test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #ifdef __VMS
  14 # pragma names save
  15 # pragma names as_is,shortened
  16 #endif
  17
  18 #include "../ssl/ssl_locl.h"
  19
  20 #ifdef __VMS
  21 # pragma names restore
  22 #endif
  23
  24 #include "testutil.h"
  25
  26 #define IVLEN   12
  27 #define KEYLEN  16
  28
  29 /* The following are self-generated test vectors. This gives us very little
  30  * confidence that we've got the implementation right, but at least tells us
  31  * if we accidentally  break something in the future. Until we can get some
  32  * other source of test vectors this is all we've got.
  33  * TODO(TLS1.3): As and when official vectors become available we should use
  34  * those, e.g. see
  35  * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
  36  * the time of writing these are not suitable because they are based on
  37  * draft -16, which works differently to the draft -20 vectors below.
  38  */
  39
  40 static unsigned char hs_start_hash[] = {
  41 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
  42 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
  43 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
  44 };
  45
  46 static unsigned char hs_full_hash[] = {
  47 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
  48 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
  49 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
  50 };
  51
  52 static unsigned char early_secret[] = {
  53 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  54 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  55 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  56 };
  57
  58 static unsigned char ecdhe_secret[] = {
  59 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
  60 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
  61 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
  62 };
  63
  64 static unsigned char handshake_secret[] = {
  65 0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28,
  66 0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a,
  67 0x81, 0x33, 0x86, 0x58, 0x7f, 0x46
  68 };
  69
  70 static const char *client_hts_label = "c hs traffic";
  71
  72 static unsigned char client_hts[] = {
  73 0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
  74 0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
  75 0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
  76 };
  77
  78 static unsigned char client_hts_key[] = {
  79 0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
  80 0x95, 0x85, 0xa7
  81 };
  82
  83 static unsigned char client_hts_iv[] = {
  84 0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
  85 };
  86
  87 static const char *server_hts_label = "s hs traffic";
  88
  89 static unsigned char server_hts[] = {
  90 0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
  91 0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
  92 0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
  93 };
  94
  95 static unsigned char server_hts_key[] = {
  96 0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
  97 0xbc, 0xbc, 0x54
  98 };
  99
 100 static unsigned char server_hts_iv[] = {
 101 0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
 102 };
 103
 104 static unsigned char master_secret[] = {
 105 0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56,
 106 0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49,
 107 0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8
 108 };
 109
 110 static const char *client_ats_label = "c ap traffic";
 111
 112 static unsigned char client_ats[] = {
 113 0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
 114 0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
 115 0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
 116 };
 117
 118 static unsigned char client_ats_key[] = {
 119 0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
 120 0xd7, 0x57, 0x2e
 121 };
 122
 123 static unsigned char client_ats_iv[] = {
 124 0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
 125 };
 126
 127 static const char *server_ats_label = "s ap traffic";
 128
 129 static unsigned char server_ats[] = {
 130 0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
 131 0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
 132 0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
 133 };
 134
 135 static unsigned char server_ats_key[] = {
 136 0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
 137 0xe6, 0x2b, 0xb3
 138 };
 139
 140 static unsigned char server_ats_iv[] = {
 141 0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
 142 };
 143
 144 /* Mocked out implementations of various functions */
 145 int ssl3_digest_cached_records(SSL *s, int keep)
 146 {
 147     return 1;
 148 }
 149
 150 static int full_hash = 0;
 151
 152 /* Give a hash of the currently set handshake */
 153 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 154                        size_t *hashlen)
 155 {
 156     if (sizeof(hs_start_hash) > outlen
 157             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 158         return 0;
 159
 160     if (full_hash) {
 161         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 162         *hashlen = sizeof(hs_full_hash);
 163     } else {
 164         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 165         *hashlen = sizeof(hs_start_hash);
 166     }
 167
 168     return 1;
 169 }
 170
 171 const EVP_MD *ssl_handshake_md(SSL *s)
 172 {
 173     return EVP_sha256();
 174 }
 175
 176 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 177 {
 178 }
 179
 180 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 181 {
 182 }
 183
 184 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 185                        const EVP_MD **md, int *mac_pkey_type,
 186                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 187
 188 {
 189     return 0;
 190 }
 191
 192 int tls1_alert_code(int code)
 193 {
 194     return code;
 195 }
 196
 197 int ssl_log_secret(SSL *ssl,
 198                    const char *label,
 199                    const uint8_t *secret,
 200                    size_t secret_len)
 201 {
 202     return 1;
 203 }
 204
 205 const EVP_MD *ssl_md(int idx)
 206 {
 207     return EVP_sha256();
 208 }
 209
 210 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 211                            int line)
 212 {
 213 }
 214
 215 int ossl_statem_export_allowed(SSL *s)
 216 {
 217     return 1;
 218 }
 219
 220 int ossl_statem_export_early_allowed(SSL *s)
 221 {
 222     return 1;
 223 }
 224
 225 /* End of mocked out code */
 226
 227 static int test_secret(SSL *s, unsigned char *prk,
 228                        const unsigned char *label, size_t labellen,
 229                        const unsigned char *ref_secret,
 230                        const unsigned char *ref_key, const unsigned char *ref_iv)
 231 {
 232     size_t hashsize;
 233     unsigned char gensecret[EVP_MAX_MD_SIZE];
 234     unsigned char hash[EVP_MAX_MD_SIZE];
 235     unsigned char key[KEYLEN];
 236     unsigned char iv[IVLEN];
 237     const EVP_MD *md = ssl_handshake_md(s);
 238
 239     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 240         TEST_error("Failed to get hash");
 241         return 0;
 242     }
 243
 244     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 245                            gensecret, hashsize)) {
 246         TEST_error("Secret generation failed");
 247         return 0;
 248     }
 249
 250     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 251         return 0;
 252
 253     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 254         TEST_error("Key generation failed");
 255         return 0;
 256     }
 257
 258     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 259         return 0;
 260
 261     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 262         TEST_error("IV generation failed");
 263         return 0;
 264     }
 265
 266     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 267         return 0;
 268
 269     return 1;
 270 }
 271
 272 static int test_handshake_secrets(void)
 273 {
 274     SSL_CTX *ctx = NULL;
 275     SSL *s = NULL;
 276     int ret = 0;
 277     size_t hashsize;
 278     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 279     size_t master_secret_length;
 280
 281     ctx = SSL_CTX_new(TLS_method());
 282     if (!TEST_ptr(ctx))
 283         goto err;
 284
 285     s = SSL_new(ctx);
 286     if (!TEST_ptr(s ))
 287         goto err;
 288
 289     s->session = SSL_SESSION_new();
 290     if (!TEST_ptr(s->session))
 291         goto err;
 292
 293     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 294                                          (unsigned char *)&s->early_secret))) {
 295         TEST_info("Early secret generation failed");
 296         goto err;
 297     }
 298
 299     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 300                      early_secret, sizeof(early_secret))) {
 301         TEST_info("Early secret does not match");
 302         goto err;
 303     }
 304
 305     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 306                                                    sizeof(ecdhe_secret)))) {
 307         TEST_info("Handshake secret generation failed");
 308         goto err;
 309     }
 310
 311     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 312                      handshake_secret, sizeof(handshake_secret)))
 313         goto err;
 314
 315     hashsize = EVP_MD_size(ssl_handshake_md(s));
 316     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 317         goto err;
 318     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 319         goto err;
 320     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 321         goto err;
 322
 323     if (!TEST_true(test_secret(s, s->handshake_secret,
 324                                (unsigned char *)client_hts_label,
 325                                strlen(client_hts_label), client_hts,
 326                                client_hts_key, client_hts_iv))) {
 327         TEST_info("Client handshake secret test failed");
 328         goto err;
 329     }
 330
 331     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 332         goto err;
 333     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 334         goto err;
 335     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 336         goto err;
 337
 338     if (!TEST_true(test_secret(s, s->handshake_secret,
 339                                (unsigned char *)server_hts_label,
 340                                strlen(server_hts_label), server_hts,
 341                                server_hts_key, server_hts_iv))) {
 342         TEST_info("Server handshake secret test failed");
 343         goto err;
 344     }
 345
 346     /*
 347      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 348      * hash.
 349      */
 350     full_hash = 1;
 351
 352     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 353                                                 s->handshake_secret, hashsize,
 354                                                 &master_secret_length))) {
 355         TEST_info("Master secret generation failed");
 356         goto err;
 357     }
 358
 359     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 360                      master_secret, sizeof(master_secret))) {
 361         TEST_info("Master secret does not match");
 362         goto err;
 363     }
 364
 365     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 366         goto err;
 367     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 368         goto err;
 369     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 370         goto err;
 371
 372     if (!TEST_true(test_secret(s, out_master_secret,
 373                                (unsigned char *)client_ats_label,
 374                                strlen(client_ats_label), client_ats,
 375                                client_ats_key, client_ats_iv))) {
 376         TEST_info("Client application data secret test failed");
 377         goto err;
 378     }
 379
 380     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 381         goto err;
 382     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 383         goto err;
 384     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 385         goto err;
 386
 387     if (!TEST_true(test_secret(s, out_master_secret,
 388                                (unsigned char *)server_ats_label,
 389                                strlen(server_ats_label), server_ats,
 390                                server_ats_key, server_ats_iv))) {
 391         TEST_info("Server application data secret test failed");
 392         goto err;
 393     }
 394
 395     ret = 1;
 396  err:
 397     SSL_free(s);
 398     SSL_CTX_free(ctx);
 399     return ret;
 400 }
 401
 402 int setup_tests(void)
 403 {
 404     ADD_TEST(test_handshake_secrets);
 405     return 1;
 406 }