test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #include "../ssl/ssl_local.h"
  14 #include "testutil.h"
  15
  16 #define IVLEN   12
  17 #define KEYLEN  16
  18
  19 /*
  20  * Based on the test vectors available in:
  21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
  22  */
  23
  24 static unsigned char hs_start_hash[] = {
  25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
  26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
  27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
  28 };
  29
  30 static unsigned char hs_full_hash[] = {
  31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
  32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
  33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
  34 };
  35
  36 static unsigned char early_secret[] = {
  37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  40 };
  41
  42 static unsigned char ecdhe_secret[] = {
  43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
  44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
  45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
  46 };
  47
  48 static unsigned char handshake_secret[] = {
  49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
  50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
  51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
  52 };
  53
  54 static const char *client_hts_label = "c hs traffic";
  55
  56 static unsigned char client_hts[] = {
  57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
  58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
  59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
  60 };
  61
  62 static unsigned char client_hts_key[] = {
  63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
  64 0xad, 0x26, 0x49
  65 };
  66
  67 static unsigned char client_hts_iv[] = {
  68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
  69 };
  70
  71 static const char *server_hts_label = "s hs traffic";
  72
  73 static unsigned char server_hts[] = {
  74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
  75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
  76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
  77 };
  78
  79 static unsigned char server_hts_key[] = {
  80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
  81 0x11, 0xac, 0x8b
  82 };
  83
  84 static unsigned char server_hts_iv[] = {
  85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
  86 };
  87
  88 static unsigned char master_secret[] = {
  89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
  90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
  91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
  92 };
  93
  94 static const char *client_ats_label = "c ap traffic";
  95
  96 static unsigned char client_ats[] = {
  97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
  98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
  99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
 100 };
 101
 102 static unsigned char client_ats_key[] = {
 103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
 104 0xce, 0x5c, 0x87
 105 };
 106
 107 static unsigned char client_ats_iv[] = {
 108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
 109 };
 110
 111 static const char *server_ats_label = "s ap traffic";
 112
 113 static unsigned char server_ats[] = {
 114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
 115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
 116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
 117 };
 118
 119 static unsigned char server_ats_key[] = {
 120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
 121 0x4b, 0x9b, 0x7d
 122 };
 123
 124 static unsigned char server_ats_iv[] = {
 125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
 126 };
 127
 128 /* Mocked out implementations of various functions */
 129 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
 130 {
 131     return 1;
 132 }
 133
 134 static int full_hash = 0;
 135
 136 /* Give a hash of the currently set handshake */
 137 int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
 138                        size_t *hashlen)
 139 {
 140     if (sizeof(hs_start_hash) > outlen
 141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 142         return 0;
 143
 144     if (full_hash) {
 145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 146         *hashlen = sizeof(hs_full_hash);
 147     } else {
 148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 149         *hashlen = sizeof(hs_start_hash);
 150     }
 151
 152     return 1;
 153 }
 154
 155 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
 156 {
 157     return EVP_sha256();
 158 }
 159
 160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 161 {
 162 }
 163
 164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 165 {
 166 }
 167
 168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
 169                                      const EVP_CIPHER **enc)
 170 {
 171     return 0;
 172 }
 173
 174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
 175                        const EVP_CIPHER **enc, const EVP_MD **md,
 176                        int *mac_pkey_type, size_t *mac_secret_size,
 177                        SSL_COMP **comp, int use_etm)
 178
 179 {
 180     return 0;
 181 }
 182
 183 int tls1_alert_code(int code)
 184 {
 185     return code;
 186 }
 187
 188 int ssl_log_secret(SSL_CONNECTION *sc,
 189                    const char *label,
 190                    const uint8_t *secret,
 191                    size_t secret_len)
 192 {
 193     return 1;
 194 }
 195
 196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
 197 {
 198     return EVP_sha256();
 199 }
 200
 201 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
 202 {
 203 }
 204
 205 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
 206                        const char *fmt, ...)
 207 {
 208 }
 209
 210 int ossl_statem_export_allowed(SSL_CONNECTION *s)
 211 {
 212     return 1;
 213 }
 214
 215 int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
 216 {
 217     return 1;
 218 }
 219
 220 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
 221 {
 222 }
 223
 224 void ssl_evp_md_free(const EVP_MD *md)
 225 {
 226 }
 227
 228 /* End of mocked out code */
 229
 230 static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
 231                        const unsigned char *label, size_t labellen,
 232                        const unsigned char *ref_secret,
 233                        const unsigned char *ref_key, const unsigned char *ref_iv)
 234 {
 235     size_t hashsize;
 236     unsigned char gensecret[EVP_MAX_MD_SIZE];
 237     unsigned char hash[EVP_MAX_MD_SIZE];
 238     unsigned char key[KEYLEN];
 239     unsigned char iv[IVLEN];
 240     const EVP_MD *md = ssl_handshake_md(s);
 241
 242     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 243         TEST_error("Failed to get hash");
 244         return 0;
 245     }
 246
 247     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 248                            gensecret, hashsize, 1)) {
 249         TEST_error("Secret generation failed");
 250         return 0;
 251     }
 252
 253     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 254         return 0;
 255
 256     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 257         TEST_error("Key generation failed");
 258         return 0;
 259     }
 260
 261     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 262         return 0;
 263
 264     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 265         TEST_error("IV generation failed");
 266         return 0;
 267     }
 268
 269     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 270         return 0;
 271
 272     return 1;
 273 }
 274
 275 static int test_handshake_secrets(void)
 276 {
 277     SSL_CTX *ctx = NULL;
 278     SSL *ssl = NULL;
 279     SSL_CONNECTION *s;
 280     int ret = 0;
 281     size_t hashsize;
 282     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 283     size_t master_secret_length;
 284
 285     ctx = SSL_CTX_new(TLS_method());
 286     if (!TEST_ptr(ctx))
 287         goto err;
 288
 289     ssl = SSL_new(ctx);
 290     if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
 291         goto err;
 292
 293     s->session = SSL_SESSION_new();
 294     if (!TEST_ptr(s->session))
 295         goto err;
 296
 297     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 298                                          (unsigned char *)&s->early_secret))) {
 299         TEST_info("Early secret generation failed");
 300         goto err;
 301     }
 302
 303     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 304                      early_secret, sizeof(early_secret))) {
 305         TEST_info("Early secret does not match");
 306         goto err;
 307     }
 308
 309     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 310                                                    sizeof(ecdhe_secret)))) {
 311         TEST_info("Handshake secret generation failed");
 312         goto err;
 313     }
 314
 315     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 316                      handshake_secret, sizeof(handshake_secret)))
 317         goto err;
 318
 319     hashsize = EVP_MD_get_size(ssl_handshake_md(s));
 320     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 321         goto err;
 322     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 323         goto err;
 324     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 325         goto err;
 326
 327     if (!TEST_true(test_secret(s, s->handshake_secret,
 328                                (unsigned char *)client_hts_label,
 329                                strlen(client_hts_label), client_hts,
 330                                client_hts_key, client_hts_iv))) {
 331         TEST_info("Client handshake secret test failed");
 332         goto err;
 333     }
 334
 335     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 336         goto err;
 337     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 338         goto err;
 339     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 340         goto err;
 341
 342     if (!TEST_true(test_secret(s, s->handshake_secret,
 343                                (unsigned char *)server_hts_label,
 344                                strlen(server_hts_label), server_hts,
 345                                server_hts_key, server_hts_iv))) {
 346         TEST_info("Server handshake secret test failed");
 347         goto err;
 348     }
 349
 350     /*
 351      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 352      * hash.
 353      */
 354     full_hash = 1;
 355
 356     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 357                                                 s->handshake_secret, hashsize,
 358                                                 &master_secret_length))) {
 359         TEST_info("Master secret generation failed");
 360         goto err;
 361     }
 362
 363     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 364                      master_secret, sizeof(master_secret))) {
 365         TEST_info("Master secret does not match");
 366         goto err;
 367     }
 368
 369     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 370         goto err;
 371     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 372         goto err;
 373     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 374         goto err;
 375
 376     if (!TEST_true(test_secret(s, out_master_secret,
 377                                (unsigned char *)client_ats_label,
 378                                strlen(client_ats_label), client_ats,
 379                                client_ats_key, client_ats_iv))) {
 380         TEST_info("Client application data secret test failed");
 381         goto err;
 382     }
 383
 384     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 385         goto err;
 386     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 387         goto err;
 388     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 389         goto err;
 390
 391     if (!TEST_true(test_secret(s, out_master_secret,
 392                                (unsigned char *)server_ats_label,
 393                                strlen(server_ats_label), server_ats,
 394                                server_ats_key, server_ats_iv))) {
 395         TEST_info("Server application data secret test failed");
 396         goto err;
 397     }
 398
 399     ret = 1;
 400  err:
 401     SSL_free(ssl);
 402     SSL_CTX_free(ctx);
 403     return ret;
 404 }
 405
 406 int setup_tests(void)
 407 {
 408     ADD_TEST(test_handshake_secrets);
 409     return 1;
 410 }