test/tls13secretstest.c

   1 /*
   2  * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <openssl/ssl.h>
  11 #include <openssl/evp.h>
  12
  13 #include "../ssl/ssl_local.h"
  14 #include "testutil.h"
  15
  16 #define IVLEN   12
  17 #define KEYLEN  16
  18
  19 /*
  20  * Based on the test vectors available in:
  21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
  22  */
  23
  24 static unsigned char hs_start_hash[] = {
  25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
  26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
  27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
  28 };
  29
  30 static unsigned char hs_full_hash[] = {
  31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
  32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
  33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
  34 };
  35
  36 static unsigned char early_secret[] = {
  37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
  38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
  39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
  40 };
  41
  42 static unsigned char ecdhe_secret[] = {
  43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
  44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
  45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
  46 };
  47
  48 static unsigned char handshake_secret[] = {
  49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
  50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
  51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
  52 };
  53
  54 static const char *client_hts_label = "c hs traffic";
  55
  56 static unsigned char client_hts[] = {
  57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
  58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
  59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
  60 };
  61
  62 static unsigned char client_hts_key[] = {
  63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
  64 0xad, 0x26, 0x49
  65 };
  66
  67 static unsigned char client_hts_iv[] = {
  68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
  69 };
  70
  71 static const char *server_hts_label = "s hs traffic";
  72
  73 static unsigned char server_hts[] = {
  74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
  75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
  76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
  77 };
  78
  79 static unsigned char server_hts_key[] = {
  80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
  81 0x11, 0xac, 0x8b
  82 };
  83
  84 static unsigned char server_hts_iv[] = {
  85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
  86 };
  87
  88 static unsigned char master_secret[] = {
  89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
  90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
  91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
  92 };
  93
  94 static const char *client_ats_label = "c ap traffic";
  95
  96 static unsigned char client_ats[] = {
  97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
  98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
  99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
 100 };
 101
 102 static unsigned char client_ats_key[] = {
 103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
 104 0xce, 0x5c, 0x87
 105 };
 106
 107 static unsigned char client_ats_iv[] = {
 108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
 109 };
 110
 111 static const char *server_ats_label = "s ap traffic";
 112
 113 static unsigned char server_ats[] = {
 114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
 115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
 116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
 117 };
 118
 119 static unsigned char server_ats_key[] = {
 120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
 121 0x4b, 0x9b, 0x7d
 122 };
 123
 124 static unsigned char server_ats_iv[] = {
 125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
 126 };
 127
 128 /* Mocked out implementations of various functions */
 129 int ssl3_digest_cached_records(SSL *s, int keep)
 130 {
 131     return 1;
 132 }
 133
 134 static int full_hash = 0;
 135
 136 /* Give a hash of the currently set handshake */
 137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
 138                        size_t *hashlen)
 139 {
 140     if (sizeof(hs_start_hash) > outlen
 141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
 142         return 0;
 143
 144     if (full_hash) {
 145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
 146         *hashlen = sizeof(hs_full_hash);
 147     } else {
 148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
 149         *hashlen = sizeof(hs_start_hash);
 150     }
 151
 152     return 1;
 153 }
 154
 155 const EVP_MD *ssl_handshake_md(SSL *s)
 156 {
 157     return EVP_sha256();
 158 }
 159
 160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
 161 {
 162 }
 163
 164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 165 {
 166 }
 167
 168 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
 169                        const EVP_CIPHER **enc, const EVP_MD **md,
 170                        int *mac_pkey_type, size_t *mac_secret_size,
 171                        SSL_COMP **comp, int use_etm)
 172
 173 {
 174     return 0;
 175 }
 176
 177 int tls1_alert_code(int code)
 178 {
 179     return code;
 180 }
 181
 182 int ssl_log_secret(SSL *ssl,
 183                    const char *label,
 184                    const uint8_t *secret,
 185                    size_t secret_len)
 186 {
 187     return 1;
 188 }
 189
 190 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
 191 {
 192     return EVP_sha256();
 193 }
 194
 195 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
 196                            int line)
 197 {
 198 }
 199
 200 int ossl_statem_export_allowed(SSL *s)
 201 {
 202     return 1;
 203 }
 204
 205 int ossl_statem_export_early_allowed(SSL *s)
 206 {
 207     return 1;
 208 }
 209
 210 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
 211 {
 212 }
 213
 214 void ssl_evp_md_free(const EVP_MD *md)
 215 {
 216 }
 217
 218 /* End of mocked out code */
 219
 220 static int test_secret(SSL *s, unsigned char *prk,
 221                        const unsigned char *label, size_t labellen,
 222                        const unsigned char *ref_secret,
 223                        const unsigned char *ref_key, const unsigned char *ref_iv)
 224 {
 225     size_t hashsize;
 226     unsigned char gensecret[EVP_MAX_MD_SIZE];
 227     unsigned char hash[EVP_MAX_MD_SIZE];
 228     unsigned char key[KEYLEN];
 229     unsigned char iv[IVLEN];
 230     const EVP_MD *md = ssl_handshake_md(s);
 231
 232     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
 233         TEST_error("Failed to get hash");
 234         return 0;
 235     }
 236
 237     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
 238                            gensecret, hashsize, 1)) {
 239         TEST_error("Secret generation failed");
 240         return 0;
 241     }
 242
 243     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
 244         return 0;
 245
 246     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
 247         TEST_error("Key generation failed");
 248         return 0;
 249     }
 250
 251     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
 252         return 0;
 253
 254     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
 255         TEST_error("IV generation failed");
 256         return 0;
 257     }
 258
 259     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
 260         return 0;
 261
 262     return 1;
 263 }
 264
 265 static int test_handshake_secrets(void)
 266 {
 267     SSL_CTX *ctx = NULL;
 268     SSL *s = NULL;
 269     int ret = 0;
 270     size_t hashsize;
 271     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
 272     size_t master_secret_length;
 273
 274     ctx = SSL_CTX_new(TLS_method());
 275     if (!TEST_ptr(ctx))
 276         goto err;
 277
 278     s = SSL_new(ctx);
 279     if (!TEST_ptr(s ))
 280         goto err;
 281
 282     s->session = SSL_SESSION_new();
 283     if (!TEST_ptr(s->session))
 284         goto err;
 285
 286     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
 287                                          (unsigned char *)&s->early_secret))) {
 288         TEST_info("Early secret generation failed");
 289         goto err;
 290     }
 291
 292     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
 293                      early_secret, sizeof(early_secret))) {
 294         TEST_info("Early secret does not match");
 295         goto err;
 296     }
 297
 298     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
 299                                                    sizeof(ecdhe_secret)))) {
 300         TEST_info("Handshake secret generation failed");
 301         goto err;
 302     }
 303
 304     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
 305                      handshake_secret, sizeof(handshake_secret)))
 306         goto err;
 307
 308     hashsize = EVP_MD_size(ssl_handshake_md(s));
 309     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
 310         goto err;
 311     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
 312         goto err;
 313     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
 314         goto err;
 315
 316     if (!TEST_true(test_secret(s, s->handshake_secret,
 317                                (unsigned char *)client_hts_label,
 318                                strlen(client_hts_label), client_hts,
 319                                client_hts_key, client_hts_iv))) {
 320         TEST_info("Client handshake secret test failed");
 321         goto err;
 322     }
 323
 324     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
 325         goto err;
 326     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
 327         goto err;
 328     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
 329         goto err;
 330
 331     if (!TEST_true(test_secret(s, s->handshake_secret,
 332                                (unsigned char *)server_hts_label,
 333                                strlen(server_hts_label), server_hts,
 334                                server_hts_key, server_hts_iv))) {
 335         TEST_info("Server handshake secret test failed");
 336         goto err;
 337     }
 338
 339     /*
 340      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
 341      * hash.
 342      */
 343     full_hash = 1;
 344
 345     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
 346                                                 s->handshake_secret, hashsize,
 347                                                 &master_secret_length))) {
 348         TEST_info("Master secret generation failed");
 349         goto err;
 350     }
 351
 352     if (!TEST_mem_eq(out_master_secret, master_secret_length,
 353                      master_secret, sizeof(master_secret))) {
 354         TEST_info("Master secret does not match");
 355         goto err;
 356     }
 357
 358     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
 359         goto err;
 360     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
 361         goto err;
 362     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
 363         goto err;
 364
 365     if (!TEST_true(test_secret(s, out_master_secret,
 366                                (unsigned char *)client_ats_label,
 367                                strlen(client_ats_label), client_ats,
 368                                client_ats_key, client_ats_iv))) {
 369         TEST_info("Client application data secret test failed");
 370         goto err;
 371     }
 372
 373     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
 374         goto err;
 375     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
 376         goto err;
 377     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
 378         goto err;
 379
 380     if (!TEST_true(test_secret(s, out_master_secret,
 381                                (unsigned char *)server_ats_label,
 382                                strlen(server_ats_label), server_ats,
 383                                server_ats_key, server_ats_iv))) {
 384         TEST_info("Server application data secret test failed");
 385         goto err;
 386     }
 387
 388     ret = 1;
 389  err:
 390     SSL_free(s);
 391     SSL_CTX_free(ctx);
 392     return ret;
 393 }
 394
 395 int setup_tests(void)
 396 {
 397     ADD_TEST(test_handshake_secrets);
 398     return 1;
 399 }