2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
13 #include "../ssl/ssl_local.h"
20 * Based on the test vectors available in:
21 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
54 static const char *client_hts_label = "c hs traffic";
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
71 static const char *server_hts_label = "s hs traffic";
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
94 static const char *client_ats_label = "c ap traffic";
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
111 static const char *server_ats_label = "s ap traffic";
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
134 static int full_hash = 0;
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
140 if (sizeof(hs_start_hash) > outlen
141 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
145 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146 *hashlen = sizeof(hs_full_hash);
148 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149 *hashlen = sizeof(hs_start_hash);
155 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
160 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
161 const EVP_CIPHER **enc)
166 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
167 const EVP_CIPHER **enc, const EVP_MD **md,
168 int *mac_pkey_type, size_t *mac_secret_size,
169 SSL_COMP **comp, int use_etm)
175 int tls1_alert_code(int code)
180 int ssl_log_secret(SSL_CONNECTION *sc,
182 const uint8_t *secret,
188 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
193 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
197 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
198 const char *fmt, ...)
202 int ossl_statem_export_allowed(SSL_CONNECTION *s)
207 int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
212 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
216 void ssl_evp_md_free(const EVP_MD *md)
220 int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
221 int level, unsigned char *key, size_t keylen,
222 unsigned char *iv, size_t ivlen,
223 unsigned char *mackey, size_t mackeylen,
224 const EVP_CIPHER *ciph, size_t taglen,
225 int mactype, const EVP_MD *md,
226 const SSL_COMP *comp)
231 /* End of mocked out code */
233 static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
234 const unsigned char *label, size_t labellen,
235 const unsigned char *ref_secret,
236 const unsigned char *ref_key, const unsigned char *ref_iv)
239 unsigned char gensecret[EVP_MAX_MD_SIZE];
240 unsigned char hash[EVP_MAX_MD_SIZE];
241 unsigned char key[KEYLEN];
242 unsigned char iv[IVLEN];
243 const EVP_MD *md = ssl_handshake_md(s);
245 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
246 TEST_error("Failed to get hash");
250 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
251 gensecret, hashsize, 1)) {
252 TEST_error("Secret generation failed");
256 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
259 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
260 TEST_error("Key generation failed");
264 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
267 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
268 TEST_error("IV generation failed");
272 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
278 static int test_handshake_secrets(void)
285 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
286 size_t master_secret_length;
288 ctx = SSL_CTX_new(TLS_method());
293 if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
296 s->session = SSL_SESSION_new();
297 if (!TEST_ptr(s->session))
300 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
301 (unsigned char *)&s->early_secret))) {
302 TEST_info("Early secret generation failed");
306 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
307 early_secret, sizeof(early_secret))) {
308 TEST_info("Early secret does not match");
312 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
313 sizeof(ecdhe_secret)))) {
314 TEST_info("Handshake secret generation failed");
318 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
319 handshake_secret, sizeof(handshake_secret)))
322 hashsize = EVP_MD_get_size(ssl_handshake_md(s));
323 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
325 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
327 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
330 if (!TEST_true(test_secret(s, s->handshake_secret,
331 (unsigned char *)client_hts_label,
332 strlen(client_hts_label), client_hts,
333 client_hts_key, client_hts_iv))) {
334 TEST_info("Client handshake secret test failed");
338 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
340 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
342 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
345 if (!TEST_true(test_secret(s, s->handshake_secret,
346 (unsigned char *)server_hts_label,
347 strlen(server_hts_label), server_hts,
348 server_hts_key, server_hts_iv))) {
349 TEST_info("Server handshake secret test failed");
354 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
359 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
360 s->handshake_secret, hashsize,
361 &master_secret_length))) {
362 TEST_info("Master secret generation failed");
366 if (!TEST_mem_eq(out_master_secret, master_secret_length,
367 master_secret, sizeof(master_secret))) {
368 TEST_info("Master secret does not match");
372 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
374 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
376 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
379 if (!TEST_true(test_secret(s, out_master_secret,
380 (unsigned char *)client_ats_label,
381 strlen(client_ats_label), client_ats,
382 client_ats_key, client_ats_iv))) {
383 TEST_info("Client application data secret test failed");
387 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
389 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
391 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
394 if (!TEST_true(test_secret(s, out_master_secret,
395 (unsigned char *)server_ats_label,
396 strlen(server_ats_label), server_ats,
397 server_ats_key, server_ats_iv))) {
398 TEST_info("Server application data secret test failed");
409 int setup_tests(void)
411 ADD_TEST(test_handshake_secrets);