1 /*
2 * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12
13 #ifdef __VMS
14 # pragma names save
15 # pragma names as_is,shortened
16 #endif
17
18 #include "../ssl/ssl_local.h"
19
20 #ifdef __VMS
21 # pragma names restore
22 #endif
23
24 #include "testutil.h"
25
26 #define IVLEN 12
27 #define KEYLEN 16
28
29 /*
30 * Based on the test vectors available in:
31 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
32 */
33
34 static unsigned char hs_start_hash[] = {
35 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
36 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
37 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
38 };
39
40 static unsigned char hs_full_hash[] = {
41 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
42 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
43 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
44 };
45
46 static unsigned char early_secret[] = {
47 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
48 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
49 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
50 };
51
52 static unsigned char ecdhe_secret[] = {
53 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
54 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
55 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
56 };
57
58 static unsigned char handshake_secret[] = {
59 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
60 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
61 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
62 };
63
64 static const char *client_hts_label = "c hs traffic";
65
66 static unsigned char client_hts[] = {
67 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
68 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
69 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
70 };
71
72 static unsigned char client_hts_key[] = {
73 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
74 0xad, 0x26, 0x49
75 };
76
77 static unsigned char client_hts_iv[] = {
78 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
79 };
80
81 static const char *server_hts_label = "s hs traffic";
82
83 static unsigned char server_hts[] = {
84 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
85 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
86 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
87 };
88
89 static unsigned char server_hts_key[] = {
90 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
91 0x11, 0xac, 0x8b
92 };
93
94 static unsigned char server_hts_iv[] = {
95 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
96 };
97
98 static unsigned char master_secret[] = {
99 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
100 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
101 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
102 };
103
104 static const char *client_ats_label = "c ap traffic";
105
106 static unsigned char client_ats[] = {
107 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
108 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
109 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
110 };
111
112 static unsigned char client_ats_key[] = {
113 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
114 0xce, 0x5c, 0x87
115 };
116
117 static unsigned char client_ats_iv[] = {
118 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
119 };
120
121 static const char *server_ats_label = "s ap traffic";
122
123 static unsigned char server_ats[] = {
124 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
125 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
126 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
127 };
128
129 static unsigned char server_ats_key[] = {
130 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
131 0x4b, 0x9b, 0x7d
132 };
133
134 static unsigned char server_ats_iv[] = {
135 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
136 };
137
138 /* Mocked out implementations of various functions */
ssl3_digest_cached_records(SSL * s,int keep)139 int ssl3_digest_cached_records(SSL *s, int keep)
140 {
141 return 1;
142 }
143
144 static int full_hash = 0;
145
146 /* Give a hash of the currently set handshake */
ssl_handshake_hash(SSL * s,unsigned char * out,size_t outlen,size_t * hashlen)147 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
148 size_t *hashlen)
149 {
150 if (sizeof(hs_start_hash) > outlen
151 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
152 return 0;
153
154 if (full_hash) {
155 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
156 *hashlen = sizeof(hs_full_hash);
157 } else {
158 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
159 *hashlen = sizeof(hs_start_hash);
160 }
161
162 return 1;
163 }
164
ssl_handshake_md(SSL * s)165 const EVP_MD *ssl_handshake_md(SSL *s)
166 {
167 return EVP_sha256();
168 }
169
RECORD_LAYER_reset_read_sequence(RECORD_LAYER * rl)170 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
171 {
172 }
173
RECORD_LAYER_reset_write_sequence(RECORD_LAYER * rl)174 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
175 {
176 }
177
ssl_cipher_get_evp(const SSL_SESSION * s,const EVP_CIPHER ** enc,const EVP_MD ** md,int * mac_pkey_type,size_t * mac_secret_size,SSL_COMP ** comp,int use_etm)178 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
179 const EVP_MD **md, int *mac_pkey_type,
180 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
181
182 {
183 return 0;
184 }
185
tls1_alert_code(int code)186 int tls1_alert_code(int code)
187 {
188 return code;
189 }
190
ssl_log_secret(SSL * ssl,const char * label,const uint8_t * secret,size_t secret_len)191 int ssl_log_secret(SSL *ssl,
192 const char *label,
193 const uint8_t *secret,
194 size_t secret_len)
195 {
196 return 1;
197 }
198
ssl_md(int idx)199 const EVP_MD *ssl_md(int idx)
200 {
201 return EVP_sha256();
202 }
203
ossl_statem_fatal(SSL * s,int al,int func,int reason,const char * file,int line)204 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
205 int line)
206 {
207 }
208
ossl_statem_export_allowed(SSL * s)209 int ossl_statem_export_allowed(SSL *s)
210 {
211 return 1;
212 }
213
ossl_statem_export_early_allowed(SSL * s)214 int ossl_statem_export_early_allowed(SSL *s)
215 {
216 return 1;
217 }
218
219 /* End of mocked out code */
220
test_secret(SSL * s,unsigned char * prk,const unsigned char * label,size_t labellen,const unsigned char * ref_secret,const unsigned char * ref_key,const unsigned char * ref_iv)221 static int test_secret(SSL *s, unsigned char *prk,
222 const unsigned char *label, size_t labellen,
223 const unsigned char *ref_secret,
224 const unsigned char *ref_key, const unsigned char *ref_iv)
225 {
226 size_t hashsize;
227 unsigned char gensecret[EVP_MAX_MD_SIZE];
228 unsigned char hash[EVP_MAX_MD_SIZE];
229 unsigned char key[KEYLEN];
230 unsigned char iv[IVLEN];
231 const EVP_MD *md = ssl_handshake_md(s);
232
233 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
234 TEST_error("Failed to get hash");
235 return 0;
236 }
237
238 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
239 gensecret, hashsize, 1)) {
240 TEST_error("Secret generation failed");
241 return 0;
242 }
243
244 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
245 return 0;
246
247 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
248 TEST_error("Key generation failed");
249 return 0;
250 }
251
252 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
253 return 0;
254
255 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
256 TEST_error("IV generation failed");
257 return 0;
258 }
259
260 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
261 return 0;
262
263 return 1;
264 }
265
test_handshake_secrets(void)266 static int test_handshake_secrets(void)
267 {
268 SSL_CTX *ctx = NULL;
269 SSL *s = NULL;
270 int ret = 0;
271 size_t hashsize;
272 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
273 size_t master_secret_length;
274
275 ctx = SSL_CTX_new(TLS_method());
276 if (!TEST_ptr(ctx))
277 goto err;
278
279 s = SSL_new(ctx);
280 if (!TEST_ptr(s ))
281 goto err;
282
283 s->session = SSL_SESSION_new();
284 if (!TEST_ptr(s->session))
285 goto err;
286
287 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
288 (unsigned char *)&s->early_secret))) {
289 TEST_info("Early secret generation failed");
290 goto err;
291 }
292
293 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
294 early_secret, sizeof(early_secret))) {
295 TEST_info("Early secret does not match");
296 goto err;
297 }
298
299 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
300 sizeof(ecdhe_secret)))) {
301 TEST_info("Handshake secret generation failed");
302 goto err;
303 }
304
305 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
306 handshake_secret, sizeof(handshake_secret)))
307 goto err;
308
309 hashsize = EVP_MD_size(ssl_handshake_md(s));
310 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
311 goto err;
312 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
313 goto err;
314 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
315 goto err;
316
317 if (!TEST_true(test_secret(s, s->handshake_secret,
318 (unsigned char *)client_hts_label,
319 strlen(client_hts_label), client_hts,
320 client_hts_key, client_hts_iv))) {
321 TEST_info("Client handshake secret test failed");
322 goto err;
323 }
324
325 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
326 goto err;
327 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
328 goto err;
329 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
330 goto err;
331
332 if (!TEST_true(test_secret(s, s->handshake_secret,
333 (unsigned char *)server_hts_label,
334 strlen(server_hts_label), server_hts,
335 server_hts_key, server_hts_iv))) {
336 TEST_info("Server handshake secret test failed");
337 goto err;
338 }
339
340 /*
341 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
342 * hash.
343 */
344 full_hash = 1;
345
346 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
347 s->handshake_secret, hashsize,
348 &master_secret_length))) {
349 TEST_info("Master secret generation failed");
350 goto err;
351 }
352
353 if (!TEST_mem_eq(out_master_secret, master_secret_length,
354 master_secret, sizeof(master_secret))) {
355 TEST_info("Master secret does not match");
356 goto err;
357 }
358
359 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
360 goto err;
361 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
362 goto err;
363 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
364 goto err;
365
366 if (!TEST_true(test_secret(s, out_master_secret,
367 (unsigned char *)client_ats_label,
368 strlen(client_ats_label), client_ats,
369 client_ats_key, client_ats_iv))) {
370 TEST_info("Client application data secret test failed");
371 goto err;
372 }
373
374 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
375 goto err;
376 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
377 goto err;
378 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
379 goto err;
380
381 if (!TEST_true(test_secret(s, out_master_secret,
382 (unsigned char *)server_ats_label,
383 strlen(server_ats_label), server_ats,
384 server_ats_key, server_ats_iv))) {
385 TEST_info("Server application data secret test failed");
386 goto err;
387 }
388
389 ret = 1;
390 err:
391 SSL_free(s);
392 SSL_CTX_free(ctx);
393 return ret;
394 }
395
setup_tests(void)396 int setup_tests(void)
397 {
398 ADD_TEST(test_handshake_secrets);
399 return 1;
400 }
401