Return a fatal error if application data is encountered during shutdown
[openssl.git] / test / tls13secretstest.c
1 /*
2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #ifdef __VMS
14 # pragma names save
15 # pragma names as_is,shortened
16 #endif
17
18 #include "../ssl/ssl_locl.h"
19
20 #ifdef __VMS
21 # pragma names restore
22 #endif
23
24 #include "testutil.h"
25
26 #define IVLEN   12
27 #define KEYLEN  16
28
29 /* The following are self-generated test vectors. This gives us very little
30  * confidence that we've got the implementation right, but at least tells us
31  * if we accidentally  break something in the future. Until we can get some
32  * other source of test vectors this is all we've got.
33  * TODO(TLS1.3): As and when official vectors become available we should use
34  * those, e.g. see
35  * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
36  * the time of writing these are not suitable because they are based on
37  * draft -16, which works differently to the draft -20 vectors below.
38  */
39
40 static unsigned char hs_start_hash[] = {
41 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
42 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
43 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
44 };
45
46 static unsigned char hs_full_hash[] = {
47 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
48 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
49 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
50 };
51
52 static unsigned char early_secret[] = {
53 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
54 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
55 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
56 };
57
58 static unsigned char ecdhe_secret[] = {
59 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
60 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
61 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
62 };
63
64 static unsigned char handshake_secret[] = {
65 0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28,
66 0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a,
67 0x81, 0x33, 0x86, 0x58, 0x7f, 0x46
68 };
69
70 static const char *client_hts_label = "c hs traffic";
71
72 static unsigned char client_hts[] = {
73 0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
74 0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
75 0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
76 };
77
78 static unsigned char client_hts_key[] = {
79 0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
80 0x95, 0x85, 0xa7
81 };
82
83 static unsigned char client_hts_iv[] = {
84 0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
85 };
86
87 static const char *server_hts_label = "s hs traffic";
88
89 static unsigned char server_hts[] = {
90 0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
91 0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
92 0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
93 };
94
95 static unsigned char server_hts_key[] = {
96 0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
97 0xbc, 0xbc, 0x54
98 };
99
100 static unsigned char server_hts_iv[] = {
101 0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
102 };
103
104 static unsigned char master_secret[] = {
105 0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56,
106 0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49,
107 0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8
108 };
109
110 static const char *client_ats_label = "c ap traffic";
111
112 static unsigned char client_ats[] = {
113 0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
114 0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
115 0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
116 };
117
118 static unsigned char client_ats_key[] = {
119 0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
120 0xd7, 0x57, 0x2e
121 };
122
123 static unsigned char client_ats_iv[] = {
124 0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
125 };
126
127 static const char *server_ats_label = "s ap traffic";
128
129 static unsigned char server_ats[] = {
130 0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
131 0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
132 0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
133 };
134
135 static unsigned char server_ats_key[] = {
136 0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
137 0xe6, 0x2b, 0xb3
138 };
139
140 static unsigned char server_ats_iv[] = {
141 0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
142 };
143
144 /* Mocked out implementations of various functions */
145 int ssl3_digest_cached_records(SSL *s, int keep)
146 {
147     return 1;
148 }
149
150 static int full_hash = 0;
151
152 /* Give a hash of the currently set handshake */
153 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
154                        size_t *hashlen)
155 {
156     if (sizeof(hs_start_hash) > outlen
157             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
158         return 0;
159
160     if (full_hash) {
161         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
162         *hashlen = sizeof(hs_full_hash);
163     } else {
164         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
165         *hashlen = sizeof(hs_start_hash);
166     }
167
168     return 1;
169 }
170
171 const EVP_MD *ssl_handshake_md(SSL *s)
172 {
173     return EVP_sha256();
174 }
175
176 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
177 {
178 }
179
180 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
181 {
182 }
183
184 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
185                        const EVP_MD **md, int *mac_pkey_type,
186                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
187
188 {
189     return 0;
190 }
191
192 int tls1_alert_code(int code)
193 {
194     return code;
195 }
196
197 int ssl_log_secret(SSL *ssl,
198                    const char *label,
199                    const uint8_t *secret,
200                    size_t secret_len)
201 {
202     return 1;
203 }
204
205 const EVP_MD *ssl_md(int idx)
206 {
207     return EVP_sha256();
208 }
209
210 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
211                            int line)
212 {
213 }
214
215 int ossl_statem_export_allowed(SSL *s)
216 {
217     return 1;
218 }
219
220 int ossl_statem_export_early_allowed(SSL *s)
221 {
222     return 1;
223 }
224
225 /* End of mocked out code */
226
227 static int test_secret(SSL *s, unsigned char *prk,
228                        const unsigned char *label, size_t labellen,
229                        const unsigned char *ref_secret,
230                        const unsigned char *ref_key, const unsigned char *ref_iv)
231 {
232     size_t hashsize;
233     unsigned char gensecret[EVP_MAX_MD_SIZE];
234     unsigned char hash[EVP_MAX_MD_SIZE];
235     unsigned char key[KEYLEN];
236     unsigned char iv[IVLEN];
237     const EVP_MD *md = ssl_handshake_md(s);
238
239     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
240         TEST_error("Failed to get hash");
241         return 0;
242     }
243
244     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
245                            gensecret, hashsize)) {
246         TEST_error("Secret generation failed");
247         return 0;
248     }
249
250     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
251         return 0;
252
253     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
254         TEST_error("Key generation failed");
255         return 0;
256     }
257
258     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
259         return 0;
260
261     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
262         TEST_error("IV generation failed");
263         return 0;
264     }
265
266     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
267         return 0;
268
269     return 1;
270 }
271
272 static int test_handshake_secrets(void)
273 {
274     SSL_CTX *ctx = NULL;
275     SSL *s = NULL;
276     int ret = 0;
277     size_t hashsize;
278     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
279     size_t master_secret_length;
280
281     ctx = SSL_CTX_new(TLS_method());
282     if (!TEST_ptr(ctx))
283         goto err;
284
285     s = SSL_new(ctx);
286     if (!TEST_ptr(s ))
287         goto err;
288
289     s->session = SSL_SESSION_new();
290     if (!TEST_ptr(s->session))
291         goto err;
292
293     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
294                                          (unsigned char *)&s->early_secret))) {
295         TEST_info("Early secret generation failed");
296         goto err;
297     }
298
299     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
300                      early_secret, sizeof(early_secret))) {
301         TEST_info("Early secret does not match");
302         goto err;
303     }
304
305     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
306                                                    sizeof(ecdhe_secret)))) {
307         TEST_info("Handshake secret generation failed");
308         goto err;
309     }
310
311     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
312                      handshake_secret, sizeof(handshake_secret)))
313         goto err;
314
315     hashsize = EVP_MD_size(ssl_handshake_md(s));
316     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
317         goto err;
318     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
319         goto err;
320     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
321         goto err;
322
323     if (!TEST_true(test_secret(s, s->handshake_secret,
324                                (unsigned char *)client_hts_label,
325                                strlen(client_hts_label), client_hts,
326                                client_hts_key, client_hts_iv))) {
327         TEST_info("Client handshake secret test failed");
328         goto err;
329     }
330
331     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
332         goto err;
333     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
334         goto err;
335     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
336         goto err;
337
338     if (!TEST_true(test_secret(s, s->handshake_secret,
339                                (unsigned char *)server_hts_label,
340                                strlen(server_hts_label), server_hts,
341                                server_hts_key, server_hts_iv))) {
342         TEST_info("Server handshake secret test failed");
343         goto err;
344     }
345
346     /*
347      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
348      * hash.
349      */
350     full_hash = 1;
351
352     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
353                                                 s->handshake_secret, hashsize,
354                                                 &master_secret_length))) {
355         TEST_info("Master secret generation failed");
356         goto err;
357     }
358
359     if (!TEST_mem_eq(out_master_secret, master_secret_length,
360                      master_secret, sizeof(master_secret))) {
361         TEST_info("Master secret does not match");
362         goto err;
363     }
364
365     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
366         goto err;
367     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
368         goto err;
369     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
370         goto err;
371
372     if (!TEST_true(test_secret(s, out_master_secret,
373                                (unsigned char *)client_ats_label,
374                                strlen(client_ats_label), client_ats,
375                                client_ats_key, client_ats_iv))) {
376         TEST_info("Client application data secret test failed");
377         goto err;
378     }
379
380     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
381         goto err;
382     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
383         goto err;
384     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
385         goto err;
386
387     if (!TEST_true(test_secret(s, out_master_secret,
388                                (unsigned char *)server_ats_label,
389                                strlen(server_ats_label), server_ats,
390                                server_ats_key, server_ats_iv))) {
391         TEST_info("Server application data secret test failed");
392         goto err;
393     }
394
395     ret = 1;
396  err:
397     SSL_free(s);
398     SSL_CTX_free(ctx);
399     return ret;
400 }
401
402 int setup_tests(void)
403 {
404     ADD_TEST(test_handshake_secrets);
405     return 1;
406 }