test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #include "../ssl/ssl_locl.h"
  14 #include "testutil.h"
  15
  16 #define IVLEN   12
  17 #define KEYLEN  16
  18
  19 /*
  20  * Based on the test vectors availble in:
  21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
  22  */
  23
  24 static unsigned char hs_start_hash[] = {
  25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
  26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
  27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
  28 };
  29
  30 static unsigned char hs_full_hash[] = {
  31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
  32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
  33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
  34 };
  35
  36 static unsigned char early_secret[] = {
  37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  40 };
  41
  42 static unsigned char ecdhe_secret[] = {
  43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
  44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
  45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
  46 };
  47
  48 static unsigned char handshake_secret[] = {
  49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
  50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
  51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
  52 };
  53
  54 static const char *client_hts_label = "c hs traffic";
  55
  56 static unsigned char client_hts[] = {
  57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
  58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
  59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
  60 };
  61
  62 static unsigned char client_hts_key[] = {
  63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
  64 0xad, 0x26, 0x49
  65 };
  66
  67 static unsigned char client_hts_iv[] = {
  68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
  69 };
  70
  71 static const char *server_hts_label = "s hs traffic";
  72
  73 static unsigned char server_hts[] = {
  74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
  75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
  76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
  77 };
  78
  79 static unsigned char server_hts_key[] = {
  80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
  81 0x11, 0xac, 0x8b
  82 };
  83
  84 static unsigned char server_hts_iv[] = {
  85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
  86 };
  87
  88 static unsigned char master_secret[] = {
  89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
  90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
  91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
  92 };
  93
  94 static const char *client_ats_label = "c ap traffic";
  95
  96 static unsigned char client_ats[] = {
  97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
  98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
  99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
 100 };
 101
 102 static unsigned char client_ats_key[] = {
 103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
 104 0xce, 0x5c, 0x87
 105 };
 106
 107 static unsigned char client_ats_iv[] = {
 108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
 109 };
 110
 111 static const char *server_ats_label = "s ap traffic";
 112
 113 static unsigned char server_ats[] = {
 114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
 115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
 116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
 117 };
 118
 119 static unsigned char server_ats_key[] = {
 120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
 121 0x4b, 0x9b, 0x7d
 122 };
 123
 124 static unsigned char server_ats_iv[] = {
 125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
 126 };
 127
 128 /* Mocked out implementations of various functions */
 129 int ssl3_digest_cached_records(SSL *s, int keep)
 130 {
 131     return 1;
 132 }
 133
 134 static int full_hash = 0;
 135
 136 /* Give a hash of the currently set handshake */
 137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 138                        size_t *hashlen)
 139 {
 140     if (sizeof(hs_start_hash) > outlen
 141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 142         return 0;
 143
 144     if (full_hash) {
 145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 146         *hashlen = sizeof(hs_full_hash);
 147     } else {
 148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 149         *hashlen = sizeof(hs_start_hash);
 150     }
 151
 152     return 1;
 153 }
 154
 155 const EVP_MD *ssl_handshake_md(SSL *s)
 156 {
 157     return EVP_sha256();
 158 }
 159
 160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 161 {
 162 }
 163
 164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 165 {
 166 }
 167
 168 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 169                        const EVP_MD **md, int *mac_pkey_type,
 170                        size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 171
 172 {
 173     return 0;
 174 }
 175
 176 int tls1_alert_code(int code)
 177 {
 178     return code;
 179 }
 180
 181 int ssl_log_secret(SSL *ssl,
 182                    const char *label,
 183                    const uint8_t *secret,
 184                    size_t secret_len)
 185 {
 186     return 1;
 187 }
 188
 189 const EVP_MD *ssl_md(int idx)
 190 {
 191     return EVP_sha256();
 192 }
 193
 194 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 195                            int line)
 196 {
 197 }
 198
 199 int ossl_statem_export_allowed(SSL *s)
 200 {
 201     return 1;
 202 }
 203
 204 int ossl_statem_export_early_allowed(SSL *s)
 205 {
 206     return 1;
 207 }
 208
 209 /* End of mocked out code */
 210
 211 static int test_secret(SSL *s, unsigned char *prk,
 212                        const unsigned char *label, size_t labellen,
 213                        const unsigned char *ref_secret,
 214                        const unsigned char *ref_key, const unsigned char *ref_iv)
 215 {
 216     size_t hashsize;
 217     unsigned char gensecret[EVP_MAX_MD_SIZE];
 218     unsigned char hash[EVP_MAX_MD_SIZE];
 219     unsigned char key[KEYLEN];
 220     unsigned char iv[IVLEN];
 221     const EVP_MD *md = ssl_handshake_md(s);
 222
 223     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 224         TEST_error("Failed to get hash");
 225         return 0;
 226     }
 227
 228     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 229                            gensecret, hashsize, 1)) {
 230         TEST_error("Secret generation failed");
 231         return 0;
 232     }
 233
 234     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 235         return 0;
 236
 237     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 238         TEST_error("Key generation failed");
 239         return 0;
 240     }
 241
 242     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 243         return 0;
 244
 245     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 246         TEST_error("IV generation failed");
 247         return 0;
 248     }
 249
 250     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 251         return 0;
 252
 253     return 1;
 254 }
 255
 256 static int test_handshake_secrets(void)
 257 {
 258     SSL_CTX *ctx = NULL;
 259     SSL *s = NULL;
 260     int ret = 0;
 261     size_t hashsize;
 262     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 263     size_t master_secret_length;
 264
 265     ctx = SSL_CTX_new(TLS_method());
 266     if (!TEST_ptr(ctx))
 267         goto err;
 268
 269     s = SSL_new(ctx);
 270     if (!TEST_ptr(s ))
 271         goto err;
 272
 273     s->session = SSL_SESSION_new();
 274     if (!TEST_ptr(s->session))
 275         goto err;
 276
 277     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 278                                          (unsigned char *)&s->early_secret))) {
 279         TEST_info("Early secret generation failed");
 280         goto err;
 281     }
 282
 283     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 284                      early_secret, sizeof(early_secret))) {
 285         TEST_info("Early secret does not match");
 286         goto err;
 287     }
 288
 289     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 290                                                    sizeof(ecdhe_secret)))) {
 291         TEST_info("Handshake secret generation failed");
 292         goto err;
 293     }
 294
 295     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 296                      handshake_secret, sizeof(handshake_secret)))
 297         goto err;
 298
 299     hashsize = EVP_MD_size(ssl_handshake_md(s));
 300     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 301         goto err;
 302     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 303         goto err;
 304     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 305         goto err;
 306
 307     if (!TEST_true(test_secret(s, s->handshake_secret,
 308                                (unsigned char *)client_hts_label,
 309                                strlen(client_hts_label), client_hts,
 310                                client_hts_key, client_hts_iv))) {
 311         TEST_info("Client handshake secret test failed");
 312         goto err;
 313     }
 314
 315     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 316         goto err;
 317     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 318         goto err;
 319     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 320         goto err;
 321
 322     if (!TEST_true(test_secret(s, s->handshake_secret,
 323                                (unsigned char *)server_hts_label,
 324                                strlen(server_hts_label), server_hts,
 325                                server_hts_key, server_hts_iv))) {
 326         TEST_info("Server handshake secret test failed");
 327         goto err;
 328     }
 329
 330     /*
 331      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 332      * hash.
 333      */
 334     full_hash = 1;
 335
 336     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 337                                                 s->handshake_secret, hashsize,
 338                                                 &master_secret_length))) {
 339         TEST_info("Master secret generation failed");
 340         goto err;
 341     }
 342
 343     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 344                      master_secret, sizeof(master_secret))) {
 345         TEST_info("Master secret does not match");
 346         goto err;
 347     }
 348
 349     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 350         goto err;
 351     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 352         goto err;
 353     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 354         goto err;
 355
 356     if (!TEST_true(test_secret(s, out_master_secret,
 357                                (unsigned char *)client_ats_label,
 358                                strlen(client_ats_label), client_ats,
 359                                client_ats_key, client_ats_iv))) {
 360         TEST_info("Client application data secret test failed");
 361         goto err;
 362     }
 363
 364     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 365         goto err;
 366     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 367         goto err;
 368     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 369         goto err;
 370
 371     if (!TEST_true(test_secret(s, out_master_secret,
 372                                (unsigned char *)server_ats_label,
 373                                strlen(server_ats_label), server_ats,
 374                                server_ats_key, server_ats_iv))) {
 375         TEST_info("Server application data secret test failed");
 376         goto err;
 377     }
 378
 379     ret = 1;
 380  err:
 381     SSL_free(s);
 382     SSL_CTX_free(ctx);
 383     return ret;
 384 }
 385
 386 int setup_tests(void)
 387 {
 388     ADD_TEST(test_handshake_secrets);
 389     return 1;
 390 }