2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
13 #include "../ssl/ssl_local.h"
20 * Based on the test vectors available in:
21 * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
24 static unsigned char hs_start_hash[] = {
25 0xc6, 0xc9, 0x18, 0xad, 0x2f, 0x41, 0x99, 0xd5, 0x59, 0x8e, 0xaf, 0x01, 0x16,
26 0xcb, 0x7a, 0x5c, 0x2c, 0x14, 0xcb, 0x54, 0x78, 0x12, 0x18, 0x88, 0x8d, 0xb7,
27 0x03, 0x0d, 0xd5, 0x0d, 0x5e, 0x6d
30 static unsigned char hs_full_hash[] = {
31 0xf8, 0xc1, 0x9e, 0x8c, 0x77, 0xc0, 0x38, 0x79, 0xbb, 0xc8, 0xeb, 0x6d, 0x56,
32 0xe0, 0x0d, 0xd5, 0xd8, 0x6e, 0xf5, 0x59, 0x27, 0xee, 0xfc, 0x08, 0xe1, 0xb0,
33 0x02, 0xb6, 0xec, 0xe0, 0x5d, 0xbf
36 static unsigned char early_secret[] = {
37 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
38 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
39 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
42 static unsigned char ecdhe_secret[] = {
43 0x81, 0x51, 0xd1, 0x46, 0x4c, 0x1b, 0x55, 0x53, 0x36, 0x23, 0xb9, 0xc2, 0x24,
44 0x6a, 0x6a, 0x0e, 0x6e, 0x7e, 0x18, 0x50, 0x63, 0xe1, 0x4a, 0xfd, 0xaf, 0xf0,
45 0xb6, 0xe1, 0xc6, 0x1a, 0x86, 0x42
48 static unsigned char handshake_secret[] = {
49 0x5b, 0x4f, 0x96, 0x5d, 0xf0, 0x3c, 0x68, 0x2c, 0x46, 0xe6, 0xee, 0x86, 0xc3,
50 0x11, 0x63, 0x66, 0x15, 0xa1, 0xd2, 0xbb, 0xb2, 0x43, 0x45, 0xc2, 0x52, 0x05,
51 0x95, 0x3c, 0x87, 0x9e, 0x8d, 0x06
54 static const char *client_hts_label = "c hs traffic";
56 static unsigned char client_hts[] = {
57 0xe2, 0xe2, 0x32, 0x07, 0xbd, 0x93, 0xfb, 0x7f, 0xe4, 0xfc, 0x2e, 0x29, 0x7a,
58 0xfe, 0xab, 0x16, 0x0e, 0x52, 0x2b, 0x5a, 0xb7, 0x5d, 0x64, 0xa8, 0x6e, 0x75,
59 0xbc, 0xac, 0x3f, 0x3e, 0x51, 0x03
62 static unsigned char client_hts_key[] = {
63 0x26, 0x79, 0xa4, 0x3e, 0x1d, 0x76, 0x78, 0x40, 0x34, 0xea, 0x17, 0x97, 0xd5,
67 static unsigned char client_hts_iv[] = {
68 0x54, 0x82, 0x40, 0x52, 0x90, 0xdd, 0x0d, 0x2f, 0x81, 0xc0, 0xd9, 0x42
71 static const char *server_hts_label = "s hs traffic";
73 static unsigned char server_hts[] = {
74 0x3b, 0x7a, 0x83, 0x9c, 0x23, 0x9e, 0xf2, 0xbf, 0x0b, 0x73, 0x05, 0xa0, 0xe0,
75 0xc4, 0xe5, 0xa8, 0xc6, 0xc6, 0x93, 0x30, 0xa7, 0x53, 0xb3, 0x08, 0xf5, 0xe3,
76 0xa8, 0x3a, 0xa2, 0xef, 0x69, 0x79
79 static unsigned char server_hts_key[] = {
80 0xc6, 0x6c, 0xb1, 0xae, 0xc5, 0x19, 0xdf, 0x44, 0xc9, 0x1e, 0x10, 0x99, 0x55,
84 static unsigned char server_hts_iv[] = {
85 0xf7, 0xf6, 0x88, 0x4c, 0x49, 0x81, 0x71, 0x6c, 0x2d, 0x0d, 0x29, 0xa4
88 static unsigned char master_secret[] = {
89 0x5c, 0x79, 0xd1, 0x69, 0x42, 0x4e, 0x26, 0x2b, 0x56, 0x32, 0x03, 0x62, 0x7b,
90 0xe4, 0xeb, 0x51, 0x03, 0x3f, 0x58, 0x8c, 0x43, 0xc9, 0xce, 0x03, 0x73, 0x37,
91 0x2d, 0xbc, 0xbc, 0x01, 0x85, 0xa7
94 static const char *client_ats_label = "c ap traffic";
96 static unsigned char client_ats[] = {
97 0xe2, 0xf0, 0xdb, 0x6a, 0x82, 0xe8, 0x82, 0x80, 0xfc, 0x26, 0xf7, 0x3c, 0x89,
98 0x85, 0x4e, 0xe8, 0x61, 0x5e, 0x25, 0xdf, 0x28, 0xb2, 0x20, 0x79, 0x62, 0xfa,
99 0x78, 0x22, 0x26, 0xb2, 0x36, 0x26
102 static unsigned char client_ats_key[] = {
103 0x88, 0xb9, 0x6a, 0xd6, 0x86, 0xc8, 0x4b, 0xe5, 0x5a, 0xce, 0x18, 0xa5, 0x9c,
107 static unsigned char client_ats_iv[] = {
108 0xb9, 0x9d, 0xc5, 0x8c, 0xd5, 0xff, 0x5a, 0xb0, 0x82, 0xfd, 0xad, 0x19
111 static const char *server_ats_label = "s ap traffic";
113 static unsigned char server_ats[] = {
114 0x5b, 0x73, 0xb1, 0x08, 0xd9, 0xac, 0x1b, 0x9b, 0x0c, 0x82, 0x48, 0xca, 0x39,
115 0x26, 0xec, 0x6e, 0x7b, 0xc4, 0x7e, 0x41, 0x17, 0x06, 0x96, 0x39, 0x87, 0xec,
116 0x11, 0x43, 0x5d, 0x30, 0x57, 0x19
119 static unsigned char server_ats_key[] = {
120 0xa6, 0x88, 0xeb, 0xb5, 0xac, 0x82, 0x6d, 0x6f, 0x42, 0xd4, 0x5c, 0x0c, 0xc4,
124 static unsigned char server_ats_iv[] = {
125 0xc1, 0xca, 0xd4, 0x42, 0x5a, 0x43, 0x8b, 0x5d, 0xe7, 0x14, 0x83, 0x0a
128 /* Mocked out implementations of various functions */
129 int ssl3_digest_cached_records(SSL *s, int keep)
134 static int full_hash = 0;
136 /* Give a hash of the currently set handshake */
137 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
140 if (sizeof(hs_start_hash) > outlen
141 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
145 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
146 *hashlen = sizeof(hs_full_hash);
148 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
149 *hashlen = sizeof(hs_start_hash);
155 const EVP_MD *ssl_handshake_md(SSL *s)
160 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
164 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
168 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
169 const EVP_MD **md, int *mac_pkey_type,
170 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
176 int tls1_alert_code(int code)
181 int ssl_log_secret(SSL *ssl,
183 const uint8_t *secret,
189 const EVP_MD *ssl_md(int idx)
194 void ossl_statem_fatal(SSL *s, int al, int func, int reason, const char *file,
199 int ossl_statem_export_allowed(SSL *s)
204 int ossl_statem_export_early_allowed(SSL *s)
209 /* End of mocked out code */
211 static int test_secret(SSL *s, unsigned char *prk,
212 const unsigned char *label, size_t labellen,
213 const unsigned char *ref_secret,
214 const unsigned char *ref_key, const unsigned char *ref_iv)
217 unsigned char gensecret[EVP_MAX_MD_SIZE];
218 unsigned char hash[EVP_MAX_MD_SIZE];
219 unsigned char key[KEYLEN];
220 unsigned char iv[IVLEN];
221 const EVP_MD *md = ssl_handshake_md(s);
223 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
224 TEST_error("Failed to get hash");
228 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,
229 gensecret, hashsize, 1)) {
230 TEST_error("Secret generation failed");
234 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
237 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
238 TEST_error("Key generation failed");
242 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
245 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
246 TEST_error("IV generation failed");
250 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
256 static int test_handshake_secrets(void)
262 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
263 size_t master_secret_length;
265 ctx = SSL_CTX_new(TLS_method());
273 s->session = SSL_SESSION_new();
274 if (!TEST_ptr(s->session))
277 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
278 (unsigned char *)&s->early_secret))) {
279 TEST_info("Early secret generation failed");
283 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
284 early_secret, sizeof(early_secret))) {
285 TEST_info("Early secret does not match");
289 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
290 sizeof(ecdhe_secret)))) {
291 TEST_info("Handshake secret generation failed");
295 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
296 handshake_secret, sizeof(handshake_secret)))
299 hashsize = EVP_MD_size(ssl_handshake_md(s));
300 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
302 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
304 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
307 if (!TEST_true(test_secret(s, s->handshake_secret,
308 (unsigned char *)client_hts_label,
309 strlen(client_hts_label), client_hts,
310 client_hts_key, client_hts_iv))) {
311 TEST_info("Client handshake secret test failed");
315 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
317 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
319 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
322 if (!TEST_true(test_secret(s, s->handshake_secret,
323 (unsigned char *)server_hts_label,
324 strlen(server_hts_label), server_hts,
325 server_hts_key, server_hts_iv))) {
326 TEST_info("Server handshake secret test failed");
331 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
336 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
337 s->handshake_secret, hashsize,
338 &master_secret_length))) {
339 TEST_info("Master secret generation failed");
343 if (!TEST_mem_eq(out_master_secret, master_secret_length,
344 master_secret, sizeof(master_secret))) {
345 TEST_info("Master secret does not match");
349 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
351 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
353 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
356 if (!TEST_true(test_secret(s, out_master_secret,
357 (unsigned char *)client_ats_label,
358 strlen(client_ats_label), client_ats,
359 client_ats_key, client_ats_iv))) {
360 TEST_info("Client application data secret test failed");
364 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
366 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
368 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
371 if (!TEST_true(test_secret(s, out_master_secret,
372 (unsigned char *)server_ats_label,
373 strlen(server_ats_label), server_ats,
374 server_ats_key, server_ats_iv))) {
375 TEST_info("Server application data secret test failed");
386 int setup_tests(void)
388 ADD_TEST(test_handshake_secrets);