projects / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Implement KTLS in the new read record layer code
[openssl.git] / test / tls13secretstest.c
1 /*
2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #include "../ssl/ssl_local.h"
14 #include "testutil.h"
15
16 #define IVLEN   12
17 #define KEYLEN  16
18
19 /*
20  * Based on the test vectors available in:
21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
22  */
23
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
28 };
29
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
34 };
35
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
40 };
41
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
46 };
47
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
52 };
53
54 static const char *client_hts_label = "c hs traffic";
55
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
60 };
61
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
64 0xad, 0x26, 0x49
65 };
66
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
69 };
70
71 static const char *server_hts_label = "s hs traffic";
72
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
77 };
78
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
81 0x11, 0xac, 0x8b
82 };
83
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
86 };
87
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
92 };
93
94 static const char *client_ats_label = "c ap traffic";
95
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
100 };
101
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
104 0xce, 0x5c, 0x87
105 };
106
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
109 };
110
111 static const char *server_ats_label = "s ap traffic";
112
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
117 };
118
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
121 0x4b, 0x9b, 0x7d
122 };
123
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
126 };
127
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
130 {
131     return 1;
132 }
133
134 static int full_hash = 0;
135
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
138                        size_t *hashlen)
139 {
140     if (sizeof(hs_start_hash) > outlen
141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
142         return 0;
143
144     if (full_hash) {
145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146         *hashlen = sizeof(hs_full_hash);
147     } else {
148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149         *hashlen = sizeof(hs_start_hash);
150     }
151
152     return 1;
153 }
154
155 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
156 {
157     return EVP_sha256();
158 }
159
160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
161 {
162 }
163
164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
165 {
166 }
167
168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
169                                      const EVP_CIPHER **enc)
170 {
171     return 0;
172 }
173
174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
175                        const EVP_CIPHER **enc, const EVP_MD **md,
176                        int *mac_pkey_type, size_t *mac_secret_size,
177                        SSL_COMP **comp, int use_etm)
178
179 {
180     return 0;
181 }
182
183 int tls1_alert_code(int code)
184 {
185     return code;
186 }
187
188 int ssl_log_secret(SSL_CONNECTION *sc,
189                    const char *label,
190                    const uint8_t *secret,
191                    size_t secret_len)
192 {
193     return 1;
194 }
195
196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
197 {
198     return EVP_sha256();
199 }
200
201 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
202 {
203 }
204
205 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
206                        const char *fmt, ...)
207 {
208 }
209
210 int ossl_statem_export_allowed(SSL_CONNECTION *s)
211 {
212     return 1;
213 }
214
215 int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
216 {
217     return 1;
218 }
219
220 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
221 {
222 }
223
224 void ssl_evp_md_free(const EVP_MD *md)
225 {
226 }
227
228 int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
229                              int level, unsigned char *key, size_t keylen,
230                              unsigned char *iv,  size_t ivlen,
231                              unsigned char *mackey, size_t mackeylen,
232                              const EVP_CIPHER *ciph, size_t taglen,
233                              int mactype, const EVP_MD *md,
234                              const SSL_COMP *comp)
235 {
236     return 0;
237 }
238
239 /* End of mocked out code */
240
241 static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
242                        const unsigned char *label, size_t labellen,
243                        const unsigned char *ref_secret,
244                        const unsigned char *ref_key, const unsigned char *ref_iv)
245 {
246     size_t hashsize;
247     unsigned char gensecret[EVP_MAX_MD_SIZE];
248     unsigned char hash[EVP_MAX_MD_SIZE];
249     unsigned char key[KEYLEN];
250     unsigned char iv[IVLEN];
251     const EVP_MD *md = ssl_handshake_md(s);
252
253     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
254         TEST_error("Failed to get hash");
255         return 0;
256     }
257
258     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
259                            gensecret, hashsize, 1)) {
260         TEST_error("Secret generation failed");
261         return 0;
262     }
263
264     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
265         return 0;
266
267     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
268         TEST_error("Key generation failed");
269         return 0;
270     }
271
272     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
273         return 0;
274
275     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
276         TEST_error("IV generation failed");
277         return 0;
278     }
279
280     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
281         return 0;
282
283     return 1;
284 }
285
286 static int test_handshake_secrets(void)
287 {
288     SSL_CTX *ctx = NULL;
289     SSL *ssl = NULL;
290     SSL_CONNECTION *s;
291     int ret = 0;
292     size_t hashsize;
293     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
294     size_t master_secret_length;
295
296     ctx = SSL_CTX_new(TLS_method());
297     if (!TEST_ptr(ctx))
298         goto err;
299
300     ssl = SSL_new(ctx);
301     if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
302         goto err;
303
304     s->session = SSL_SESSION_new();
305     if (!TEST_ptr(s->session))
306         goto err;
307
308     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
309                                          (unsigned char *)&s->early_secret))) {
310         TEST_info("Early secret generation failed");
311         goto err;
312     }
313
314     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
315                      early_secret, sizeof(early_secret))) {
316         TEST_info("Early secret does not match");
317         goto err;
318     }
319
320     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
321                                                    sizeof(ecdhe_secret)))) {
322         TEST_info("Handshake secret generation failed");
323         goto err;
324     }
325
326     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
327                      handshake_secret, sizeof(handshake_secret)))
328         goto err;
329
330     hashsize = EVP_MD_get_size(ssl_handshake_md(s));
331     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
332         goto err;
333     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
334         goto err;
335     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
336         goto err;
337
338     if (!TEST_true(test_secret(s, s->handshake_secret,
339                                (unsigned char *)client_hts_label,
340                                strlen(client_hts_label), client_hts,
341                                client_hts_key, client_hts_iv))) {
342         TEST_info("Client handshake secret test failed");
343         goto err;
344     }
345
346     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
347         goto err;
348     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
349         goto err;
350     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
351         goto err;
352
353     if (!TEST_true(test_secret(s, s->handshake_secret,
354                                (unsigned char *)server_hts_label,
355                                strlen(server_hts_label), server_hts,
356                                server_hts_key, server_hts_iv))) {
357         TEST_info("Server handshake secret test failed");
358         goto err;
359     }
360
361     /*
362      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
363      * hash.
364      */
365     full_hash = 1;
366
367     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
368                                                 s->handshake_secret, hashsize,
369                                                 &master_secret_length))) {
370         TEST_info("Master secret generation failed");
371         goto err;
372     }
373
374     if (!TEST_mem_eq(out_master_secret, master_secret_length,
375                      master_secret, sizeof(master_secret))) {
376         TEST_info("Master secret does not match");
377         goto err;
378     }
379
380     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
381         goto err;
382     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
383         goto err;
384     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
385         goto err;
386
387     if (!TEST_true(test_secret(s, out_master_secret,
388                                (unsigned char *)client_ats_label,
389                                strlen(client_ats_label), client_ats,
390                                client_ats_key, client_ats_iv))) {
391         TEST_info("Client application data secret test failed");
392         goto err;
393     }
394
395     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
396         goto err;
397     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
398         goto err;
399     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
400         goto err;
401
402     if (!TEST_true(test_secret(s, out_master_secret,
403                                (unsigned char *)server_ats_label,
404                                strlen(server_ats_label), server_ats,
405                                server_ats_key, server_ats_iv))) {
406         TEST_info("Server application data secret test failed");
407         goto err;
408     }
409
410     ret = 1;
411  err:
412     SSL_free(ssl);
413     SSL_CTX_free(ctx);
414     return ret;
415 }
416
417 int setup_tests(void)
418 {
419     ADD_TEST(test_handshake_secrets);
420     return 1;
421 }
Unnamed repository; edit this file 'description' to name the repository.