2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
15 # pragma names as_is,shortened
18 #include "../ssl/ssl_locl.h"
21 # pragma names restore
29 /* The following are self-generated test vectors. This gives us very little
30 * confidence that we've got the implementation right, but at least tells us
31 * if we accidentally break something in the future. Until we can get some
32 * other source of test vectors this is all we've got.
33 * TODO(TLS1.3): As and when official vectors become available we should use
35 * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
36 * the time of writing these are not suitable because they are based on
37 * draft -16, which works differently to the draft -20 vectors below.
40 static unsigned char hs_start_hash[] = {
41 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
42 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
43 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
46 static unsigned char hs_full_hash[] = {
47 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
48 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
49 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
52 static unsigned char early_secret[] = {
53 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
54 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
55 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
58 static unsigned char ecdhe_secret[] = {
59 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
60 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
61 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
64 static unsigned char handshake_secret[] = {
65 0xf5, 0x51, 0xd0, 0xbd, 0x9e, 0x6a, 0xc0, 0x95, 0x5f, 0x8e, 0xae, 0xb6, 0x28,
66 0x2e, 0x8d, 0x9e, 0xf3, 0xd4, 0x08, 0x57, 0x81, 0xbc, 0x9d, 0x80, 0x91, 0x8a,
67 0x81, 0x33, 0x86, 0x58, 0x7f, 0x46
70 static const char *client_hts_label = "c hs traffic";
72 static unsigned char client_hts[] = {
73 0x61, 0x7b, 0x35, 0x07, 0x6b, 0x9d, 0x0e, 0x08, 0xcf, 0x73, 0x1d, 0x94, 0xa8,
74 0x66, 0x14, 0x78, 0x41, 0x09, 0xef, 0x25, 0x55, 0x51, 0x92, 0x1d, 0xd4, 0x6e,
75 0x04, 0x01, 0x35, 0xcf, 0x46, 0xab
78 static unsigned char client_hts_key[] = {
79 0x62, 0xd0, 0xdd, 0x00, 0xf6, 0x96, 0x19, 0xd3, 0xb8, 0x19, 0x3a, 0xb4, 0xa0,
83 static unsigned char client_hts_iv[] = {
84 0xff, 0xf7, 0x5d, 0xf5, 0xad, 0x35, 0xd5, 0xcb, 0x3c, 0x53, 0xf3, 0xa9
87 static const char *server_hts_label = "s hs traffic";
89 static unsigned char server_hts[] = {
90 0xfc, 0xf7, 0xdf, 0xe6, 0x4f, 0xa2, 0xc0, 0x4f, 0x62, 0x35, 0x38, 0x7f, 0x43,
91 0x4e, 0x01, 0x42, 0x23, 0x36, 0xd9, 0xc0, 0x39, 0xde, 0x68, 0x47, 0xa0, 0xb9,
92 0xdd, 0xcf, 0x29, 0xa8, 0x87, 0x59
95 static unsigned char server_hts_key[] = {
96 0x04, 0x67, 0xf3, 0x16, 0xa8, 0x05, 0xb8, 0xc4, 0x97, 0xee, 0x67, 0x04, 0x7b,
100 static unsigned char server_hts_iv[] = {
101 0xde, 0x83, 0xa7, 0x3e, 0x9d, 0x81, 0x4b, 0x04, 0xc4, 0x8b, 0x78, 0x09
104 static unsigned char master_secret[] = {
105 0x34, 0x83, 0x83, 0x84, 0x67, 0x12, 0xe7, 0xff, 0x24, 0xe8, 0x6e, 0x70, 0x56,
106 0x95, 0x16, 0x71, 0x43, 0x7f, 0x19, 0xd7, 0x85, 0x06, 0x9d, 0x75, 0x70, 0x49,
107 0x6e, 0x6c, 0xa4, 0x81, 0xf0, 0xb8
110 static const char *client_ats_label = "c ap traffic";
112 static unsigned char client_ats[] = {
113 0xc1, 0x4a, 0x6d, 0x79, 0x76, 0xd8, 0x10, 0x2b, 0x5a, 0x0c, 0x99, 0x51, 0x49,
114 0x3f, 0xee, 0x87, 0xdc, 0xaf, 0xf8, 0x2c, 0x24, 0xca, 0xb2, 0x14, 0xe8, 0xbe,
115 0x71, 0xa8, 0x20, 0x6d, 0xbd, 0xa5
118 static unsigned char client_ats_key[] = {
119 0xcc, 0x9f, 0x5f, 0x98, 0x0b, 0x5f, 0x10, 0x30, 0x6c, 0xba, 0xd7, 0xbe, 0x98,
123 static unsigned char client_ats_iv[] = {
124 0xb8, 0x09, 0x29, 0xe8, 0xd0, 0x2c, 0x70, 0xf6, 0x11, 0x62, 0xed, 0x6b
127 static const char *server_ats_label = "s ap traffic";
129 static unsigned char server_ats[] = {
130 0x2c, 0x90, 0x77, 0x38, 0xd3, 0xf8, 0x37, 0x02, 0xd1, 0xe4, 0x59, 0x8f, 0x48,
131 0x48, 0x53, 0x1d, 0x9f, 0x93, 0x65, 0x49, 0x1b, 0x9f, 0x7f, 0x52, 0xc8, 0x22,
132 0x29, 0x0d, 0x4c, 0x23, 0x21, 0x92
135 static unsigned char server_ats_key[] = {
136 0x0c, 0xb2, 0x95, 0x62, 0xd8, 0xd8, 0x8f, 0x48, 0xb0, 0x2c, 0xbf, 0xbe, 0xd7,
140 static unsigned char server_ats_iv[] = {
141 0x0d, 0xb2, 0x8f, 0x98, 0x85, 0x86, 0xa1, 0xb7, 0xe4, 0xd5, 0xc6, 0x9c
144 /* Mocked out implementations of various functions */
145 int ssl3_digest_cached_records(SSL *s, int keep)
150 static int full_hash = 0;
152 /* Give a hash of the currently set handshake */
153 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
156 if (sizeof(hs_start_hash) > outlen
157 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
161 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
162 *hashlen = sizeof(hs_full_hash);
164 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
165 *hashlen = sizeof(hs_start_hash);
171 const EVP_MD *ssl_handshake_md(SSL *s)
176 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
180 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
184 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
185 const EVP_MD **md, int *mac_pkey_type,
186 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
192 int tls1_alert_code(int code)
197 int ssl_log_secret(SSL *ssl,
199 const uint8_t *secret,
205 const EVP_MD *ssl_md(int idx)
210 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
215 int ossl_statem_export_allowed(SSL *s)
220 int ossl_statem_export_early_allowed(SSL *s)
225 /* End of mocked out code */
227 static int test_secret(SSL *s, unsigned char *prk,
228 const unsigned char *label, size_t labellen,
229 const unsigned char *ref_secret,
230 const unsigned char *ref_key, const unsigned char *ref_iv)
233 unsigned char gensecret[EVP_MAX_MD_SIZE];
234 unsigned char hash[EVP_MAX_MD_SIZE];
235 unsigned char key[KEYLEN];
236 unsigned char iv[IVLEN];
237 const EVP_MD *md = ssl_handshake_md(s);
239 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
240 TEST_error("Failed to get hash");
244 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
245 gensecret, hashsize)) {
246 TEST_error("Secret generation failed");
250 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
253 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
254 TEST_error("Key generation failed");
258 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
261 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
262 TEST_error("IV generation failed");
266 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
272 static int test_handshake_secrets(void)
278 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
279 size_t master_secret_length;
281 ctx = SSL_CTX_new(TLS_method());
289 s->session = SSL_SESSION_new();
290 if (!TEST_ptr(s->session))
293 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
294 (unsigned char *)&s->early_secret))) {
295 TEST_info("Early secret generation failed");
299 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
300 early_secret, sizeof(early_secret))) {
301 TEST_info("Early secret does not match");
305 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
306 sizeof(ecdhe_secret)))) {
307 TEST_info("Handshake secret generation failed");
311 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
312 handshake_secret, sizeof(handshake_secret)))
315 hashsize = EVP_MD_size(ssl_handshake_md(s));
316 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
318 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
320 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
323 if (!TEST_true(test_secret(s, s->handshake_secret,
324 (unsigned char *)client_hts_label,
325 strlen(client_hts_label), client_hts,
326 client_hts_key, client_hts_iv))) {
327 TEST_info("Client handshake secret test failed");
331 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
333 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
335 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
338 if (!TEST_true(test_secret(s, s->handshake_secret,
339 (unsigned char *)server_hts_label,
340 strlen(server_hts_label), server_hts,
341 server_hts_key, server_hts_iv))) {
342 TEST_info("Server handshake secret test failed");
347 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
352 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
353 s->handshake_secret, hashsize,
354 &master_secret_length))) {
355 TEST_info("Master secret generation failed");
359 if (!TEST_mem_eq(out_master_secret, master_secret_length,
360 master_secret, sizeof(master_secret))) {
361 TEST_info("Master secret does not match");
365 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
367 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
369 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
372 if (!TEST_true(test_secret(s, out_master_secret,
373 (unsigned char *)client_ats_label,
374 strlen(client_ats_label), client_ats,
375 client_ats_key, client_ats_iv))) {
376 TEST_info("Client application data secret test failed");
380 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
382 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
384 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
387 if (!TEST_true(test_secret(s, out_master_secret,
388 (unsigned char *)server_ats_label,
389 strlen(server_ats_label), server_ats,
390 server_ats_key, server_ats_iv))) {
391 TEST_info("Server application data secret test failed");
402 int setup_tests(void)
404 ADD_TEST(test_handshake_secrets);