2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
15 # pragma names as_is,shortened
18 #include "../ssl/ssl_locl.h"
21 # pragma names restore
30 * Based on the test vectors availble in:
31 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
34 static unsigned char hs_start_hash[] = {
35 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
36 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
37 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
40 static unsigned char hs_full_hash[] = {
41 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
42 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
43 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
46 static unsigned char early_secret[] = {
47 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
48 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
49 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
52 static unsigned char ecdhe_secret[] = {
53 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
54 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
55 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
58 static unsigned char handshake_secret[] = {
59 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
60 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
61 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
64 static const char *client_hts_label = "c hs traffic";
66 static unsigned char client_hts[] = {
67 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
68 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
69 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
72 static unsigned char client_hts_key[] = {
73 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
77 static unsigned char client_hts_iv[] = {
78 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
81 static const char *server_hts_label = "s hs traffic";
83 static unsigned char server_hts[] = {
84 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
85 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
86 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
89 static unsigned char server_hts_key[] = {
90 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
94 static unsigned char server_hts_iv[] = {
95 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
98 static unsigned char master_secret[] = {
99 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
100 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
101 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
104 static const char *client_ats_label = "c ap traffic";
106 static unsigned char client_ats[] = {
107 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
108 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
109 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
112 static unsigned char client_ats_key[] = {
113 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
117 static unsigned char client_ats_iv[] = {
118 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
121 static const char *server_ats_label = "s ap traffic";
123 static unsigned char server_ats[] = {
124 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
125 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
126 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
129 static unsigned char server_ats_key[] = {
130 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
134 static unsigned char server_ats_iv[] = {
135 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
138 /* Mocked out implementations of various functions */
139 int ssl3_digest_cached_records(SSL *s, int keep)
144 static int full_hash = 0;
146 /* Give a hash of the currently set handshake */
147 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
150 if (sizeof(hs_start_hash) > outlen
151 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
155 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
156 *hashlen = sizeof(hs_full_hash);
158 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
159 *hashlen = sizeof(hs_start_hash);
165 const EVP_MD *ssl_handshake_md(SSL *s)
170 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
174 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
178 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
179 const EVP_MD **md, int *mac_pkey_type,
180 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
186 int tls1_alert_code(int code)
191 int ssl_log_secret(SSL *ssl,
193 const uint8_t *secret,
199 const EVP_MD *ssl_md(int idx)
204 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
209 int ossl_statem_export_allowed(SSL *s)
214 int ossl_statem_export_early_allowed(SSL *s)
219 /* End of mocked out code */
221 static int test_secret(SSL *s, unsigned char *prk,
222 const unsigned char *label, size_t labellen,
223 const unsigned char *ref_secret,
224 const unsigned char *ref_key, const unsigned char *ref_iv)
227 unsigned char gensecret[EVP_MAX_MD_SIZE];
228 unsigned char hash[EVP_MAX_MD_SIZE];
229 unsigned char key[KEYLEN];
230 unsigned char iv[IVLEN];
231 const EVP_MD *md = ssl_handshake_md(s);
233 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
234 TEST_error("Failed to get hash");
238 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
239 gensecret, hashsize)) {
240 TEST_error("Secret generation failed");
244 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
247 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
248 TEST_error("Key generation failed");
252 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
255 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
256 TEST_error("IV generation failed");
260 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
266 static int test_handshake_secrets(void)
272 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
273 size_t master_secret_length;
275 ctx = SSL_CTX_new(TLS_method());
283 s->session = SSL_SESSION_new();
284 if (!TEST_ptr(s->session))
287 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
288 (unsigned char *)&s->early_secret))) {
289 TEST_info("Early secret generation failed");
293 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
294 early_secret, sizeof(early_secret))) {
295 TEST_info("Early secret does not match");
299 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
300 sizeof(ecdhe_secret)))) {
301 TEST_info("Handshake secret generation failed");
305 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
306 handshake_secret, sizeof(handshake_secret)))
309 hashsize = EVP_MD_size(ssl_handshake_md(s));
310 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
312 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
314 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
317 if (!TEST_true(test_secret(s, s->handshake_secret,
318 (unsigned char *)client_hts_label,
319 strlen(client_hts_label), client_hts,
320 client_hts_key, client_hts_iv))) {
321 TEST_info("Client handshake secret test failed");
325 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
327 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
329 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
332 if (!TEST_true(test_secret(s, s->handshake_secret,
333 (unsigned char *)server_hts_label,
334 strlen(server_hts_label), server_hts,
335 server_hts_key, server_hts_iv))) {
336 TEST_info("Server handshake secret test failed");
341 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
346 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
347 s->handshake_secret, hashsize,
348 &master_secret_length))) {
349 TEST_info("Master secret generation failed");
353 if (!TEST_mem_eq(out_master_secret, master_secret_length,
354 master_secret, sizeof(master_secret))) {
355 TEST_info("Master secret does not match");
359 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
361 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
363 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
366 if (!TEST_true(test_secret(s, out_master_secret,
367 (unsigned char *)client_ats_label,
368 strlen(client_ats_label), client_ats,
369 client_ats_key, client_ats_iv))) {
370 TEST_info("Client application data secret test failed");
374 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
376 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
378 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
381 if (!TEST_true(test_secret(s, out_master_secret,
382 (unsigned char *)server_ats_label,
383 strlen(server_ats_label), server_ats,
384 server_ats_key, server_ats_iv))) {
385 TEST_info("Server application data secret test failed");
396 int setup_tests(void)
398 ADD_TEST(test_handshake_secrets);