test/tls13secretstest.c

   1 /*
   2  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12 #include "../ssl/ssl_locl.h"
  13
  14 #include "testutil.h"
  15 #include "test_main.h"
  16
  17 #define IVLEN   12
  18 #define KEYLEN  16
  19
  20 /* The following are self-generated test vectors. This gives us very little
  21  * confidence that we've got the implementation right, but at least tells us
  22  * if we accidentally  break something in the future. Until we can get some
  23  * other source of test vectors this is all we've got.
  24  * TODO(TLS1.3): As and when official vectors become available we should use
  25  * those, e.g. see
  26  * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
  27  * the time of writing these are not suitable because they are based on
  28  * draft -16, which works differently to the draft -19 vectors below.
  29  */
  30
  31 static unsigned char hs_start_hash[] = {
  32 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
  33 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
  34 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
  35 };
  36
  37 static unsigned char hs_full_hash[] = {
  38 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
  39 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
  40 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
  41 };
  42
  43 static unsigned char early_secret[] = {
  44 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  45 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  46 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  47 };
  48
  49 static unsigned char ecdhe_secret[] = {
  50 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
  51 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
  52 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
  53 };
  54
  55 static unsigned char handshake_secret[] = {
  56 0xa4, 0xc6, 0x2e, 0x1c, 0x3c, 0xb8, 0x0a, 0xae, 0x34, 0x34, 0x0d, 0xb8, 0xfb,
  57 0x0d, 0xd5, 0x0d, 0x2d, 0x2f, 0x08, 0xa4, 0x54, 0x6b, 0xbb, 0x2e, 0x60, 0xc6,
  58 0x53, 0xac, 0xb3, 0xca, 0xf2, 0x87
  59 };
  60
  61 static const char *client_hts_label = "client handshake traffic secret";
  62
  63 static unsigned char client_hts[] = {
  64 0xd7, 0x58, 0x9f, 0x10, 0xa8, 0x30, 0xf3, 0x85, 0x63, 0x6f, 0xd9, 0xb0, 0x61,
  65 0xd5, 0x20, 0x19, 0xb1, 0x45, 0x96, 0x82, 0x24, 0x8e, 0x36, 0x45, 0xf7, 0x5a,
  66 0xd7, 0x2f, 0x31, 0xec, 0x57, 0xf7
  67 };
  68
  69 static unsigned char client_hts_key[] = {
  70 0xcc, 0x8b, 0xda, 0xbf, 0x83, 0x74, 0x2d, 0xf4, 0x53, 0x44, 0xff, 0xbc, 0xa4,
  71 0x43, 0xc8, 0x2a
  72 };
  73
  74 static unsigned char client_hts_iv[] = {
  75 0xa4, 0x83, 0x46, 0x11, 0xc2, 0x78, 0xea, 0x0f, 0x94, 0x52, 0x1d, 0xca
  76 };
  77
  78 static const char *server_hts_label = "server handshake traffic secret";
  79
  80 static unsigned char server_hts[] = {
  81 0xba, 0x7c, 0x3b, 0x74, 0x0d, 0x1e, 0x84, 0x82, 0xd6, 0x6f, 0x3e, 0x5e, 0x1d,
  82 0x6e, 0x25, 0xdc, 0x87, 0x1f, 0x48, 0x74, 0x2f, 0x65, 0xa4, 0x40, 0x39, 0xda,
  83 0xdc, 0x02, 0x2a, 0x16, 0x19, 0x5c
  84 };
  85
  86 static unsigned char server_hts_key[] = {
  87 0x7d, 0x22, 0x2a, 0x3f, 0x72, 0x37, 0x92, 0xd9, 0x95, 0x9a, 0xe1, 0x66, 0x32,
  88 0x6f, 0x0d, 0xc9
  89 };
  90
  91 static unsigned char server_hts_iv[] = {
  92 0xa2, 0x73, 0xcd, 0x4e, 0x20, 0xe7, 0xe1, 0xe3, 0xcb, 0x0e, 0x18, 0x9e
  93 };
  94
  95 static unsigned char master_secret[] = {
  96 0x9a, 0x2f, 0x36, 0xdc, 0x68, 0xab, 0x8f, 0x07, 0xef, 0x41, 0xea, 0x63, 0x39,
  97 0xfc, 0x46, 0x6b, 0x11, 0x24, 0xd6, 0xba, 0x6b, 0x8a, 0x92, 0x74, 0x61, 0xd3,
  98 0x64, 0x82, 0xc1, 0xc9, 0xc7, 0x0e
  99 };
 100
 101 static const char *client_ats_label = "client application traffic secret";
 102
 103 static unsigned char client_ats[] = {
 104 0xc3, 0x60, 0x5f, 0xb3, 0xc4, 0x4b, 0xc2, 0x25, 0xd2, 0xaf, 0x36, 0xad, 0x99,
 105 0xa1, 0xcd, 0xcf, 0x71, 0xc4, 0xb9, 0xa2, 0x3d, 0xd2, 0x3e, 0xe6, 0xff, 0xca,
 106 0x2c, 0x71, 0x86, 0x3d, 0x1f, 0x85
 107 };
 108
 109 static unsigned char client_ats_key[] = {
 110 0x3a, 0x25, 0x23, 0x12, 0xde, 0x0f, 0x53, 0xc7, 0xa0, 0xb2, 0xcf, 0x71, 0xb7,
 111 0x1a, 0x0d, 0xc7
 112 };
 113
 114 static unsigned char client_ats_iv[] = {
 115 0xbd, 0x0d, 0x3c, 0x26, 0x9d, 0x2d, 0xa6, 0x52, 0x1b, 0x8d, 0x45, 0xef
 116 };
 117
 118 static const char *server_ats_label = "server application traffic secret";
 119
 120 static unsigned char server_ats[] = {
 121 0x27, 0x8d, 0x96, 0x76, 0x95, 0x9e, 0x3e, 0x39, 0xa4, 0xa9, 0xfc, 0x46, 0x9c,
 122 0x32, 0x9f, 0xe0, 0x29, 0x50, 0x22, 0x45, 0x39, 0x82, 0xdd, 0x1c, 0xc5, 0xfb,
 123 0xa9, 0x0a, 0x68, 0x29, 0x4e, 0x80
 124 };
 125
 126 static unsigned char server_ats_key[] = {
 127 0x78, 0xbd, 0xd7, 0xc6, 0xb0, 0xf1, 0x50, 0x5e, 0xae, 0x54, 0xff, 0xa5, 0xf2,
 128 0xed, 0x0b, 0x77
 129 };
 130
 131 static unsigned char server_ats_iv[] = {
 132 0xb1, 0x7b, 0x1c, 0xa2, 0xca, 0xbe, 0xe4, 0xac, 0xb5, 0xf3, 0x91, 0x7e
 133 };
 134
 135 /* Mocked out implementations of various functions */
 136 int ssl3_digest_cached_records(SSL *s, int keep)
 137 {
 138     return 1;
 139 }
 140
 141 static int full_hash = 0;
 142
 143 /* Give a hash of the currently set handshake */
 144 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 145                        size_t *hashlen)
 146 {
 147     if (sizeof(hs_start_hash) > outlen
 148             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 149         return 0;
 150
 151     if (full_hash) {
 152         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 153         *hashlen = sizeof(hs_full_hash);
 154     } else {
 155         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 156         *hashlen = sizeof(hs_start_hash);
 157     }
 158
 159     return 1;
 160 }
 161
 162 const EVP_MD *ssl_handshake_md(SSL *s)
 163 {
 164     return EVP_sha256();
 165 }
 166
 167 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 168 {
 169 }
 170
 171 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 172 {
 173 }
 174
 175 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 176                        const EVP_MD **md, int *mac_pkey_type,
 177                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 178
 179 {
 180     return 0;
 181 }
 182
 183 int tls1_alert_code(int code)
 184 {
 185     return code;
 186 }
 187
 188 int ssl_log_secret(SSL *ssl,
 189                    const char *label,
 190                    const uint8_t *secret,
 191                    size_t secret_len)
 192 {
 193     return 1;
 194 }
 195
 196 const EVP_MD *ssl_md(int idx)
 197 {
 198     return EVP_sha256();
 199 }
 200
 201 /* End of mocked out code */
 202
 203 static int test_secret(SSL *s, unsigned char *prk,
 204                        const unsigned char *label, size_t labellen,
 205                        const unsigned char *ref_secret,
 206                        const unsigned char *ref_key, const unsigned char *ref_iv)
 207 {
 208     size_t hashsize;
 209     unsigned char gensecret[EVP_MAX_MD_SIZE];
 210     unsigned char hash[EVP_MAX_MD_SIZE];
 211     unsigned char key[KEYLEN];
 212     unsigned char iv[IVLEN];
 213     const EVP_MD *md = ssl_handshake_md(s);
 214
 215     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 216         TEST_error("Failed to get hash");
 217         return 0;
 218     }
 219
 220     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret,
 221                            hashsize)) {
 222         TEST_error("Secret generation failed");
 223         return 0;
 224     }
 225
 226     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 227         return 0;
 228
 229     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 230         TEST_error("Key generation failed");
 231         return 0;
 232     }
 233
 234     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 235         return 0;
 236
 237     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 238         TEST_error("IV generation failed");
 239         return 0;
 240     }
 241
 242     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 243         return 0;
 244
 245     return 1;
 246 }
 247
 248 static int test_handshake_secrets(void)
 249 {
 250     SSL_CTX *ctx = NULL;
 251     SSL *s = NULL;
 252     int ret = 0;
 253     size_t hashsize;
 254     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 255     size_t master_secret_length;
 256
 257     ctx = SSL_CTX_new(TLS_method());
 258     if (!TEST_ptr(ctx))
 259         goto err;
 260
 261     s = SSL_new(ctx);
 262     if (!TEST_ptr(s ))
 263         goto err;
 264
 265     s->session = SSL_SESSION_new();
 266     if (!TEST_ptr(s->session))
 267         goto err;
 268
 269     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 270                                          (unsigned char *)&s->early_secret))) {
 271         TEST_info("Early secret generation failed");
 272         goto err;
 273     }
 274
 275     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 276                      early_secret, sizeof(early_secret))) {
 277         TEST_info("Early secret does not match");
 278         goto err;
 279     }
 280
 281     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 282                                                    sizeof(ecdhe_secret)))) {
 283         TEST_info("Hanshake secret generation failed");
 284         goto err;
 285     }
 286
 287     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 288                      handshake_secret, sizeof(handshake_secret)))
 289         goto err;
 290
 291     hashsize = EVP_MD_size(ssl_handshake_md(s));
 292     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 293         goto err;
 294     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 295         goto err;
 296     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 297         goto err;
 298
 299     if (!TEST_true(test_secret(s, s->handshake_secret,
 300                                (unsigned char *)client_hts_label,
 301                                strlen(client_hts_label), client_hts,
 302                                client_hts_key, client_hts_iv))) {
 303         TEST_info("Client handshake secret test failed");
 304         goto err;
 305     }
 306
 307     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 308         goto err;
 309     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 310         goto err;
 311     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 312         goto err;
 313
 314     if (!TEST_true(test_secret(s, s->handshake_secret,
 315                                (unsigned char *)server_hts_label,
 316                                strlen(server_hts_label), server_hts,
 317                                server_hts_key, server_hts_iv))) {
 318         TEST_info("Server handshake secret test failed");
 319         goto err;
 320     }
 321
 322     /*
 323      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 324      * hash.
 325      */
 326     full_hash = 1;
 327
 328     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 329                                                 s->handshake_secret, hashsize,
 330                                                 &master_secret_length))) {
 331         TEST_info("Master secret generation failed");
 332         goto err;
 333     }
 334
 335     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 336                      master_secret, sizeof(master_secret))) {
 337         TEST_info("Master secret does not match");
 338         goto err;
 339     }
 340
 341     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 342         goto err;
 343     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 344         goto err;
 345     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 346         goto err;
 347
 348     if (!TEST_true(test_secret(s, out_master_secret,
 349                                (unsigned char *)client_ats_label,
 350                                strlen(client_ats_label), client_ats,
 351                                client_ats_key, client_ats_iv))) {
 352         TEST_info("Client application data secret test failed");
 353         goto err;
 354     }
 355
 356     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 357         goto err;
 358     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 359         goto err;
 360     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 361         goto err;
 362
 363     if (!TEST_true(test_secret(s, out_master_secret,
 364                                (unsigned char *)server_ats_label,
 365                                strlen(server_ats_label), server_ats,
 366                                server_ats_key, server_ats_iv))) {
 367         TEST_info("Server application data secret test failed");
 368         goto err;
 369     }
 370
 371     ret = 1;
 372  err:
 373     SSL_free(s);
 374     SSL_CTX_free(ctx);
 375     return ret;
 376 }
 377
 378 void register_tests()
 379 {
 380     ADD_TEST(test_handshake_secrets);
 381 }