1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 // cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the
16 // corresponding response.
17 // See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4.
18
19 #include <vector>
20
21 #include <errno.h>
22
23 #include <openssl/digest.h>
24
25 #include "cavp_test_util.h"
26 #include "../crypto/fipsmodule/tls/internal.h"
27 #include "../crypto/test/file_test.h"
28 #include "../crypto/test/test_util.h"
29
30
TestTLSKDF(FileTest * t,void * arg)31 static bool TestTLSKDF(FileTest *t, void *arg) {
32 const EVP_MD *md = nullptr;
33
34 if (t->HasInstruction("TLS 1.0/1.1")) {
35 md = EVP_md5_sha1();
36 } else if (t->HasInstruction("TLS 1.2")) {
37 if (t->HasInstruction("SHA-256")) {
38 md = EVP_sha256();
39 } else if (t->HasInstruction("SHA-384")) {
40 md = EVP_sha384();
41 } else if (t->HasInstruction("SHA-512")) {
42 md = EVP_sha512();
43 }
44 }
45
46 if (md == nullptr) {
47 return false;
48 }
49
50 std::string key_block_len_str;
51 std::vector<uint8_t> premaster, server_random, client_random,
52 key_block_server_random, key_block_client_random;
53 if (!t->GetBytes(&premaster, "pre_master_secret") ||
54 !t->GetBytes(&server_random, "serverHello_random") ||
55 !t->GetBytes(&client_random, "clientHello_random") ||
56 // The NIST tests specify different client and server randoms for the
57 // expansion step from the master-secret step. This is impossible in TLS.
58 !t->GetBytes(&key_block_server_random, "server_random") ||
59 !t->GetBytes(&key_block_client_random, "client_random") ||
60 !t->GetInstruction(&key_block_len_str, "key block length") ||
61 // These are ignored.
62 !t->HasAttribute("COUNT") ||
63 !t->HasInstruction("pre-master secret length")) {
64 return false;
65 }
66
67 uint8_t master_secret[48];
68 static const char kMasterSecretLabel[] = "master secret";
69 if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret),
70 premaster.data(), premaster.size(), kMasterSecretLabel,
71 sizeof(kMasterSecretLabel) - 1, client_random.data(),
72 client_random.size(), server_random.data(),
73 server_random.size())) {
74 return false;
75 }
76
77 errno = 0;
78 const long int key_block_bits =
79 strtol(key_block_len_str.c_str(), nullptr, 10);
80 if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) {
81 return false;
82 }
83 const size_t key_block_len = key_block_bits / 8;
84 std::vector<uint8_t> key_block(key_block_len);
85 static const char kLabel[] = "key expansion";
86 if (!CRYPTO_tls1_prf(
87 md, key_block.data(), key_block.size(), master_secret,
88 sizeof(master_secret), kLabel, sizeof(kLabel) - 1,
89 key_block_server_random.data(), key_block_server_random.size(),
90 key_block_client_random.data(), key_block_client_random.size())) {
91 return false;
92 }
93
94 printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n",
95 t->CurrentTestToString().c_str(), EncodeHex(master_secret).c_str(),
96 EncodeHex(key_block).c_str());
97
98 return true;
99 }
100
cavp_tlskdf_test_main(int argc,char ** argv)101 int cavp_tlskdf_test_main(int argc, char **argv) {
102 if (argc != 2) {
103 fprintf(stderr, "usage: %s <test file>\n", argv[0]);
104 return 1;
105 }
106
107 FileTest::Options opts;
108 opts.path = argv[1];
109 opts.callback = TestTLSKDF;
110 opts.silent = true;
111 opts.comment_callback = EchoComment;
112 return FileTestMain(opts);
113 }
114