7ca6b3d055920cd12bc65477adb625ea27defe3d
[openssl.git] / test / tls13secretstest.c
1 /*
2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #ifdef __VMS
14 # pragma names save
15 # pragma names as_is,shortened
16 #endif
17
18 #include "../ssl/ssl_locl.h"
19
20 #ifdef __VMS
21 # pragma names restore
22 #endif
23
24 #include "testutil.h"
25
26 #define IVLEN   12
27 #define KEYLEN  16
28
29 /*
30  * Based on the test vectors availble in:
31  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
32  */
33
34 static unsigned char hs_start_hash[] = {
35 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
36 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
37 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
38 };
39
40 static unsigned char hs_full_hash[] = {
41 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
42 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
43 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
44 };
45
46 static unsigned char early_secret[] = {
47 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
48 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
49 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
50 };
51
52 static unsigned char ecdhe_secret[] = {
53 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
54 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
55 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
56 };
57
58 static unsigned char handshake_secret[] = {
59 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
60 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
61 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
62 };
63
64 static const char *client_hts_label = "c hs traffic";
65
66 static unsigned char client_hts[] = {
67 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
68 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
69 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
70 };
71
72 static unsigned char client_hts_key[] = {
73 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
74 0xad, 0x26, 0x49
75 };
76
77 static unsigned char client_hts_iv[] = {
78 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
79 };
80
81 static const char *server_hts_label = "s hs traffic";
82
83 static unsigned char server_hts[] = {
84 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
85 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
86 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
87 };
88
89 static unsigned char server_hts_key[] = {
90 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
91 0x11, 0xac, 0x8b
92 };
93
94 static unsigned char server_hts_iv[] = {
95 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
96 };
97
98 static unsigned char master_secret[] = {
99 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
100 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
101 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
102 };
103
104 static const char *client_ats_label = "c ap traffic";
105
106 static unsigned char client_ats[] = {
107 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
108 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
109 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
110 };
111
112 static unsigned char client_ats_key[] = {
113 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
114 0xce, 0x5c, 0x87
115 };
116
117 static unsigned char client_ats_iv[] = {
118 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
119 };
120
121 static const char *server_ats_label = "s ap traffic";
122
123 static unsigned char server_ats[] = {
124 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
125 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
126 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
127 };
128
129 static unsigned char server_ats_key[] = {
130 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
131 0x4b, 0x9b, 0x7d
132 };
133
134 static unsigned char server_ats_iv[] = {
135 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
136 };
137
138 /* Mocked out implementations of various functions */
139 int ssl3_digest_cached_records(SSL *s, int keep)
140 {
141     return 1;
142 }
143
144 static int full_hash = 0;
145
146 /* Give a hash of the currently set handshake */
147 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
148                        size_t *hashlen)
149 {
150     if (sizeof(hs_start_hash) > outlen
151             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
152         return 0;
153
154     if (full_hash) {
155         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
156         *hashlen = sizeof(hs_full_hash);
157     } else {
158         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
159         *hashlen = sizeof(hs_start_hash);
160     }
161
162     return 1;
163 }
164
165 const EVP_MD *ssl_handshake_md(SSL *s)
166 {
167     return EVP_sha256();
168 }
169
170 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
171 {
172 }
173
174 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
175 {
176 }
177
178 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
179                        const EVP_MD **md, int *mac_pkey_type,
180                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
181
182 {
183     return 0;
184 }
185
186 int tls1_alert_code(int code)
187 {
188     return code;
189 }
190
191 int ssl_log_secret(SSL *ssl,
192                    const char *label,
193                    const uint8_t *secret,
194                    size_t secret_len)
195 {
196     return 1;
197 }
198
199 const EVP_MD *ssl_md(int idx)
200 {
201     return EVP_sha256();
202 }
203
204 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
205                            int line)
206 {
207 }
208
209 int ossl_statem_export_allowed(SSL *s)
210 {
211     return 1;
212 }
213
214 int ossl_statem_export_early_allowed(SSL *s)
215 {
216     return 1;
217 }
218
219 /* End of mocked out code */
220
221 static int test_secret(SSL *s, unsigned char *prk,
222                        const unsigned char *label, size_t labellen,
223                        const unsigned char *ref_secret,
224                        const unsigned char *ref_key, const unsigned char *ref_iv)
225 {
226     size_t hashsize;
227     unsigned char gensecret[EVP_MAX_MD_SIZE];
228     unsigned char hash[EVP_MAX_MD_SIZE];
229     unsigned char key[KEYLEN];
230     unsigned char iv[IVLEN];
231     const EVP_MD *md = ssl_handshake_md(s);
232
233     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
234         TEST_error("Failed to get hash");
235         return 0;
236     }
237
238     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
239                            gensecret, hashsize, 1)) {
240         TEST_error("Secret generation failed");
241         return 0;
242     }
243
244     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
245         return 0;
246
247     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
248         TEST_error("Key generation failed");
249         return 0;
250     }
251
252     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
253         return 0;
254
255     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
256         TEST_error("IV generation failed");
257         return 0;
258     }
259
260     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
261         return 0;
262
263     return 1;
264 }
265
266 static int test_handshake_secrets(void)
267 {
268     SSL_CTX *ctx = NULL;
269     SSL *s = NULL;
270     int ret = 0;
271     size_t hashsize;
272     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
273     size_t master_secret_length;
274
275     ctx = SSL_CTX_new(TLS_method());
276     if (!TEST_ptr(ctx))
277         goto err;
278
279     s = SSL_new(ctx);
280     if (!TEST_ptr(s ))
281         goto err;
282
283     s->session = SSL_SESSION_new();
284     if (!TEST_ptr(s->session))
285         goto err;
286
287     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
288                                          (unsigned char *)&s->early_secret))) {
289         TEST_info("Early secret generation failed");
290         goto err;
291     }
292
293     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
294                      early_secret, sizeof(early_secret))) {
295         TEST_info("Early secret does not match");
296         goto err;
297     }
298
299     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
300                                                    sizeof(ecdhe_secret)))) {
301         TEST_info("Handshake secret generation failed");
302         goto err;
303     }
304
305     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
306                      handshake_secret, sizeof(handshake_secret)))
307         goto err;
308
309     hashsize = EVP_MD_size(ssl_handshake_md(s));
310     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
311         goto err;
312     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
313         goto err;
314     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
315         goto err;
316
317     if (!TEST_true(test_secret(s, s->handshake_secret,
318                                (unsigned char *)client_hts_label,
319                                strlen(client_hts_label), client_hts,
320                                client_hts_key, client_hts_iv))) {
321         TEST_info("Client handshake secret test failed");
322         goto err;
323     }
324
325     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
326         goto err;
327     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
328         goto err;
329     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
330         goto err;
331
332     if (!TEST_true(test_secret(s, s->handshake_secret,
333                                (unsigned char *)server_hts_label,
334                                strlen(server_hts_label), server_hts,
335                                server_hts_key, server_hts_iv))) {
336         TEST_info("Server handshake secret test failed");
337         goto err;
338     }
339
340     /*
341      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
342      * hash.
343      */
344     full_hash = 1;
345
346     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
347                                                 s->handshake_secret, hashsize,
348                                                 &master_secret_length))) {
349         TEST_info("Master secret generation failed");
350         goto err;
351     }
352
353     if (!TEST_mem_eq(out_master_secret, master_secret_length,
354                      master_secret, sizeof(master_secret))) {
355         TEST_info("Master secret does not match");
356         goto err;
357     }
358
359     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
360         goto err;
361     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
362         goto err;
363     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
364         goto err;
365
366     if (!TEST_true(test_secret(s, out_master_secret,
367                                (unsigned char *)client_ats_label,
368                                strlen(client_ats_label), client_ats,
369                                client_ats_key, client_ats_iv))) {
370         TEST_info("Client application data secret test failed");
371         goto err;
372     }
373
374     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
375         goto err;
376     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
377         goto err;
378     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
379         goto err;
380
381     if (!TEST_true(test_secret(s, out_master_secret,
382                                (unsigned char *)server_ats_label,
383                                strlen(server_ats_label), server_ats,
384                                server_ats_key, server_ats_iv))) {
385         TEST_info("Server application data secret test failed");
386         goto err;
387     }
388
389     ret = 1;
390  err:
391     SSL_free(s);
392     SSL_CTX_free(ctx);
393     return ret;
394 }
395
396 int setup_tests(void)
397 {
398     ADD_TEST(test_handshake_secrets);
399     return 1;
400 }