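/*
 * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/ssl.h>
#include <openssl/evp.h>

#ifdef __VMS
# pragma names save
# pragma names as_is,shortened
#endif

#include "../ssl/ssl_local.h"

#ifdef __VMS
# pragma names restore
#endif

#include "testutil.h"

/* Sizes, in bytes, of the traffic IV and key that the vectors below cover. */
#define IVLEN   12
#define KEYLEN  16

/*
 * Based on the test vectors available in:
 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
 *
 * Every array below is a reference value taken from that draft. The test
 * derives each secret, key and IV itself and compares the result with these
 * bytes.
 */

/* Handshake hash handed out by the mock while full_hash is 0. */
static unsigned char hs_start_hash[] = {
    0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
    0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
    0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
};

/* Handshake hash handed out by the mock once full_hash is non-zero. */
static unsigned char hs_full_hash[] = {
    0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
    0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
    0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
};

static unsigned char early_secret[] = {
    0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
    0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
    0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
};

static unsigned char ecdhe_secret[] = {
    0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
    0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
    0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
};

static unsigned char handshake_secret[] = {
    0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
    0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
    0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
};

static const char *client_hts_label = "c hs traffic";

static unsigned char client_hts[] = {
    0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
    0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
    0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
};

static unsigned char client_hts_key[] = {
    0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
    0xad, 0x26, 0x49
};

static unsigned char client_hts_iv[] = {
    0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
};

static const char *server_hts_label = "s hs traffic";

static unsigned char server_hts[] = {
    0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
    0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
    0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
};

static unsigned char server_hts_key[] = {
    0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
    0x11, 0xac, 0x8b
};

static unsigned char server_hts_iv[] = {
    0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
};

static unsigned char master_secret[] = {
    0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
    0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
    0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
};

static const char *client_ats_label = "c ap traffic";

static unsigned char client_ats[] = {
    0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
    0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
    0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
};

static unsigned char client_ats_key[] = {
    0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
    0xce, 0x5c, 0x87
};

static unsigned char client_ats_iv[] = {
    0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
};

static const char *server_ats_label = "s ap traffic";

static unsigned char server_ats[] = {
    0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
    0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
    0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
};

static unsigned char server_ats_key[] = {
    0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
    0x4b, 0x9b, 0x7d
};

static unsigned char server_ats_iv[] = {
    0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
};

/*
 * Mocked out implementations of various functions.
 *
 * The mocks pin the digest to SHA-256 and the handshake hash to the two
 * reference hashes above, so this file only checks the key schedule for
 * those fixed inputs.
 */

/* Mock: reports success without touching the SSL object. */
int ssl3_digest_cached_records(SSL *s, int keep)
{
    return 1;
}

/* Selects which reference hash ssl_handshake_hash() hands out. */
static int full_hash = 0;

/*
 * Give a hash of the currently set handshake.
 *
 * Copies hs_full_hash (full_hash != 0) or hs_start_hash (full_hash == 0)
 * into |out| and stores its length in |*hashlen|. Returns 0 without writing
 * anything when |outlen| is too small for the reference hash, 1 otherwise.
 */
int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                       size_t *hashlen)
{
    /* Both reference hashes must be the same size and must fit in |out|. */
    if (sizeof(hs_start_hash) > outlen
            || sizeof(hs_full_hash) != sizeof(hs_start_hash))
        return 0;

    if (full_hash) {
        memcpy(out, hs_full_hash, sizeof(hs_full_hash));
        *hashlen = sizeof(hs_full_hash);
    } else {
        memcpy(out, hs_start_hash, sizeof(hs_start_hash));
        *hashlen = sizeof(hs_start_hash);
    }

    return 1;
}

/* Mock: the handshake digest is always SHA-256. */
const EVP_MD *ssl_handshake_md(SSL *s)
{
    return EVP_sha256();
}

/* Mock: no-op. */
void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
{
}

/* Mock: no-op. */
void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
{
}

/* Mock: returns 0 unconditionally and leaves every output untouched. */
int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                       const EVP_MD **md, int *mac_pkey_type,
                       size_t *mac_secret_size, SSL_COMP **comp, int use_etm)

{
    return 0;
}

/* Mock: returns |code| unchanged. */
int tls1_alert_code(int code)
{
    return code;
}

/*
 * Mock: reports success and records nothing, so the secrets derived in this
 * test are never written to a key log.
 */
int ssl_log_secret(SSL *ssl,
                   const char *label,
                   const uint8_t *secret,
                   size_t secret_len)
{
    return 1;
}

/* Mock: every digest index maps to SHA-256. */
const EVP_MD *ssl_md(int idx)
{
    return EVP_sha256();
}

/*
 * Mock: no-op. A fatal error raised by the code under test is not recorded
 * here; the tests below rely on the callee's return value instead.
 */
void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
                       int line)
{
}

/* Mock: always allows export. */
int ossl_statem_export_allowed(SSL *s)
{
    return 1;
}

/* Mock: always allows early export. */
int ossl_statem_export_early_allowed(SSL *s)
{
    return 1;
}

/* End of mocked out code */

/*
 * Derive a traffic secret from |prk| with |label| and the current mocked
 * handshake hash, then derive its key and IV, comparing each result with
 * the reference values.
 *
 * |ref_secret| is compared over the length of the mocked handshake hash,
 * |ref_key| over KEYLEN bytes and |ref_iv| over IVLEN bytes, so each
 * reference buffer must be at least that large. The caller in this file
 * checks those sizes before calling.
 *
 * Returns 1 if all three values match, 0 on any failure or mismatch.
 */
static int test_secret(SSL *s, unsigned char *prk,
                       const unsigned char *label, size_t labellen,
                       const unsigned char *ref_secret,
                       const unsigned char *ref_key, const unsigned char *ref_iv)
{
    size_t hashsize;
    unsigned char gensecret[EVP_MAX_MD_SIZE];
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned char key[KEYLEN];
    unsigned char iv[IVLEN];
    const EVP_MD *md = ssl_handshake_md(s);

    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
        TEST_error("Failed to get hash");
        return 0;
    }

    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
                           gensecret, hashsize, 1)) {
        TEST_error("Secret generation failed");
        return 0;
    }

    if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
        return 0;

    if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
        TEST_error("Key generation failed");
        return 0;
    }

    if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
        return 0;

    if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
        TEST_error("IV generation failed");
        return 0;
    }

    if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
        return 0;

    return 1;
}

/*
 * Walk the key schedule against the reference vectors: early secret,
 * handshake secret, client/server handshake traffic secrets, master secret,
 * then client/server application traffic secrets.
 *
 * Returns 1 if every derived value matches its reference, 0 otherwise.
 */
static int test_handshake_secrets(void)
{
    SSL_CTX *ctx = NULL;
    SSL *s = NULL;
    int ret = 0;
    size_t hashsize;
    unsigned char out_master_secret[EVP_MAX_MD_SIZE];
    size_t master_secret_length;

    /*
     * full_hash is file-scope state that this test switches to 1 further
     * down. Start from the start-of-handshake hash so that a repeated run in
     * the same process checks the handshake traffic secrets against the
     * right reference hash.
     */
    full_hash = 0;

    ctx = SSL_CTX_new(TLS_method());
    if (!TEST_ptr(ctx))
        goto err;

    s = SSL_new(ctx);
    if (!TEST_ptr(s))
        goto err;

    s->session = SSL_SESSION_new();
    if (!TEST_ptr(s->session))
        goto err;

    if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
                                         (unsigned char *)&s->early_secret))) {
        TEST_info("Early secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
                     early_secret, sizeof(early_secret))) {
        TEST_info("Early secret does not match");
        goto err;
    }

    if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
                                                   sizeof(ecdhe_secret)))) {
        TEST_info("Handshake secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
                     handshake_secret, sizeof(handshake_secret)))
        goto err;

    /*
     * test_secret() compares fixed lengths, so confirm each reference array
     * has exactly the expected size before handing it over.
     */
    hashsize = EVP_MD_size(ssl_handshake_md(s));
    if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
        goto err;

    /* The label parameter is const, so the cast keeps the qualifier. */
    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (const unsigned char *)client_hts_label,
                               strlen(client_hts_label), client_hts,
                               client_hts_key, client_hts_iv))) {
        TEST_info("Client handshake secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, s->handshake_secret,
                               (const unsigned char *)server_hts_label,
                               strlen(server_hts_label), server_hts,
                               server_hts_key, server_hts_iv))) {
        TEST_info("Server handshake secret test failed");
        goto err;
    }

    /*
     * Ensure the mocked out ssl_handshake_hash() returns the full handshake
     * hash.
     */
    full_hash = 1;

    if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
                                                s->handshake_secret, hashsize,
                                                &master_secret_length))) {
        TEST_info("Master secret generation failed");
        goto err;
    }

    if (!TEST_mem_eq(out_master_secret, master_secret_length,
                     master_secret, sizeof(master_secret))) {
        TEST_info("Master secret does not match");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (const unsigned char *)client_ats_label,
                               strlen(client_ats_label), client_ats,
                               client_ats_key, client_ats_iv))) {
        TEST_info("Client application data secret test failed");
        goto err;
    }

    if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
        goto err;
    if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
        goto err;

    if (!TEST_true(test_secret(s, out_master_secret,
                               (const unsigned char *)server_ats_label,
                               strlen(server_ats_label), server_ats,
                               server_ats_key, server_ats_iv))) {
        TEST_info("Server application data secret test failed");
        goto err;
    }

    ret = 1;
 err:
    /* Both calls are made with NULL when an earlier step failed. */
    SSL_free(s);
    SSL_CTX_free(ctx);
    return ret;
}

/* Register the tests in this file with the test framework. */
int setup_tests(void)
{
    ADD_TEST(test_handshake_secrets);
    return 1;
}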