2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
12 #include "../ssl/ssl_locl.h"
15 #include "test_main.h"
20 /* The following are self-generated test vectors. This gives us very little
21 * confidence that we've got the implementation right, but at least tells us
22 * if we accidentally break something in the future. Until we can get some
23 * other source of test vectors this is all we've got.
24 * TODO(TLS1.3): As and when official vectors become available we should use
26 * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
27 * the time of writing these are not suitable because they are based on
28 * draft -16, which works differently to the draft -19 vectors below.
31 static unsigned char hs_start_hash[] = {
32 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
33 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
34 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
37 static unsigned char hs_full_hash[] = {
38 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
39 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
40 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
43 static unsigned char early_secret[] = {
44 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
45 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
46 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
49 static unsigned char ecdhe_secret[] = {
50 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
51 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
52 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
55 static unsigned char handshake_secret[] = {
56 0xa4, 0xc6, 0x2e, 0x1c, 0x3c, 0xb8, 0x0a, 0xae, 0x34, 0x34, 0x0d, 0xb8, 0xfb,
57 0x0d, 0xd5, 0x0d, 0x2d, 0x2f, 0x08, 0xa4, 0x54, 0x6b, 0xbb, 0x2e, 0x60, 0xc6,
58 0x53, 0xac, 0xb3, 0xca, 0xf2, 0x87
61 static const char *client_hts_label = "client handshake traffic secret";
63 static unsigned char client_hts[] = {
64 0xd7, 0x58, 0x9f, 0x10, 0xa8, 0x30, 0xf3, 0x85, 0x63, 0x6f, 0xd9, 0xb0, 0x61,
65 0xd5, 0x20, 0x19, 0xb1, 0x45, 0x96, 0x82, 0x24, 0x8e, 0x36, 0x45, 0xf7, 0x5a,
66 0xd7, 0x2f, 0x31, 0xec, 0x57, 0xf7
69 static unsigned char client_hts_key[] = {
70 0xcc, 0x8b, 0xda, 0xbf, 0x83, 0x74, 0x2d, 0xf4, 0x53, 0x44, 0xff, 0xbc, 0xa4,
74 static unsigned char client_hts_iv[] = {
75 0xa4, 0x83, 0x46, 0x11, 0xc2, 0x78, 0xea, 0x0f, 0x94, 0x52, 0x1d, 0xca
78 static const char *server_hts_label = "server handshake traffic secret";
80 static unsigned char server_hts[] = {
81 0xba, 0x7c, 0x3b, 0x74, 0x0d, 0x1e, 0x84, 0x82, 0xd6, 0x6f, 0x3e, 0x5e, 0x1d,
82 0x6e, 0x25, 0xdc, 0x87, 0x1f, 0x48, 0x74, 0x2f, 0x65, 0xa4, 0x40, 0x39, 0xda,
83 0xdc, 0x02, 0x2a, 0x16, 0x19, 0x5c
86 static unsigned char server_hts_key[] = {
87 0x7d, 0x22, 0x2a, 0x3f, 0x72, 0x37, 0x92, 0xd9, 0x95, 0x9a, 0xe1, 0x66, 0x32,
91 static unsigned char server_hts_iv[] = {
92 0xa2, 0x73, 0xcd, 0x4e, 0x20, 0xe7, 0xe1, 0xe3, 0xcb, 0x0e, 0x18, 0x9e
95 static unsigned char master_secret[] = {
96 0x9a, 0x2f, 0x36, 0xdc, 0x68, 0xab, 0x8f, 0x07, 0xef, 0x41, 0xea, 0x63, 0x39,
97 0xfc, 0x46, 0x6b, 0x11, 0x24, 0xd6, 0xba, 0x6b, 0x8a, 0x92, 0x74, 0x61, 0xd3,
98 0x64, 0x82, 0xc1, 0xc9, 0xc7, 0x0e
101 static const char *client_ats_label = "client application traffic secret";
103 static unsigned char client_ats[] = {
104 0xc3, 0x60, 0x5f, 0xb3, 0xc4, 0x4b, 0xc2, 0x25, 0xd2, 0xaf, 0x36, 0xad, 0x99,
105 0xa1, 0xcd, 0xcf, 0x71, 0xc4, 0xb9, 0xa2, 0x3d, 0xd2, 0x3e, 0xe6, 0xff, 0xca,
106 0x2c, 0x71, 0x86, 0x3d, 0x1f, 0x85
109 static unsigned char client_ats_key[] = {
110 0x3a, 0x25, 0x23, 0x12, 0xde, 0x0f, 0x53, 0xc7, 0xa0, 0xb2, 0xcf, 0x71, 0xb7,
114 static unsigned char client_ats_iv[] = {
115 0xbd, 0x0d, 0x3c, 0x26, 0x9d, 0x2d, 0xa6, 0x52, 0x1b, 0x8d, 0x45, 0xef
118 static const char *server_ats_label = "server application traffic secret";
120 static unsigned char server_ats[] = {
121 0x27, 0x8d, 0x96, 0x76, 0x95, 0x9e, 0x3e, 0x39, 0xa4, 0xa9, 0xfc, 0x46, 0x9c,
122 0x32, 0x9f, 0xe0, 0x29, 0x50, 0x22, 0x45, 0x39, 0x82, 0xdd, 0x1c, 0xc5, 0xfb,
123 0xa9, 0x0a, 0x68, 0x29, 0x4e, 0x80
126 static unsigned char server_ats_key[] = {
127 0x78, 0xbd, 0xd7, 0xc6, 0xb0, 0xf1, 0x50, 0x5e, 0xae, 0x54, 0xff, 0xa5, 0xf2,
131 static unsigned char server_ats_iv[] = {
132 0xb1, 0x7b, 0x1c, 0xa2, 0xca, 0xbe, 0xe4, 0xac, 0xb5, 0xf3, 0x91, 0x7e
135 /* Mocked out implementations of various functions */
136 int ssl3_digest_cached_records(SSL *s, int keep)
141 static int full_hash = 0;
143 /* Give a hash of the currently set handshake */
144 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
147 if (sizeof(hs_start_hash) > outlen
148 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
152 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
153 *hashlen = sizeof(hs_full_hash);
155 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
156 *hashlen = sizeof(hs_start_hash);
162 const EVP_MD *ssl_handshake_md(SSL *s)
167 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
171 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
175 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
176 const EVP_MD **md, int *mac_pkey_type,
177 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
183 int tls1_alert_code(int code)
188 int ssl_log_secret(SSL *ssl,
190 const uint8_t *secret,
196 const EVP_MD *ssl_md(int idx)
201 /* End of mocked out code */
203 static int test_secret(SSL *s, unsigned char *prk,
204 const unsigned char *label, size_t labellen,
205 const unsigned char *ref_secret,
206 const unsigned char *ref_key, const unsigned char *ref_iv)
209 unsigned char gensecret[EVP_MAX_MD_SIZE];
210 unsigned char hash[EVP_MAX_MD_SIZE];
211 unsigned char key[KEYLEN];
212 unsigned char iv[IVLEN];
213 const EVP_MD *md = ssl_handshake_md(s);
215 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
216 TEST_error("Failed to get hash");
220 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret,
222 TEST_error("Secret generation failed");
226 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
229 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
230 TEST_error("Key generation failed");
234 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
237 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
238 TEST_error("IV generation failed");
242 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
248 static int test_handshake_secrets(void)
254 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
255 size_t master_secret_length;
257 ctx = SSL_CTX_new(TLS_method());
265 s->session = SSL_SESSION_new();
266 if (!TEST_ptr(s->session))
269 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
270 (unsigned char *)&s->early_secret))) {
271 TEST_info("Early secret generation failed");
275 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
276 early_secret, sizeof(early_secret))) {
277 TEST_info("Early secret does not match");
281 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
282 sizeof(ecdhe_secret)))) {
283 TEST_info("Hanshake secret generation failed");
287 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
288 handshake_secret, sizeof(handshake_secret)))
291 hashsize = EVP_MD_size(ssl_handshake_md(s));
292 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
294 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
296 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
299 if (!TEST_true(test_secret(s, s->handshake_secret,
300 (unsigned char *)client_hts_label,
301 strlen(client_hts_label), client_hts,
302 client_hts_key, client_hts_iv))) {
303 TEST_info("Client handshake secret test failed");
307 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
309 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
311 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
314 if (!TEST_true(test_secret(s, s->handshake_secret,
315 (unsigned char *)server_hts_label,
316 strlen(server_hts_label), server_hts,
317 server_hts_key, server_hts_iv))) {
318 TEST_info("Server handshake secret test failed");
323 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
328 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
329 s->handshake_secret, hashsize,
330 &master_secret_length))) {
331 TEST_info("Master secret generation failed");
335 if (!TEST_mem_eq(out_master_secret, master_secret_length,
336 master_secret, sizeof(master_secret))) {
337 TEST_info("Master secret does not match");
341 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
343 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
345 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
348 if (!TEST_true(test_secret(s, out_master_secret,
349 (unsigned char *)client_ats_label,
350 strlen(client_ats_label), client_ats,
351 client_ats_key, client_ats_iv))) {
352 TEST_info("Client application data secret test failed");
356 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
358 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
360 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
363 if (!TEST_true(test_secret(s, out_master_secret,
364 (unsigned char *)server_ats_label,
365 strlen(server_ats_label), server_ats,
366 server_ats_key, server_ats_iv))) {
367 TEST_info("Server application data secret test failed");
378 void register_tests()
380 ADD_TEST(test_handshake_secrets);