Fix cert with rsa instead of rsaEncryption as public key algorithm
[openssl.git] / test / tls13secretstest.c
1 /*
2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #include "../ssl/ssl_locl.h"
14 #include "testutil.h"
15
16 #define IVLEN   12
17 #define KEYLEN  16
18
19 /*
20  * Based on the test vectors availble in:
21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06 
22  */
23
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
28 };
29
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
34 };
35
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
40 };
41
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
46 };
47
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
52 };
53
54 static const char *client_hts_label = "c hs traffic";
55
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
60 };
61
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
64 0xad, 0x26, 0x49
65 };
66
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
69 };
70
71 static const char *server_hts_label = "s hs traffic";
72
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
77 };
78
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
81 0x11, 0xac, 0x8b
82 };
83
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
86 };
87
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
92 };
93
94 static const char *client_ats_label = "c ap traffic";
95
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
100 };
101
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
104 0xce, 0x5c, 0x87
105 };
106
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
109 };
110
111 static const char *server_ats_label = "s ap traffic";
112
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
117 };
118
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
121 0x4b, 0x9b, 0x7d
122 };
123
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
126 };
127
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL *s, int keep)
130 {
131     return 1;
132 }
133
134 static int full_hash = 0;
135
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
138                        size_t *hashlen)
139 {
140     if (sizeof(hs_start_hash) > outlen
141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
142         return 0;
143
144     if (full_hash) {
145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146         *hashlen = sizeof(hs_full_hash);
147     } else {
148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149         *hashlen = sizeof(hs_start_hash);
150     }
151
152     return 1;
153 }
154
155 const EVP_MD *ssl_handshake_md(SSL *s)
156 {
157     return EVP_sha256();
158 }
159
160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
161 {
162 }
163
164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
165 {
166 }
167
168 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
169                        const EVP_MD **md, int *mac_pkey_type,
170                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
171
172 {
173     return 0;
174 }
175
176 int tls1_alert_code(int code)
177 {
178     return code;
179 }
180
181 int ssl_log_secret(SSL *ssl,
182                    const char *label,
183                    const uint8_t *secret,
184                    size_t secret_len)
185 {
186     return 1;
187 }
188
189 const EVP_MD *ssl_md(int idx)
190 {
191     return EVP_sha256();
192 }
193
194 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
195                            int line)
196 {
197 }
198
199 int ossl_statem_export_allowed(SSL *s)
200 {
201     return 1;
202 }
203
204 int ossl_statem_export_early_allowed(SSL *s)
205 {
206     return 1;
207 }
208
209 /* End of mocked out code */
210
211 static int test_secret(SSL *s, unsigned char *prk,
212                        const unsigned char *label, size_t labellen,
213                        const unsigned char *ref_secret,
214                        const unsigned char *ref_key, const unsigned char *ref_iv)
215 {
216     size_t hashsize;
217     unsigned char gensecret[EVP_MAX_MD_SIZE];
218     unsigned char hash[EVP_MAX_MD_SIZE];
219     unsigned char key[KEYLEN];
220     unsigned char iv[IVLEN];
221     const EVP_MD *md = ssl_handshake_md(s);
222
223     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
224         TEST_error("Failed to get hash");
225         return 0;
226     }
227
228     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
229                            gensecret, hashsize, 1)) {
230         TEST_error("Secret generation failed");
231         return 0;
232     }
233
234     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
235         return 0;
236
237     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
238         TEST_error("Key generation failed");
239         return 0;
240     }
241
242     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
243         return 0;
244
245     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
246         TEST_error("IV generation failed");
247         return 0;
248     }
249
250     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
251         return 0;
252
253     return 1;
254 }
255
256 static int test_handshake_secrets(void)
257 {
258     SSL_CTX *ctx = NULL;
259     SSL *s = NULL;
260     int ret = 0;
261     size_t hashsize;
262     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
263     size_t master_secret_length;
264
265     ctx = SSL_CTX_new(TLS_method());
266     if (!TEST_ptr(ctx))
267         goto err;
268
269     s = SSL_new(ctx);
270     if (!TEST_ptr(s ))
271         goto err;
272
273     s->session = SSL_SESSION_new();
274     if (!TEST_ptr(s->session))
275         goto err;
276
277     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
278                                          (unsigned char *)&s->early_secret))) {
279         TEST_info("Early secret generation failed");
280         goto err;
281     }
282
283     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
284                      early_secret, sizeof(early_secret))) {
285         TEST_info("Early secret does not match");
286         goto err;
287     }
288
289     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
290                                                    sizeof(ecdhe_secret)))) {
291         TEST_info("Handshake secret generation failed");
292         goto err;
293     }
294
295     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
296                      handshake_secret, sizeof(handshake_secret)))
297         goto err;
298
299     hashsize = EVP_MD_size(ssl_handshake_md(s));
300     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
301         goto err;
302     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
303         goto err;
304     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
305         goto err;
306
307     if (!TEST_true(test_secret(s, s->handshake_secret,
308                                (unsigned char *)client_hts_label,
309                                strlen(client_hts_label), client_hts,
310                                client_hts_key, client_hts_iv))) {
311         TEST_info("Client handshake secret test failed");
312         goto err;
313     }
314
315     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
316         goto err;
317     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
318         goto err;
319     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
320         goto err;
321
322     if (!TEST_true(test_secret(s, s->handshake_secret,
323                                (unsigned char *)server_hts_label,
324                                strlen(server_hts_label), server_hts,
325                                server_hts_key, server_hts_iv))) {
326         TEST_info("Server handshake secret test failed");
327         goto err;
328     }
329
330     /*
331      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
332      * hash.
333      */
334     full_hash = 1;
335
336     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
337                                                 s->handshake_secret, hashsize,
338                                                 &master_secret_length))) {
339         TEST_info("Master secret generation failed");
340         goto err;
341     }
342
343     if (!TEST_mem_eq(out_master_secret, master_secret_length,
344                      master_secret, sizeof(master_secret))) {
345         TEST_info("Master secret does not match");
346         goto err;
347     }
348
349     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
350         goto err;
351     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
352         goto err;
353     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
354         goto err;
355
356     if (!TEST_true(test_secret(s, out_master_secret,
357                                (unsigned char *)client_ats_label,
358                                strlen(client_ats_label), client_ats,
359                                client_ats_key, client_ats_iv))) {
360         TEST_info("Client application data secret test failed");
361         goto err;
362     }
363
364     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
365         goto err;
366     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
367         goto err;
368     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
369         goto err;
370
371     if (!TEST_true(test_secret(s, out_master_secret,
372                                (unsigned char *)server_ats_label,
373                                strlen(server_ats_label), server_ats,
374                                server_ats_key, server_ats_iv))) {
375         TEST_info("Server application data secret test failed");
376         goto err;
377     }
378
379     ret = 1;
380  err:
381     SSL_free(s);
382     SSL_CTX_free(ctx);
383     return ret;
384 }
385
386 int setup_tests(void)
387 {
388     ADD_TEST(test_handshake_secrets);
389     return 1;
390 }