2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
13 #include "../ssl/ssl_local.h"
20 * Based on the test vectors available in:
21 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
54 static const char *client_hts_label = "c hs traffic";
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
71 static const char *server_hts_label = "s hs traffic";
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
94 static const char *client_ats_label = "c ap traffic";
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
111 static const char *server_ats_label = "s ap traffic";
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
134 static int full_hash = 0;
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
140 if (sizeof(hs_start_hash) > outlen
141 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
145 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146 *hashlen = sizeof(hs_full_hash);
148 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149 *hashlen = sizeof(hs_start_hash);
155 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
169 const EVP_CIPHER **enc)
174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
175 const EVP_CIPHER **enc, const EVP_MD **md,
176 int *mac_pkey_type, size_t *mac_secret_size,
177 SSL_COMP **comp, int use_etm)
183 int tls1_alert_code(int code)
188 int ssl_log_secret(SSL_CONNECTION *sc,
190 const uint8_t *secret,
196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
201 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
205 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
206 const char *fmt, ...)
210 int ossl_statem_export_allowed(SSL_CONNECTION *s)
215 int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
220 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
224 void ssl_evp_md_free(const EVP_MD *md)
228 int ssl_set_new_record_layer(SSL_CONNECTION *s, const OSSL_RECORD_METHOD *meth,
229 int version, int direction, int level,
230 unsigned char *key, size_t keylen,
231 unsigned char *iv, size_t ivlen,
232 unsigned char *mackey, size_t mackeylen,
233 const EVP_CIPHER *ciph, size_t taglen,
234 int mactype, const EVP_MD *md,
235 const SSL_COMP *comp)
240 /* End of mocked out code */
242 static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
243 const unsigned char *label, size_t labellen,
244 const unsigned char *ref_secret,
245 const unsigned char *ref_key, const unsigned char *ref_iv)
248 unsigned char gensecret[EVP_MAX_MD_SIZE];
249 unsigned char hash[EVP_MAX_MD_SIZE];
250 unsigned char key[KEYLEN];
251 unsigned char iv[IVLEN];
252 const EVP_MD *md = ssl_handshake_md(s);
254 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
255 TEST_error("Failed to get hash");
259 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
260 gensecret, hashsize, 1)) {
261 TEST_error("Secret generation failed");
265 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
268 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
269 TEST_error("Key generation failed");
273 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
276 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
277 TEST_error("IV generation failed");
281 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
287 static int test_handshake_secrets(void)
294 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
295 size_t master_secret_length;
297 ctx = SSL_CTX_new(TLS_method());
302 if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
305 s->session = SSL_SESSION_new();
306 if (!TEST_ptr(s->session))
309 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
310 (unsigned char *)&s->early_secret))) {
311 TEST_info("Early secret generation failed");
315 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
316 early_secret, sizeof(early_secret))) {
317 TEST_info("Early secret does not match");
321 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
322 sizeof(ecdhe_secret)))) {
323 TEST_info("Handshake secret generation failed");
327 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
328 handshake_secret, sizeof(handshake_secret)))
331 hashsize = EVP_MD_get_size(ssl_handshake_md(s));
332 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
334 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
336 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
339 if (!TEST_true(test_secret(s, s->handshake_secret,
340 (unsigned char *)client_hts_label,
341 strlen(client_hts_label), client_hts,
342 client_hts_key, client_hts_iv))) {
343 TEST_info("Client handshake secret test failed");
347 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
349 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
351 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
354 if (!TEST_true(test_secret(s, s->handshake_secret,
355 (unsigned char *)server_hts_label,
356 strlen(server_hts_label), server_hts,
357 server_hts_key, server_hts_iv))) {
358 TEST_info("Server handshake secret test failed");
363 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
368 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
369 s->handshake_secret, hashsize,
370 &master_secret_length))) {
371 TEST_info("Master secret generation failed");
375 if (!TEST_mem_eq(out_master_secret, master_secret_length,
376 master_secret, sizeof(master_secret))) {
377 TEST_info("Master secret does not match");
381 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
383 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
385 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
388 if (!TEST_true(test_secret(s, out_master_secret,
389 (unsigned char *)client_ats_label,
390 strlen(client_ats_label), client_ats,
391 client_ats_key, client_ats_iv))) {
392 TEST_info("Client application data secret test failed");
396 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
398 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
400 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
403 if (!TEST_true(test_secret(s, out_master_secret,
404 (unsigned char *)server_ats_label,
405 strlen(server_ats_label), server_ats,
406 server_ats_key, server_ats_iv))) {
407 TEST_info("Server application data secret test failed");
418 int setup_tests(void)
420 ADD_TEST(test_handshake_secrets);