1 /* $OpenBSD: key_schedule.c,v 1.9 2019/11/18 02:09:58 beck Exp $ */ 2 /* 3 * Copyright (c) 2018-2019 Bob Beck <beck@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <err.h> 19 20 #include "ssl_locl.h" 21 22 #include "bytestring.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_internal.h" 25 26 static int failures = 0; 27 28 static void 29 hexdump(const unsigned char *buf, size_t len) 30 { 31 size_t i; 32 33 for (i = 1; i <= len; i++) 34 fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n"); 35 36 fprintf(stderr, "\n"); 37 } 38 39 static void 40 compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect, 41 size_t expect_len) 42 { 43 fprintf(stderr, "received:\n"); 44 hexdump(recv, recv_len); 45 46 fprintf(stderr, "test data:\n"); 47 hexdump(expect, expect_len); 48 } 49 50 #define FAIL(msg, ...) \ 51 do { \ 52 fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \ 53 fprintf(stderr, msg, ##__VA_ARGS__); \ 54 failures++; \ 55 } while(0) 56 57 /* Hashes and secrets from test vector */ 58 59 uint8_t chello[] = { 60 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 61 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 62 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 63 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 64 }; 65 const struct tls13_secret chello_hash = { 66 .data = chello, 67 .len = 32, 68 }; 69 70 uint8_t cshello [] = { 71 0x86, 0x0c, 0x06, 0xed, 0xc0, 0x78, 0x58, 0xee, 72 0x8e, 0x78, 0xf0, 0xe7, 0x42, 0x8c, 0x58, 0xed, 73 0xd6, 0xb4, 0x3f, 0x2c, 0xa3, 0xe6, 0xe9, 0x5f, 74 0x02, 0xed, 0x06, 0x3c, 0xf0, 0xe1, 0xca, 0xd8 75 }; 76 77 const struct tls13_secret cshello_hash = { 78 .data = cshello, 79 .len = 32, 80 }; 81 82 const uint8_t ecdhe [] = { 83 0x8b, 0xd4, 0x05, 0x4f, 0xb5, 0x5b, 0x9d, 0x63, 84 0xfd, 0xfb, 0xac, 0xf9, 0xf0, 0x4b, 0x9f, 0x0d, 85 0x35, 0xe6, 0xd6, 0x3f, 0x53, 0x75, 0x63, 0xef, 86 0xd4, 0x62, 0x72, 0x90, 0x0f, 0x89, 0x49, 0x2d 87 }; 88 89 uint8_t csfhello [] = { 90 0x96, 0x08, 0x10, 0x2a, 0x0f, 0x1c, 0xcc, 0x6d, 91 0xb6, 0x25, 0x0b, 0x7b, 0x7e, 0x41, 0x7b, 0x1a, 92 0x00, 0x0e, 0xaa, 0xda, 0x3d, 0xaa, 0xe4, 0x77, 93 0x7a, 0x76, 0x86, 0xc9, 0xff, 0x83, 0xdf, 0x13 94 }; 95 96 const struct tls13_secret csfhello_hash = { 97 .data = csfhello, 98 .len = 32, 99 }; 100 101 102 /* Expected Values */ 103 104 uint8_t expected_extracted_early[] = { 105 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 106 0x09, 0xe6, 0xcd, 0x98, 0x93, 0x68, 0x0c, 0xe2, 107 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 108 0xe1, 0xb2, 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a 109 }; 110 uint8_t expected_derived_early[] = { 111 0x6f, 0x26, 0x15, 0xa1, 0x08, 0xc7, 0x02, 0xc5, 112 0x67, 0x8f, 0x54, 0xfc, 0x9d, 0xba, 0xb6, 0x97, 113 0x16, 0xc0, 0x76, 0x18, 0x9c, 0x48, 0x25, 0x0c, 114 0xeb, 0xea, 0xc3, 0x57, 0x6c, 0x36, 0x11, 0xba 115 }; 116 uint8_t expected_extracted_handshake[] = { 117 0x1d, 0xc8, 0x26, 0xe9, 0x36, 0x06, 0xaa, 0x6f, 118 0xdc, 0x0a, 0xad, 0xc1, 0x2f, 0x74, 0x1b, 0x01, 119 0x04, 0x6a, 0xa6, 0xb9, 0x9f, 0x69, 0x1e, 0xd2, 120 0x21, 0xa9, 0xf0, 0xca, 0x04, 0x3f, 0xbe, 0xac 121 }; 122 uint8_t expected_client_handshake_traffic[] = { 123 0xb3, 0xed, 0xdb, 0x12, 0x6e, 0x06, 0x7f, 0x35, 124 0xa7, 0x80, 0xb3, 0xab, 0xf4, 0x5e, 0x2d, 0x8f, 125 0x3b, 0x1a, 0x95, 0x07, 0x38, 0xf5, 0x2e, 0x96, 126 0x00, 0x74, 0x6a, 0x0e, 0x27, 0xa5, 0x5a, 0x21 127 }; 128 129 uint8_t expected_server_handshake_traffic[] = { 130 0xb6, 0x7b, 0x7d, 0x69, 0x0c, 0xc1, 0x6c, 0x4e, 131 0x75, 0xe5, 0x42, 0x13, 0xcb, 0x2d, 0x37, 0xb4, 132 0xe9, 0xc9, 0x12, 0xbc, 0xde, 0xd9, 0x10, 0x5d, 133 0x42, 0xbe, 0xfd, 0x59, 0xd3, 0x91, 0xad, 0x38 134 }; 135 136 uint8_t expected_derived_handshake[] = { 137 0x43, 0xde, 0x77, 0xe0, 0xc7, 0x77, 0x13, 0x85, 138 0x9a, 0x94, 0x4d, 0xb9, 0xdb, 0x25, 0x90, 0xb5, 139 0x31, 0x90, 0xa6, 0x5b, 0x3e, 0xe2, 0xe4, 0xf1, 140 0x2d, 0xd7, 0xa0, 0xbb, 0x7c, 0xe2, 0x54, 0xb4 141 }; 142 143 uint8_t expected_extracted_master[] = { 144 0x18, 0xdf, 0x06, 0x84, 0x3d, 0x13, 0xa0, 0x8b, 145 0xf2, 0xa4, 0x49, 0x84, 0x4c, 0x5f, 0x8a, 0x47, 146 0x80, 0x01, 0xbc, 0x4d, 0x4c, 0x62, 0x79, 0x84, 147 0xd5, 0xa4, 0x1d, 0xa8, 0xd0, 0x40, 0x29, 0x19 148 }; 149 150 uint8_t expected_server_application_traffic[] = { 151 0xa1, 0x1a, 0xf9, 0xf0, 0x55, 0x31, 0xf8, 0x56, 152 0xad, 0x47, 0x11, 0x6b, 0x45, 0xa9, 0x50, 0x32, 153 0x82, 0x04, 0xb4, 0xf4, 0x4b, 0xfb, 0x6b, 0x3a, 154 0x4b, 0x4f, 0x1f, 0x3f, 0xcb, 0x63, 0x16, 0x43 155 }; 156 157 uint8_t expected_server_application_traffic_updated[] = { 158 0x51, 0x92, 0x1b, 0x8a, 0xa3, 0x00, 0x19, 0x76, 159 0xeb, 0x40, 0x1d, 0x0a, 0x43, 0x19, 0xa8, 0x51, 160 0x64, 0x16, 0xa6, 0xc5, 0x60, 0x01, 0xa3, 0x57, 161 0xe5, 0xd1, 0x62, 0x03, 0x1e, 0x84, 0xf9, 0x16, 162 }; 163 164 uint8_t expected_client_application_traffic[] = { 165 0x9e, 0x40, 0x64, 0x6c, 0xe7, 0x9a, 0x7f, 0x9d, 166 0xc0, 0x5a, 0xf8, 0x88, 0x9b, 0xce, 0x65, 0x52, 167 0x87, 0x5a, 0xfa, 0x0b, 0x06, 0xdf, 0x00, 0x87, 168 0xf7, 0x92, 0xeb, 0xb7, 0xc1, 0x75, 0x04, 0xa5, 169 }; 170 171 uint8_t expected_client_application_traffic_updated[] = { 172 0xfc, 0xdf, 0xcc, 0x72, 0x72, 0x5a, 0xae, 0xe4, 173 0x8b, 0xf6, 0x4e, 0x4f, 0xd8, 0xb7, 0x49, 0xcd, 174 0xbd, 0xba, 0xb3, 0x9d, 0x90, 0xda, 0x0b, 0x26, 175 0xe2, 0x24, 0x5c, 0xa6, 0xea, 0x16, 0x72, 0x07, 176 }; 177 178 uint8_t expected_exporter_master[] = { 179 0xfe, 0x22, 0xf8, 0x81, 0x17, 0x6e, 0xda, 0x18, 180 0xeb, 0x8f, 0x44, 0x52, 0x9e, 0x67, 0x92, 0xc5, 181 0x0c, 0x9a, 0x3f, 0x89, 0x45, 0x2f, 0x68, 0xd8, 182 0xae, 0x31, 0x1b, 0x43, 0x09, 0xd3, 0xcf, 0x50 183 }; 184 185 int 186 main (int argc, char **argv) 187 { 188 struct tls13_secrets *secrets; 189 190 if ((secrets = tls13_secrets_create(EVP_sha256(), 0)) == NULL) 191 errx(1,"failed to create secrets\n"); 192 193 secrets->insecure = 1; /* don't explicit_bzero when done */ 194 195 if (tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash)) 196 FAIL("derive_handshake_secrets worked when it shouldn't\n"); 197 if (tls13_derive_application_secrets(secrets, 198 &chello_hash)) 199 FAIL("derive_application_secrets worked when it shouldn't\n"); 200 201 if (!tls13_derive_early_secrets(secrets, 202 secrets->zeros.data, secrets->zeros.len, &chello_hash)) 203 FAIL("derive_early_secrets failed\n"); 204 if (tls13_derive_early_secrets(secrets, 205 secrets->zeros.data, secrets->zeros.len, &chello_hash)) 206 FAIL("derive_early_secrets worked when it shouldn't(2)\n"); 207 208 if (!tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash)) 209 FAIL("derive_handshake_secrets failed\n"); 210 if (tls13_derive_handshake_secrets(secrets, ecdhe, 32, &cshello_hash)) 211 FAIL("derive_handshake_secrets worked when it shouldn't(2)\n"); 212 213 /* XXX fix hash here once test vector sorted */ 214 if (!tls13_derive_application_secrets(secrets, &csfhello_hash)) 215 FAIL("derive_application_secrets failed\n"); 216 if (tls13_derive_application_secrets(secrets, &csfhello_hash)) 217 FAIL("derive_application_secrets worked when it " 218 "shouldn't(2)\n"); 219 220 fprintf(stderr, "extracted_early:\n"); 221 compare_data(secrets->extracted_early.data, 32, 222 expected_extracted_early, 32); 223 if (memcmp(secrets->extracted_early.data, 224 expected_extracted_early, 32) != 0) 225 FAIL("extracted_early does not match\n"); 226 227 fprintf(stderr, "derived_early:\n"); 228 compare_data(secrets->derived_early.data, 32, 229 expected_derived_early, 32); 230 if (memcmp(secrets->derived_early.data, 231 expected_derived_early, 32) != 0) 232 FAIL("derived_early does not match\n"); 233 234 fprintf(stderr, "extracted_handshake:\n"); 235 compare_data(secrets->extracted_handshake.data, 32, 236 expected_extracted_handshake, 32); 237 if (memcmp(secrets->extracted_handshake.data, 238 expected_extracted_handshake, 32) != 0) 239 FAIL("extracted_handshake does not match\n"); 240 241 fprintf(stderr, "client_handshake_traffic:\n"); 242 compare_data(secrets->client_handshake_traffic.data, 32, 243 expected_client_handshake_traffic, 32); 244 if (memcmp(secrets->client_handshake_traffic.data, 245 expected_client_handshake_traffic, 32) != 0) 246 FAIL("client_handshake_traffic does not match\n"); 247 248 fprintf(stderr, "server_handshake_traffic:\n"); 249 compare_data(secrets->server_handshake_traffic.data, 32, 250 expected_server_handshake_traffic, 32); 251 if (memcmp(secrets->server_handshake_traffic.data, 252 expected_server_handshake_traffic, 32) != 0) 253 FAIL("server_handshake_traffic does not match\n"); 254 255 fprintf(stderr, "derived_early:\n"); 256 compare_data(secrets->derived_early.data, 32, 257 expected_derived_early, 32); 258 if (memcmp(secrets->derived_early.data, 259 expected_derived_early, 32) != 0) 260 FAIL("derived_early does not match\n"); 261 262 fprintf(stderr, "derived_handshake:\n"); 263 compare_data(secrets->derived_handshake.data, 32, 264 expected_derived_handshake, 32); 265 if (memcmp(secrets->derived_handshake.data, 266 expected_derived_handshake, 32) != 0) 267 FAIL("derived_handshake does not match\n"); 268 269 fprintf(stderr, "extracted_master:\n"); 270 compare_data(secrets->extracted_master.data, 32, 271 expected_extracted_master, 32); 272 if (memcmp(secrets->extracted_master.data, 273 expected_extracted_master, 32) != 0) 274 FAIL("extracted_master does not match\n"); 275 276 fprintf(stderr, "server_application_traffic:\n"); 277 compare_data(secrets->server_application_traffic.data, 32, 278 expected_server_application_traffic, 32); 279 if (memcmp(secrets->server_application_traffic.data, 280 expected_server_application_traffic, 32) != 0) 281 FAIL("server_application_traffic does not match\n"); 282 283 fprintf(stderr, "client_application_traffic:\n"); 284 compare_data(secrets->client_application_traffic.data, 32, 285 expected_client_application_traffic, 32); 286 if (memcmp(secrets->client_application_traffic.data, 287 expected_client_application_traffic, 32) != 0) 288 FAIL("server_application_traffic does not match\n"); 289 290 fprintf(stderr, "exporter_master:\n"); 291 compare_data(secrets->exporter_master.data, 32, 292 expected_exporter_master, 32); 293 if (memcmp(secrets->exporter_master.data, 294 expected_exporter_master, 32) != 0) 295 FAIL("exporter_master does not match\n"); 296 297 tls13_update_server_traffic_secret(secrets); 298 fprintf(stderr, "server_application_traffic after update:\n"); 299 compare_data(secrets->server_application_traffic.data, 32, 300 expected_server_application_traffic_updated, 32); 301 if (memcmp(secrets->server_application_traffic.data, 302 expected_server_application_traffic_updated, 32) != 0) 303 FAIL("server_application_traffic does not match after update\n"); 304 305 306 tls13_update_client_traffic_secret(secrets); 307 fprintf(stderr, "client_application_traffic after update:\n"); 308 compare_data(secrets->client_application_traffic.data, 32, 309 expected_client_application_traffic_updated, 32); 310 if (memcmp(secrets->client_application_traffic.data, 311 expected_client_application_traffic_updated, 32) != 0) 312 FAIL("client_application_traffic does not match after update\n"); 313 314 tls13_secrets_destroy(secrets); 315 316 return failures; 317 } 318