1 /*
2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #include "../ssl/ssl_local.h"
14 #include "testutil.h"
15
16 #define IVLEN 12
17 #define KEYLEN 16
18
19 /*
20 * Based on the test vectors available in:
21 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
22 */
23
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
28 };
29
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
34 };
35
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
40 };
41
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
46 };
47
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
52 };
53
54 static const char *client_hts_label = "c hs traffic";
55
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
60 };
61
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
64 0xad, 0x26, 0x49
65 };
66
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
69 };
70
71 static const char *server_hts_label = "s hs traffic";
72
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
77 };
78
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
81 0x11, 0xac, 0x8b
82 };
83
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
86 };
87
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
92 };
93
94 static const char *client_ats_label = "c ap traffic";
95
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
100 };
101
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
104 0xce, 0x5c, 0x87
105 };
106
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
109 };
110
111 static const char *server_ats_label = "s ap traffic";
112
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
117 };
118
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
121 0x4b, 0x9b, 0x7d
122 };
123
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
126 };
127
128 /* Mocked out implementations of various functions */
ssl3_digest_cached_records(SSL * s,int keep)129 int ssl3_digest_cached_records(SSL *s, int keep)
130 {
131 return 1;
132 }
133
134 static int full_hash = 0;
135
136 /* Give a hash of the currently set handshake */
ssl_handshake_hash(SSL * s,unsigned char * out,size_t outlen,size_t * hashlen)137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
138 size_t *hashlen)
139 {
140 if (sizeof(hs_start_hash) > outlen
141 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
142 return 0;
143
144 if (full_hash) {
145 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146 *hashlen = sizeof(hs_full_hash);
147 } else {
148 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149 *hashlen = sizeof(hs_start_hash);
150 }
151
152 return 1;
153 }
154
ssl_handshake_md(SSL * s)155 const EVP_MD *ssl_handshake_md(SSL *s)
156 {
157 return EVP_sha256();
158 }
159
RECORD_LAYER_reset_read_sequence(RECORD_LAYER * rl)160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
161 {
162 }
163
RECORD_LAYER_reset_write_sequence(RECORD_LAYER * rl)164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
165 {
166 }
167
ssl_cipher_get_evp_cipher(SSL_CTX * ctx,const SSL_CIPHER * sslc,const EVP_CIPHER ** enc)168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
169 const EVP_CIPHER **enc)
170 {
171 return 0;
172 }
173
ssl_cipher_get_evp(SSL_CTX * ctx,const SSL_SESSION * s,const EVP_CIPHER ** enc,const EVP_MD ** md,int * mac_pkey_type,size_t * mac_secret_size,SSL_COMP ** comp,int use_etm)174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
175 const EVP_CIPHER **enc, const EVP_MD **md,
176 int *mac_pkey_type, size_t *mac_secret_size,
177 SSL_COMP **comp, int use_etm)
178
179 {
180 return 0;
181 }
182
tls1_alert_code(int code)183 int tls1_alert_code(int code)
184 {
185 return code;
186 }
187
ssl_log_secret(SSL * ssl,const char * label,const uint8_t * secret,size_t secret_len)188 int ssl_log_secret(SSL *ssl,
189 const char *label,
190 const uint8_t *secret,
191 size_t secret_len)
192 {
193 return 1;
194 }
195
ssl_md(SSL_CTX * ctx,int idx)196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
197 {
198 return EVP_sha256();
199 }
200
ossl_statem_send_fatal(SSL * s,int al)201 void ossl_statem_send_fatal(SSL *s, int al)
202 {
203 }
204
ossl_statem_fatal(SSL * s,int al,int reason,const char * fmt,...)205 void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...)
206 {
207 }
208
ossl_statem_export_allowed(SSL * s)209 int ossl_statem_export_allowed(SSL *s)
210 {
211 return 1;
212 }
213
ossl_statem_export_early_allowed(SSL * s)214 int ossl_statem_export_early_allowed(SSL *s)
215 {
216 return 1;
217 }
218
ssl_evp_cipher_free(const EVP_CIPHER * cipher)219 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
220 {
221 }
222
ssl_evp_md_free(const EVP_MD * md)223 void ssl_evp_md_free(const EVP_MD *md)
224 {
225 }
226
227 /* End of mocked out code */
228
test_secret(SSL * s,unsigned char * prk,const unsigned char * label,size_t labellen,const unsigned char * ref_secret,const unsigned char * ref_key,const unsigned char * ref_iv)229 static int test_secret(SSL *s, unsigned char *prk,
230 const unsigned char *label, size_t labellen,
231 const unsigned char *ref_secret,
232 const unsigned char *ref_key, const unsigned char *ref_iv)
233 {
234 size_t hashsize;
235 unsigned char gensecret[EVP_MAX_MD_SIZE];
236 unsigned char hash[EVP_MAX_MD_SIZE];
237 unsigned char key[KEYLEN];
238 unsigned char iv[IVLEN];
239 const EVP_MD *md = ssl_handshake_md(s);
240
241 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
242 TEST_error("Failed to get hash");
243 return 0;
244 }
245
246 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
247 gensecret, hashsize, 1)) {
248 TEST_error("Secret generation failed");
249 return 0;
250 }
251
252 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
253 return 0;
254
255 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
256 TEST_error("Key generation failed");
257 return 0;
258 }
259
260 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
261 return 0;
262
263 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
264 TEST_error("IV generation failed");
265 return 0;
266 }
267
268 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
269 return 0;
270
271 return 1;
272 }
273
test_handshake_secrets(void)274 static int test_handshake_secrets(void)
275 {
276 SSL_CTX *ctx = NULL;
277 SSL *s = NULL;
278 int ret = 0;
279 size_t hashsize;
280 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
281 size_t master_secret_length;
282
283 ctx = SSL_CTX_new(TLS_method());
284 if (!TEST_ptr(ctx))
285 goto err;
286
287 s = SSL_new(ctx);
288 if (!TEST_ptr(s ))
289 goto err;
290
291 s->session = SSL_SESSION_new();
292 if (!TEST_ptr(s->session))
293 goto err;
294
295 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
296 (unsigned char *)&s->early_secret))) {
297 TEST_info("Early secret generation failed");
298 goto err;
299 }
300
301 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
302 early_secret, sizeof(early_secret))) {
303 TEST_info("Early secret does not match");
304 goto err;
305 }
306
307 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
308 sizeof(ecdhe_secret)))) {
309 TEST_info("Handshake secret generation failed");
310 goto err;
311 }
312
313 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
314 handshake_secret, sizeof(handshake_secret)))
315 goto err;
316
317 hashsize = EVP_MD_get_size(ssl_handshake_md(s));
318 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
319 goto err;
320 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
321 goto err;
322 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
323 goto err;
324
325 if (!TEST_true(test_secret(s, s->handshake_secret,
326 (unsigned char *)client_hts_label,
327 strlen(client_hts_label), client_hts,
328 client_hts_key, client_hts_iv))) {
329 TEST_info("Client handshake secret test failed");
330 goto err;
331 }
332
333 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
334 goto err;
335 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
336 goto err;
337 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
338 goto err;
339
340 if (!TEST_true(test_secret(s, s->handshake_secret,
341 (unsigned char *)server_hts_label,
342 strlen(server_hts_label), server_hts,
343 server_hts_key, server_hts_iv))) {
344 TEST_info("Server handshake secret test failed");
345 goto err;
346 }
347
348 /*
349 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
350 * hash.
351 */
352 full_hash = 1;
353
354 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
355 s->handshake_secret, hashsize,
356 &master_secret_length))) {
357 TEST_info("Master secret generation failed");
358 goto err;
359 }
360
361 if (!TEST_mem_eq(out_master_secret, master_secret_length,
362 master_secret, sizeof(master_secret))) {
363 TEST_info("Master secret does not match");
364 goto err;
365 }
366
367 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
368 goto err;
369 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
370 goto err;
371 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
372 goto err;
373
374 if (!TEST_true(test_secret(s, out_master_secret,
375 (unsigned char *)client_ats_label,
376 strlen(client_ats_label), client_ats,
377 client_ats_key, client_ats_iv))) {
378 TEST_info("Client application data secret test failed");
379 goto err;
380 }
381
382 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
383 goto err;
384 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
385 goto err;
386 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
387 goto err;
388
389 if (!TEST_true(test_secret(s, out_master_secret,
390 (unsigned char *)server_ats_label,
391 strlen(server_ats_label), server_ats,
392 server_ats_key, server_ats_iv))) {
393 TEST_info("Server application data secret test failed");
394 goto err;
395 }
396
397 ret = 1;
398 err:
399 SSL_free(s);
400 SSL_CTX_free(ctx);
401 return ret;
402 }
403
setup_tests(void)404 int setup_tests(void)
405 {
406 ADD_TEST(test_handshake_secrets);
407 return 1;
408 }
409