test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the OpenSSL license (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #ifdef __VMS
  14 # pragma names save
  15 # pragma names as_is,shortened
  16 #endif
  17
  18 #include "../ssl/ssl_locl.h"
  19
  20 #ifdef __VMS
  21 # pragma names restore
  22 #endif
  23
  24 #include "testutil.h"
  25
  26 #define IVLEN   12
  27 #define KEYLEN  16
  28
  29 /*
  30  * Based on the test vectors availble in:
  31  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
  32  */
  33
  34 static unsigned char hs_start_hash[] = {
  35 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
  36 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
  37 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
  38 };
  39
  40 static unsigned char hs_full_hash[] = {
  41 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
  42 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
  43 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
  44 };
  45
  46 static unsigned char early_secret[] = {
  47 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  48 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  49 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  50 };
  51
  52 static unsigned char ecdhe_secret[] = {
  53 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
  54 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
  55 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
  56 };
  57
  58 static unsigned char handshake_secret[] = {
  59 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
  60 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
  61 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
  62 };
  63
  64 static const char *client_hts_label = "c hs traffic";
  65
  66 static unsigned char client_hts[] = {
  67 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
  68 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
  69 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
  70 };
  71
  72 static unsigned char client_hts_key[] = {
  73 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
  74 0xad, 0x26, 0x49
  75 };
  76
  77 static unsigned char client_hts_iv[] = {
  78 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
  79 };
  80
  81 static const char *server_hts_label = "s hs traffic";
  82
  83 static unsigned char server_hts[] = {
  84 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
  85 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
  86 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
  87 };
  88
  89 static unsigned char server_hts_key[] = {
  90 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
  91 0x11, 0xac, 0x8b
  92 };
  93
  94 static unsigned char server_hts_iv[] = {
  95 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
  96 };
  97
  98 static unsigned char master_secret[] = {
  99 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
 100 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
 101 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
 102 };
 103
 104 static const char *client_ats_label = "c ap traffic";
 105
 106 static unsigned char client_ats[] = {
 107 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
 108 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
 109 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
 110 };
 111
 112 static unsigned char client_ats_key[] = {
 113 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
 114 0xce, 0x5c, 0x87
 115 };
 116
 117 static unsigned char client_ats_iv[] = {
 118 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
 119 };
 120
 121 static const char *server_ats_label = "s ap traffic";
 122
 123 static unsigned char server_ats[] = {
 124 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
 125 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
 126 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
 127 };
 128
 129 static unsigned char server_ats_key[] = {
 130 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
 131 0x4b, 0x9b, 0x7d
 132 };
 133
 134 static unsigned char server_ats_iv[] = {
 135 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
 136 };
 137
 138 /* Mocked out implementations of various functions */
 139 int ssl3_digest_cached_records(SSL *s, int keep)
 140 {
 141     return 1;
 142 }
 143
 144 static int full_hash = 0;
 145
 146 /* Give a hash of the currently set handshake */
 147 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 148                        size_t *hashlen)
 149 {
 150     if (sizeof(hs_start_hash) > outlen
 151             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 152         return 0;
 153
 154     if (full_hash) {
 155         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 156         *hashlen = sizeof(hs_full_hash);
 157     } else {
 158         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 159         *hashlen = sizeof(hs_start_hash);
 160     }
 161
 162     return 1;
 163 }
 164
 165 const EVP_MD *ssl_handshake_md(SSL *s)
 166 {
 167     return EVP_sha256();
 168 }
 169
 170 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 171 {
 172 }
 173
 174 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 175 {
 176 }
 177
 178 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 179                        const EVP_MD **md, int *mac_pkey_type,
 180                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 181
 182 {
 183     return 0;
 184 }
 185
 186 int tls1_alert_code(int code)
 187 {
 188     return code;
 189 }
 190
 191 int ssl_log_secret(SSL *ssl,
 192                    const char *label,
 193                    const uint8_t *secret,
 194                    size_t secret_len)
 195 {
 196     return 1;
 197 }
 198
 199 const EVP_MD *ssl_md(int idx)
 200 {
 201     return EVP_sha256();
 202 }
 203
 204 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 205                            int line)
 206 {
 207 }
 208
 209 int ossl_statem_export_allowed(SSL *s)
 210 {
 211     return 1;
 212 }
 213
 214 int ossl_statem_export_early_allowed(SSL *s)
 215 {
 216     return 1;
 217 }
 218
 219 /* End of mocked out code */
 220
 221 static int test_secret(SSL *s, unsigned char *prk,
 222                        const unsigned char *label, size_t labellen,
 223                        const unsigned char *ref_secret,
 224                        const unsigned char *ref_key, const unsigned char *ref_iv)
 225 {
 226     size_t hashsize;
 227     unsigned char gensecret[EVP_MAX_MD_SIZE];
 228     unsigned char hash[EVP_MAX_MD_SIZE];
 229     unsigned char key[KEYLEN];
 230     unsigned char iv[IVLEN];
 231     const EVP_MD *md = ssl_handshake_md(s);
 232
 233     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 234         TEST_error("Failed to get hash");
 235         return 0;
 236     }
 237
 238     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 239                            gensecret, hashsize)) {
 240         TEST_error("Secret generation failed");
 241         return 0;
 242     }
 243
 244     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 245         return 0;
 246
 247     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 248         TEST_error("Key generation failed");
 249         return 0;
 250     }
 251
 252     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 253         return 0;
 254
 255     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 256         TEST_error("IV generation failed");
 257         return 0;
 258     }
 259
 260     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 261         return 0;
 262
 263     return 1;
 264 }
 265
 266 static int test_handshake_secrets(void)
 267 {
 268     SSL_CTX *ctx = NULL;
 269     SSL *s = NULL;
 270     int ret = 0;
 271     size_t hashsize;
 272     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 273     size_t master_secret_length;
 274
 275     ctx = SSL_CTX_new(TLS_method());
 276     if (!TEST_ptr(ctx))
 277         goto err;
 278
 279     s = SSL_new(ctx);
 280     if (!TEST_ptr(s ))
 281         goto err;
 282
 283     s->session = SSL_SESSION_new();
 284     if (!TEST_ptr(s->session))
 285         goto err;
 286
 287     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 288                                          (unsigned char *)&s->early_secret))) {
 289         TEST_info("Early secret generation failed");
 290         goto err;
 291     }
 292
 293     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 294                      early_secret, sizeof(early_secret))) {
 295         TEST_info("Early secret does not match");
 296         goto err;
 297     }
 298
 299     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 300                                                    sizeof(ecdhe_secret)))) {
 301         TEST_info("Handshake secret generation failed");
 302         goto err;
 303     }
 304
 305     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 306                      handshake_secret, sizeof(handshake_secret)))
 307         goto err;
 308
 309     hashsize = EVP_MD_size(ssl_handshake_md(s));
 310     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 311         goto err;
 312     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 313         goto err;
 314     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 315         goto err;
 316
 317     if (!TEST_true(test_secret(s, s->handshake_secret,
 318                                (unsigned char *)client_hts_label,
 319                                strlen(client_hts_label), client_hts,
 320                                client_hts_key, client_hts_iv))) {
 321         TEST_info("Client handshake secret test failed");
 322         goto err;
 323     }
 324
 325     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 326         goto err;
 327     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 328         goto err;
 329     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 330         goto err;
 331
 332     if (!TEST_true(test_secret(s, s->handshake_secret,
 333                                (unsigned char *)server_hts_label,
 334                                strlen(server_hts_label), server_hts,
 335                                server_hts_key, server_hts_iv))) {
 336         TEST_info("Server handshake secret test failed");
 337         goto err;
 338     }
 339
 340     /*
 341      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 342      * hash.
 343      */
 344     full_hash = 1;
 345
 346     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 347                                                 s->handshake_secret, hashsize,
 348                                                 &master_secret_length))) {
 349         TEST_info("Master secret generation failed");
 350         goto err;
 351     }
 352
 353     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 354                      master_secret, sizeof(master_secret))) {
 355         TEST_info("Master secret does not match");
 356         goto err;
 357     }
 358
 359     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 360         goto err;
 361     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 362         goto err;
 363     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 364         goto err;
 365
 366     if (!TEST_true(test_secret(s, out_master_secret,
 367                                (unsigned char *)client_ats_label,
 368                                strlen(client_ats_label), client_ats,
 369                                client_ats_key, client_ats_iv))) {
 370         TEST_info("Client application data secret test failed");
 371         goto err;
 372     }
 373
 374     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 375         goto err;
 376     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 377         goto err;
 378     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 379         goto err;
 380
 381     if (!TEST_true(test_secret(s, out_master_secret,
 382                                (unsigned char *)server_ats_label,
 383                                strlen(server_ats_label), server_ats,
 384                                server_ats_key, server_ats_iv))) {
 385         TEST_info("Server application data secret test failed");
 386         goto err;
 387     }
 388
 389     ret = 1;
 390  err:
 391     SSL_free(s);
 392     SSL_CTX_free(ctx);
 393     return ret;
 394 }
 395
 396 int setup_tests(void)
 397 {
 398     ADD_TEST(test_handshake_secrets);
 399     return 1;
 400 }