projects / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Copyright year updates
[openssl.git] / test / tls13secretstest.c
1 /*
2  * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #include "../ssl/ssl_local.h"
14 #include "testutil.h"
15
16 #define IVLEN   12
17 #define KEYLEN  16
18
19 /*
20  * Based on the test vectors available in:
21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
22  */
23
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
28 };
29
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
34 };
35
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
40 };
41
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
46 };
47
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
52 };
53
54 static const char *client_hts_label = "c hs traffic";
55
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
60 };
61
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
64 0xad, 0x26, 0x49
65 };
66
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
69 };
70
71 static const char *server_hts_label = "s hs traffic";
72
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
77 };
78
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
81 0x11, 0xac, 0x8b
82 };
83
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
86 };
87
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
92 };
93
94 static const char *client_ats_label = "c ap traffic";
95
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
100 };
101
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
104 0xce, 0x5c, 0x87
105 };
106
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
109 };
110
111 static const char *server_ats_label = "s ap traffic";
112
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
117 };
118
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
121 0x4b, 0x9b, 0x7d
122 };
123
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
126 };
127
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep)
130 {
131     return 1;
132 }
133
134 static int full_hash = 0;
135
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL_CONNECTION *s, unsigned char *out, size_t outlen,
138                        size_t *hashlen)
139 {
140     if (sizeof(hs_start_hash) > outlen
141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
142         return 0;
143
144     if (full_hash) {
145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146         *hashlen = sizeof(hs_full_hash);
147     } else {
148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149         *hashlen = sizeof(hs_start_hash);
150     }
151
152     return 1;
153 }
154
155 const EVP_MD *ssl_handshake_md(SSL_CONNECTION *s)
156 {
157     return EVP_sha256();
158 }
159
160 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
161                                      const EVP_CIPHER **enc)
162 {
163     return 0;
164 }
165
166 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
167                        const EVP_CIPHER **enc, const EVP_MD **md,
168                        int *mac_pkey_type, size_t *mac_secret_size,
169                        SSL_COMP **comp, int use_etm)
170
171 {
172     return 0;
173 }
174
175 int tls1_alert_code(int code)
176 {
177     return code;
178 }
179
180 int ssl_log_secret(SSL_CONNECTION *sc,
181                    const char *label,
182                    const uint8_t *secret,
183                    size_t secret_len)
184 {
185     return 1;
186 }
187
188 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
189 {
190     return EVP_sha256();
191 }
192
193 void ossl_statem_send_fatal(SSL_CONNECTION *s, int al)
194 {
195 }
196
197 void ossl_statem_fatal(SSL_CONNECTION *s, int al, int reason,
198                        const char *fmt, ...)
199 {
200 }
201
202 int ossl_statem_export_allowed(SSL_CONNECTION *s)
203 {
204     return 1;
205 }
206
207 int ossl_statem_export_early_allowed(SSL_CONNECTION *s)
208 {
209     return 1;
210 }
211
212 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
213 {
214 }
215
216 void ssl_evp_md_free(const EVP_MD *md)
217 {
218 }
219
220 int ssl_set_new_record_layer(SSL_CONNECTION *s, int version, int direction,
221                              int level, unsigned char *secret, size_t secretlen,
222                              unsigned char *key, size_t keylen,
223                              unsigned char *iv,  size_t ivlen,
224                              unsigned char *mackey, size_t mackeylen,
225                              const EVP_CIPHER *ciph, size_t taglen,
226                              int mactype, const EVP_MD *md,
227                              const SSL_COMP *comp, const EVP_MD *kdfdigest)
228 {
229     return 0;
230 }
231
232 /* End of mocked out code */
233
234 static int test_secret(SSL_CONNECTION *s, unsigned char *prk,
235                        const unsigned char *label, size_t labellen,
236                        const unsigned char *ref_secret,
237                        const unsigned char *ref_key, const unsigned char *ref_iv)
238 {
239     size_t hashsize;
240     unsigned char gensecret[EVP_MAX_MD_SIZE];
241     unsigned char hash[EVP_MAX_MD_SIZE];
242     unsigned char key[KEYLEN];
243     unsigned char iv[IVLEN];
244     const EVP_MD *md = ssl_handshake_md(s);
245
246     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
247         TEST_error("Failed to get hash");
248         return 0;
249     }
250
251     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
252                            gensecret, hashsize, 1)) {
253         TEST_error("Secret generation failed");
254         return 0;
255     }
256
257     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
258         return 0;
259
260     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
261         TEST_error("Key generation failed");
262         return 0;
263     }
264
265     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
266         return 0;
267
268     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
269         TEST_error("IV generation failed");
270         return 0;
271     }
272
273     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
274         return 0;
275
276     return 1;
277 }
278
279 static int test_handshake_secrets(void)
280 {
281     SSL_CTX *ctx = NULL;
282     SSL *ssl = NULL;
283     SSL_CONNECTION *s;
284     int ret = 0;
285     size_t hashsize;
286     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
287     size_t master_secret_length;
288
289     ctx = SSL_CTX_new(TLS_method());
290     if (!TEST_ptr(ctx))
291         goto err;
292
293     ssl = SSL_new(ctx);
294     if (!TEST_ptr(ssl) || !TEST_ptr(s = SSL_CONNECTION_FROM_SSL_ONLY(ssl)))
295         goto err;
296
297     s->session = SSL_SESSION_new();
298     if (!TEST_ptr(s->session))
299         goto err;
300
301     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
302                                          (unsigned char *)&s->early_secret))) {
303         TEST_info("Early secret generation failed");
304         goto err;
305     }
306
307     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
308                      early_secret, sizeof(early_secret))) {
309         TEST_info("Early secret does not match");
310         goto err;
311     }
312
313     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
314                                                    sizeof(ecdhe_secret)))) {
315         TEST_info("Handshake secret generation failed");
316         goto err;
317     }
318
319     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
320                      handshake_secret, sizeof(handshake_secret)))
321         goto err;
322
323     hashsize = EVP_MD_get_size(ssl_handshake_md(s));
324     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
325         goto err;
326     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
327         goto err;
328     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
329         goto err;
330
331     if (!TEST_true(test_secret(s, s->handshake_secret,
332                                (unsigned char *)client_hts_label,
333                                strlen(client_hts_label), client_hts,
334                                client_hts_key, client_hts_iv))) {
335         TEST_info("Client handshake secret test failed");
336         goto err;
337     }
338
339     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
340         goto err;
341     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
342         goto err;
343     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
344         goto err;
345
346     if (!TEST_true(test_secret(s, s->handshake_secret,
347                                (unsigned char *)server_hts_label,
348                                strlen(server_hts_label), server_hts,
349                                server_hts_key, server_hts_iv))) {
350         TEST_info("Server handshake secret test failed");
351         goto err;
352     }
353
354     /*
355      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
356      * hash.
357      */
358     full_hash = 1;
359
360     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
361                                                 s->handshake_secret, hashsize,
362                                                 &master_secret_length))) {
363         TEST_info("Master secret generation failed");
364         goto err;
365     }
366
367     if (!TEST_mem_eq(out_master_secret, master_secret_length,
368                      master_secret, sizeof(master_secret))) {
369         TEST_info("Master secret does not match");
370         goto err;
371     }
372
373     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
374         goto err;
375     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
376         goto err;
377     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
378         goto err;
379
380     if (!TEST_true(test_secret(s, out_master_secret,
381                                (unsigned char *)client_ats_label,
382                                strlen(client_ats_label), client_ats,
383                                client_ats_key, client_ats_iv))) {
384         TEST_info("Client application data secret test failed");
385         goto err;
386     }
387
388     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
389         goto err;
390     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
391         goto err;
392     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
393         goto err;
394
395     if (!TEST_true(test_secret(s, out_master_secret,
396                                (unsigned char *)server_ats_label,
397                                strlen(server_ats_label), server_ats,
398                                server_ats_key, server_ats_iv))) {
399         TEST_info("Server application data secret test failed");
400         goto err;
401     }
402
403     ret = 1;
404  err:
405     SSL_free(ssl);
406     SSL_CTX_free(ctx);
407     return ret;
408 }
409
410 int setup_tests(void)
411 {
412     ADD_TEST(test_handshake_secrets);
413     return 1;
414 }
Unnamed repository; edit this file 'description' to name the repository.