xref: /freebsd/crypto/openssl/test/tls13secretstest.c (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1 /*
2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12 
13 #include "../ssl/ssl_local.h"
14 #include "testutil.h"
15 
16 #define IVLEN   12
17 #define KEYLEN  16
18 
19 /*
20  * Based on the test vectors available in:
21  * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
22  */
23 
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
28 };
29 
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
34 };
35 
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
40 };
41 
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
46 };
47 
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
52 };
53 
54 static const char *client_hts_label = "c hs traffic";
55 
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
60 };
61 
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
64 0xad, 0x26, 0x49
65 };
66 
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
69 };
70 
71 static const char *server_hts_label = "s hs traffic";
72 
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
77 };
78 
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
81 0x11, 0xac, 0x8b
82 };
83 
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
86 };
87 
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
92 };
93 
94 static const char *client_ats_label = "c ap traffic";
95 
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
100 };
101 
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
104 0xce, 0x5c, 0x87
105 };
106 
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
109 };
110 
111 static const char *server_ats_label = "s ap traffic";
112 
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
117 };
118 
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
121 0x4b, 0x9b, 0x7d
122 };
123 
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
126 };
127 
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL *s, int keep)
130 {
131     return 1;
132 }
133 
134 static int full_hash = 0;
135 
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
138                        size_t *hashlen)
139 {
140     if (sizeof(hs_start_hash) > outlen
141             || sizeof(hs_full_hash) != sizeof(hs_start_hash))
142         return 0;
143 
144     if (full_hash) {
145         memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146         *hashlen = sizeof(hs_full_hash);
147     } else {
148         memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149         *hashlen = sizeof(hs_start_hash);
150     }
151 
152     return 1;
153 }
154 
155 const EVP_MD *ssl_handshake_md(SSL *s)
156 {
157     return EVP_sha256();
158 }
159 
160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
161 {
162 }
163 
164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
165 {
166 }
167 
168 int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
169                                      const EVP_CIPHER **enc)
170 {
171     return 0;
172 }
173 
174 int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
175                        const EVP_CIPHER **enc, const EVP_MD **md,
176                        int *mac_pkey_type, size_t *mac_secret_size,
177                        SSL_COMP **comp, int use_etm)
178 
179 {
180     return 0;
181 }
182 
183 int tls1_alert_code(int code)
184 {
185     return code;
186 }
187 
188 int ssl_log_secret(SSL *ssl,
189                    const char *label,
190                    const uint8_t *secret,
191                    size_t secret_len)
192 {
193     return 1;
194 }
195 
196 const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
197 {
198     return EVP_sha256();
199 }
200 
201 void ossl_statem_send_fatal(SSL *s, int al)
202 {
203 }
204 
205 void ossl_statem_fatal(SSL *s, int al, int reason, const char *fmt, ...)
206 {
207 }
208 
209 int ossl_statem_export_allowed(SSL *s)
210 {
211     return 1;
212 }
213 
214 int ossl_statem_export_early_allowed(SSL *s)
215 {
216     return 1;
217 }
218 
219 void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
220 {
221 }
222 
223 void ssl_evp_md_free(const EVP_MD *md)
224 {
225 }
226 
227 /* End of mocked out code */
228 
229 static int test_secret(SSL *s, unsigned char *prk,
230                        const unsigned char *label, size_t labellen,
231                        const unsigned char *ref_secret,
232                        const unsigned char *ref_key, const unsigned char *ref_iv)
233 {
234     size_t hashsize;
235     unsigned char gensecret[EVP_MAX_MD_SIZE];
236     unsigned char hash[EVP_MAX_MD_SIZE];
237     unsigned char key[KEYLEN];
238     unsigned char iv[IVLEN];
239     const EVP_MD *md = ssl_handshake_md(s);
240 
241     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
242         TEST_error("Failed to get hash");
243         return 0;
244     }
245 
246     if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
247                            gensecret, hashsize, 1)) {
248         TEST_error("Secret generation failed");
249         return 0;
250     }
251 
252     if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
253         return 0;
254 
255     if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
256         TEST_error("Key generation failed");
257         return 0;
258     }
259 
260     if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
261         return 0;
262 
263     if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
264         TEST_error("IV generation failed");
265         return 0;
266     }
267 
268     if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
269         return 0;
270 
271     return 1;
272 }
273 
274 static int test_handshake_secrets(void)
275 {
276     SSL_CTX *ctx = NULL;
277     SSL *s = NULL;
278     int ret = 0;
279     size_t hashsize;
280     unsigned char out_master_secret[EVP_MAX_MD_SIZE];
281     size_t master_secret_length;
282 
283     ctx = SSL_CTX_new(TLS_method());
284     if (!TEST_ptr(ctx))
285         goto err;
286 
287     s = SSL_new(ctx);
288     if (!TEST_ptr(s ))
289         goto err;
290 
291     s->session = SSL_SESSION_new();
292     if (!TEST_ptr(s->session))
293         goto err;
294 
295     if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
296                                          (unsigned char *)&s->early_secret))) {
297         TEST_info("Early secret generation failed");
298         goto err;
299     }
300 
301     if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
302                      early_secret, sizeof(early_secret))) {
303         TEST_info("Early secret does not match");
304         goto err;
305     }
306 
307     if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
308                                                    sizeof(ecdhe_secret)))) {
309         TEST_info("Handshake secret generation failed");
310         goto err;
311     }
312 
313     if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
314                      handshake_secret, sizeof(handshake_secret)))
315         goto err;
316 
317     hashsize = EVP_MD_get_size(ssl_handshake_md(s));
318     if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
319         goto err;
320     if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
321         goto err;
322     if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
323         goto err;
324 
325     if (!TEST_true(test_secret(s, s->handshake_secret,
326                                (unsigned char *)client_hts_label,
327                                strlen(client_hts_label), client_hts,
328                                client_hts_key, client_hts_iv))) {
329         TEST_info("Client handshake secret test failed");
330         goto err;
331     }
332 
333     if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
334         goto err;
335     if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
336         goto err;
337     if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
338         goto err;
339 
340     if (!TEST_true(test_secret(s, s->handshake_secret,
341                                (unsigned char *)server_hts_label,
342                                strlen(server_hts_label), server_hts,
343                                server_hts_key, server_hts_iv))) {
344         TEST_info("Server handshake secret test failed");
345         goto err;
346     }
347 
348     /*
349      * Ensure the mocked out ssl_handshake_hash() returns the full handshake
350      * hash.
351      */
352     full_hash = 1;
353 
354     if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
355                                                 s->handshake_secret, hashsize,
356                                                 &master_secret_length))) {
357         TEST_info("Master secret generation failed");
358         goto err;
359     }
360 
361     if (!TEST_mem_eq(out_master_secret, master_secret_length,
362                      master_secret, sizeof(master_secret))) {
363         TEST_info("Master secret does not match");
364         goto err;
365     }
366 
367     if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
368         goto err;
369     if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
370         goto err;
371     if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
372         goto err;
373 
374     if (!TEST_true(test_secret(s, out_master_secret,
375                                (unsigned char *)client_ats_label,
376                                strlen(client_ats_label), client_ats,
377                                client_ats_key, client_ats_iv))) {
378         TEST_info("Client application data secret test failed");
379         goto err;
380     }
381 
382     if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
383         goto err;
384     if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
385         goto err;
386     if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
387         goto err;
388 
389     if (!TEST_true(test_secret(s, out_master_secret,
390                                (unsigned char *)server_ats_label,
391                                strlen(server_ats_label), server_ats,
392                                server_ats_key, server_ats_iv))) {
393         TEST_info("Server application data secret test failed");
394         goto err;
395     }
396 
397     ret = 1;
398  err:
399     SSL_free(s);
400     SSL_CTX_free(ctx);
401     return ret;
402 }
403 
404 int setup_tests(void)
405 {
406     ADD_TEST(test_handshake_secrets);
407     return 1;
408 }
409