, 0xa8, 0x30, 0xf3, 0x85, 0x63, 0x6f, 0xd9, 0xb0, 0x61,
    0xd5, 0x20, 0x19, 0xb1, 0x45, 0x96, 0x82, 0x24, 0x8e, 0x36, 0x45, 0xf7, 0x5a,
    0xd7, 0x2f, 0x31, 0xec, 0x57, 0xf7
};

static unsigned char client_hts_key[] = {
    0xcc, 0x8b, 0xda, 0xbf, 0x83, 0x74, 0x2d, 0xf4, 0x53, 0x44, 0xff, 0xbc, 0xa4,
    0x43, 0xc8, 0x2a
};

static unsigned char client_hts_iv[] = {
    0xa4, 0x83, 0x46, 0x11, 0xc2, 0x78, 0xea, 0x0f, 0x94, 0x52, 0x1d, 0xca
};

/* Server handshake traffic secret with its derived key and IV. */
static const char *server_hts_label = "server handshake traffic secret";

static unsigned char server_hts[] = {
    0xba, 0x7c, 0x3b, 0x74, 0x0d, 0x1e, 0x84, 0x82, 0xd6, 0x6f, 0x3e, 0x5e, 0x1d,
    0x6e, 0x25, 0xdc, 0x87, 0x1f, 0x48, 0x74, 0x2f, 0x65, 0xa4, 0x40, 0x39, 0xda,
    0xdc, 0x02, 0x2a, 0x16, 0x19, 0x5c
};

static unsigned char server_hts_key[] = {
    0x7d, 0x22, 0x2a, 0x3f, 0x72, 0x37, 0x92, 0xd9, 0x95, 0x9a, 0xe1, 0x66, 0x32,
    0x6f, 0x0d, 0xc9
};

static unsigned char server_hts_iv[] = {
    0xa2, 0x73, 0xcd, 0x4e, 0x20, 0xe7, 0xe1, 0xe3, 0xcb, 0x0e, 0x18, 0x9e
};

/* Expected output of tls13_generate_master_secret(). */
static unsigned char master_secret[] = {
    0x9a, 0x2f, 0x36, 0xdc, 0x68, 0xab, 0x8f, 0x07, 0xef, 0x41, 0xea, 0x63, 0x39,
    0xfc, 0x46, 0x6b, 0x11, 0x24, 0xd6, 0xba, 0x6b, 0x8a, 0x92, 0x74, 0x61, 0xd3,
    0x64, 0x82, 0xc1, 0xc9, 0xc7, 0x0e
};

/* Client application traffic secret ("ats") with its derived key and IV. */
static const char *client_ats_label = "client application traffic secret";

static unsigned char client_ats[] = {
    0xc3, 0x60, 0x5f, 0xb3, 0xc4, 0x4b, 0xc2, 0x25, 0xd2, 0xaf, 0x36, 0xad, 0x99,
    0xa1, 0xcd, 0xcf, 0x71, 0xc4, 0xb9, 0xa2, 0x3d, 0xd2, 0x3e, 0xe6, 0xff, 0xca,
    0x2c, 0x71, 0x86, 0x3d, 0x1f, 0x85
};

static unsigned char client_ats_key[] = {
    0x3a, 0x25, 0x23, 0x12, 0xde, 0x0f, 0x53, 0xc7, 0xa0, 0xb2, 0xcf, 0x71, 0xb7,
    0x1a, 0x0d, 0xc7
};

static unsigned char client_ats_iv[] = {
    0xbd, 0x0d, 0x3c, 0x26, 0x9d, 0x2d, 0xa6, 0x52, 0x1b, 0x8d, 0x45, 0xef
};

/* Server application traffic secret with its derived key and IV. */
static const char *server_ats_label = "server application traffic secret";

static unsigned char server_ats[] = {
    0x27, 0x8d, 0x96, 0x76, 0x95, 0x9e, 0x3e, 0x39, 0xa4, 0xa9, 0xfc, 0x46, 0x9c,
    0x32, 0x9f, 0xe0, 0x29, 0x50, 0x22, 0x45, 0x39, 0x82, 0xdd, 0x1c, 0xc5, 0xfb,
    0xa9, 0x0a, 0x68, 0x29, 0x4e, 0x80
};

static unsigned char server_ats_key[] = {
    0x78, 0xbd, 0xd7, 0xc6, 0xb0, 0xf1, 0x50, 0x5e, 0xae, 0x54, 0xff, 0xa5, 0xf2,
    0xed, 0x0b, 0x77
};

static unsigned char server_ats_iv[] = {
    0xb1, 0x7b, 0x1c, 0xa2, 0xca, 0xbe, 0xe4, 0xac, 0xb5, 0xf3, 0x91, 0x7e
};
143
144 /* Mocked out implementations of various functions */
/*
 * Mock of ssl3_digest_cached_records(): does no work, ignores both arguments
 * and always returns 1.
 */
int ssl3_digest_cached_records(SSL *s, int keep)
{
    (void)s;
    (void)keep;

    return 1;
}
149
/*
 * Selects which canned transcript hash the mocked ssl_handshake_hash() hands
 * out: 0 selects hs_start_hash, non-zero selects hs_full_hash.
 */
static int full_hash = 0;

/*
 * Mock of ssl_handshake_hash(): copies a fixed transcript hash into |out| and
 * stores its length in |*hashlen|. |s| is ignored.
 *
 * Returns 0, writing nothing, when |outlen| is smaller than the hash or the
 * two canned hashes differ in size; returns 1 otherwise.
 */
int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                       size_t *hashlen)
{
    const unsigned char *digest;

    (void)s;

    /* Refuse to copy more than the caller's buffer can hold. */
    if (outlen < sizeof(hs_start_hash)
            || sizeof(hs_start_hash) != sizeof(hs_full_hash))
        return 0;

    /* Both hashes have the same size (checked above), so one length serves. */
    digest = full_hash ? hs_full_hash : hs_start_hash;
    memcpy(out, digest, sizeof(hs_start_hash));
    *hashlen = sizeof(hs_start_hash);

    return 1;
}
170
/*
 * Mock of ssl_handshake_md(): ignores |s| and always reports SHA-256 as the
 * handshake digest.
 */
const EVP_MD *ssl_handshake_md(SSL *s)
{
    const EVP_MD *sha256 = EVP_sha256();

    (void)s;

    return sha256;
}
175
/* Mock of RECORD_LAYER_reset_read_sequence(): deliberately does nothing. */
void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
{
    (void)rl;
}
179
/* Mock of RECORD_LAYER_reset_write_sequence(): deliberately does nothing. */
void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
{
    (void)rl;
}
183
/*
 * Mock of ssl_cipher_get_evp(): ignores every argument, writes none of the
 * output parameters and always returns 0.
 */
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                       const EVP_MD **md, int *mac_pkey_type,
                       size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
{
    (void)s;
    (void)enc;
    (void)md;
    (void)mac_pkey_type;
    (void)mac_secret_size;
    (void)comp;
    (void)use_etm;

    return 0;
}
191
/* Mock of tls1_alert_code(): returns |code| unchanged, with no translation. */
int tls1_alert_code(int code)
{
    int unchanged = code;

    return unchanged;
}
196
/*
 * Mock of ssl_log_secret(): the label and secret are discarded, nothing is
 * written anywhere, and success (1) is always returned.
 */
int ssl_log_secret(SSL *ssl,
                   const char *label,
                   const uint8_t *secret,
                   size_t secret_len)
{
    (void)ssl;
    (void)label;
    (void)secret;
    (void)secret_len;

    return 1;
}
204
/* Mock of ssl_md(): returns SHA-256 whatever digest index |idx| is passed. */
const EVP_MD *ssl_md(int idx)
{
    const EVP_MD *sha256 = EVP_sha256();

    (void)idx;

    return sha256;
}
209
210 /* End of mocked out code */
211
/*
 * Expand |prk| with |label| over the (mocked) handshake hash, then derive a
 * key and an IV from the resulting secret, comparing each of the three values
 * with its reference.
 *
 * |ref_secret| must hold at least as many bytes as the handshake hash,
 * |ref_key| at least KEYLEN and |ref_iv| at least IVLEN, since that many
 * bytes are read from each for the comparison.
 *
 * Returns 1 when secret, key and IV all match, 0 on any failure or mismatch.
 */
static int test_secret(SSL *s, unsigned char *prk,
                       const unsigned char *label, size_t labellen,
                       const unsigned char *ref_secret,
                       const unsigned char *ref_key, const unsigned char *ref_iv)
{
    unsigned char gensecret[EVP_MAX_MD_SIZE];
    unsigned char transcript[EVP_MAX_MD_SIZE];
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
    size_t hashsize;
    const EVP_MD *md = ssl_handshake_md(s);
    int ok = 0;

    if (!ssl_handshake_hash(s, transcript, sizeof(transcript), &hashsize)) {
        TEST_error("Failed to get hash");
        goto done;
    }

    /* Traffic secret: expanded from |prk| over the transcript hash. */
    if (!tls13_hkdf_expand(s, md, prk, label, labellen, transcript, gensecret,
                           hashsize)) {
        TEST_error("Secret generation failed");
        goto done;
    }
    if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
        goto done;

    /* Key derived from the traffic secret. */
    if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
        TEST_error("Key generation failed");
        goto done;
    }
    if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
        goto done;

    /* IV derived from the same traffic secret. */
    if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
        TEST_error("IV generation failed");
        goto done;
    }
    if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
        goto done;

    ok = 1;
 done:
    return ok;
}
256
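/*
 * Run the TLS 1.3 secret derivation end to end against the reference vectors:
 * early secret, handshake secret, client/server handshake traffic secrets,
 * master secret, then client/server application traffic secrets.
 *
 * The reference vectors are self-generated, so a pass shows only that the
 * derivation has not changed, not that it matches another implementation.
 *
 * Returns 1 on success, 0 on any failure.
 */
static int test_handshake_secrets(void)
{
    SSL_CTX *ctx = NULL;
    SSL *s = NULL;
    int ret = 0;
    int mdsize;
    size_t hashsize;
    unsigned char out_master_secret[EVP_MAX_MD_SIZE];
    size_t master_secret_length;

    /*
     * The mocked ssl_handshake_hash() is driven by a file-scope flag that this
     * test sets further down. Reset it here so the handshake traffic secrets
     * are always derived over hs_start_hash, even if the test runs again.
     */
    full_hash = 0;

    ctx = SSL_CTX_new(TLS_method());
    if (!TEST_ptr(ctx))
        goto err;

    s = SSL_new(ctx);
    if (!TEST_ptr(s))
        goto err;

    s->session = SSL_SESSION_new();
    if (!TEST_ptr(s->session))
        goto err;

    if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
                                         (unsigned char *)&s->early_secret))) {
        TEST_info("Early secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
                     early_secret, sizeof(early_secret))) {
        TEST_info("Early secret does not match");
        goto err;
    }

    if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
                                                   sizeof(ecdhe_secret)))) {
        TEST_info("Handshake secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
                     handshake_secret, sizeof(handshake_secret))) {
        TEST_info("Handshake secret does not match");
        goto err;
    }

    /*
     * EVP_MD_size() returns an int and reports failure with a negative value;
     * reject that before it is converted to size_t and used as a length.
     */
    mdsize = EVP_MD_size(ssl_handshake_md(s));
    if (!TEST_true(mdsize > 0))
        goto err;
    hashsize = (size_t)mdsize;

    /*
     * test_secret() reads hashsize, KEYLEN and IVLEN bytes from the reference
     * arrays, so confirm each array has exactly that size before calling it.
     */
    if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)client_hts_label,
                               strlen(client_hts_label), client_hts,
                               client_hts_key, client_hts_iv))) {
        TEST_info("Client handshake secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (unsigned char *)server_hts_label,
                               strlen(server_hts_label), server_hts,
                               server_hts_key, server_hts_iv))) {
        TEST_info("Server handshake secret test failed");
        goto err;
    }

    /*
     * Ensure the mocked out ssl_handshake_hash() returns the full handshake
     * hash.
     */
    full_hash = 1;

    if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
                                                s->handshake_secret, hashsize,
                                                &master_secret_length))) {
        TEST_info("Master secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(out_master_secret, master_secret_length,
                     master_secret, sizeof(master_secret))) {
        TEST_info("Master secret does not match");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)client_ats_label,
                               strlen(client_ats_label), client_ats,
                               client_ats_key, client_ats_iv))) {
        TEST_info("Client application data secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (unsigned char *)server_ats_label,
                               strlen(server_ats_label), server_ats,
                               server_ats_key, server_ats_iv))) {
        TEST_info("Server application data secret test failed");
        goto err;
    }

    ret = 1;
 err:
    /* Both are NULL if creation failed before they were assigned. */
    SSL_free(s);
    SSL_CTX_free(ctx);
    return ret;
}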
386
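/*
 * Register this file's test case with the test harness. Declared with (void)
 * so the definition is a proper prototype rather than an old-style empty
 * parameter list.
 */
void register_tests(void)
{
    ADD_TEST(test_handshake_secrets);
}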