2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ssl.h>
11 #include <openssl/evp.h>
15 # pragma names as_is,shortened
18 #include "../ssl/ssl_locl.h"
21 # pragma names restore
25 #include "test_main.h"
30 /* The following are self-generated test vectors. This gives us very little
31 * confidence that we've got the implementation right, but at least tells us
32 * if we accidentally break something in the future. Until we can get some
33 * other source of test vectors this is all we've got.
34 * TODO(TLS1.3): As and when official vectors become available we should use
36 * https://www.ietf.org/id/draft-thomson-tls-tls13-vectors-00.txt, however at
37 * the time of writing these are not suitable because they are based on
38 * draft -16, which works differently to the draft -19 vectors below.
41 static unsigned char hs_start_hash[] = {
42 0xec, 0x14, 0x7a, 0x06, 0xde, 0xa3, 0xc8, 0x84, 0x6c, 0x02, 0xb2, 0x23, 0x8e,
43 0x41, 0xbd, 0xdc, 0x9d, 0x89, 0xf9, 0xae, 0xa1, 0x7b, 0x5e, 0xfd, 0x4d, 0x74,
44 0x82, 0xaf, 0x75, 0x88, 0x1c, 0x0a
47 static unsigned char hs_full_hash[] = {
48 0x75, 0x1a, 0x3d, 0x4a, 0x14, 0xdf, 0xab, 0xeb, 0x68, 0xe9, 0x2c, 0xa5, 0x91,
49 0x8e, 0x24, 0x08, 0xb9, 0xbc, 0xb0, 0x74, 0x89, 0x82, 0xec, 0x9c, 0x32, 0x30,
50 0xac, 0x30, 0xbb, 0xeb, 0x23, 0xe2,
53 static unsigned char early_secret[] = {
54 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b, 0x09, 0xe6, 0xcd, 0x98, 0x93,
55 0x68, 0x0c, 0xe2, 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60, 0xe1, 0xb2,
56 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
59 static unsigned char ecdhe_secret[] = {
60 0xe7, 0xb8, 0xfe, 0xf8, 0x90, 0x3b, 0x52, 0x0c, 0xb9, 0xa1, 0x89, 0x71, 0xb6,
61 0x9d, 0xd4, 0x5d, 0xca, 0x53, 0xce, 0x2f, 0x12, 0xbf, 0x3b, 0xef, 0x93, 0x15,
62 0xe3, 0x12, 0x71, 0xdf, 0x4b, 0x40
65 static unsigned char handshake_secret[] = {
66 0xa4, 0xc6, 0x2e, 0x1c, 0x3c, 0xb8, 0x0a, 0xae, 0x34, 0x34, 0x0d, 0xb8, 0xfb,
67 0x0d, 0xd5, 0x0d, 0x2d, 0x2f, 0x08, 0xa4, 0x54, 0x6b, 0xbb, 0x2e, 0x60, 0xc6,
68 0x53, 0xac, 0xb3, 0xca, 0xf2, 0x87
71 static const char *client_hts_label = "client handshake traffic secret";
73 static unsigned char client_hts[] = {
74 0xd7, 0x58, 0x9f, 0x10, 0xa8, 0x30, 0xf3, 0x85, 0x63, 0x6f, 0xd9, 0xb0, 0x61,
75 0xd5, 0x20, 0x19, 0xb1, 0x45, 0x96, 0x82, 0x24, 0x8e, 0x36, 0x45, 0xf7, 0x5a,
76 0xd7, 0x2f, 0x31, 0xec, 0x57, 0xf7
79 static unsigned char client_hts_key[] = {
80 0xcc, 0x8b, 0xda, 0xbf, 0x83, 0x74, 0x2d, 0xf4, 0x53, 0x44, 0xff, 0xbc, 0xa4,
84 static unsigned char client_hts_iv[] = {
85 0xa4, 0x83, 0x46, 0x11, 0xc2, 0x78, 0xea, 0x0f, 0x94, 0x52, 0x1d, 0xca
88 static const char *server_hts_label = "server handshake traffic secret";
90 static unsigned char server_hts[] = {
91 0xba, 0x7c, 0x3b, 0x74, 0x0d, 0x1e, 0x84, 0x82, 0xd6, 0x6f, 0x3e, 0x5e, 0x1d,
92 0x6e, 0x25, 0xdc, 0x87, 0x1f, 0x48, 0x74, 0x2f, 0x65, 0xa4, 0x40, 0x39, 0xda,
93 0xdc, 0x02, 0x2a, 0x16, 0x19, 0x5c
96 static unsigned char server_hts_key[] = {
97 0x7d, 0x22, 0x2a, 0x3f, 0x72, 0x37, 0x92, 0xd9, 0x95, 0x9a, 0xe1, 0x66, 0x32,
101 static unsigned char server_hts_iv[] = {
102 0xa2, 0x73, 0xcd, 0x4e, 0x20, 0xe7, 0xe1, 0xe3, 0xcb, 0x0e, 0x18, 0x9e
105 static unsigned char master_secret[] = {
106 0x9a, 0x2f, 0x36, 0xdc, 0x68, 0xab, 0x8f, 0x07, 0xef, 0x41, 0xea, 0x63, 0x39,
107 0xfc, 0x46, 0x6b, 0x11, 0x24, 0xd6, 0xba, 0x6b, 0x8a, 0x92, 0x74, 0x61, 0xd3,
108 0x64, 0x82, 0xc1, 0xc9, 0xc7, 0x0e
111 static const char *client_ats_label = "client application traffic secret";
113 static unsigned char client_ats[] = {
114 0xc3, 0x60, 0x5f, 0xb3, 0xc4, 0x4b, 0xc2, 0x25, 0xd2, 0xaf, 0x36, 0xad, 0x99,
115 0xa1, 0xcd, 0xcf, 0x71, 0xc4, 0xb9, 0xa2, 0x3d, 0xd2, 0x3e, 0xe6, 0xff, 0xca,
116 0x2c, 0x71, 0x86, 0x3d, 0x1f, 0x85
119 static unsigned char client_ats_key[] = {
120 0x3a, 0x25, 0x23, 0x12, 0xde, 0x0f, 0x53, 0xc7, 0xa0, 0xb2, 0xcf, 0x71, 0xb7,
124 static unsigned char client_ats_iv[] = {
125 0xbd, 0x0d, 0x3c, 0x26, 0x9d, 0x2d, 0xa6, 0x52, 0x1b, 0x8d, 0x45, 0xef
128 static const char *server_ats_label = "server application traffic secret";
130 static unsigned char server_ats[] = {
131 0x27, 0x8d, 0x96, 0x76, 0x95, 0x9e, 0x3e, 0x39, 0xa4, 0xa9, 0xfc, 0x46, 0x9c,
132 0x32, 0x9f, 0xe0, 0x29, 0x50, 0x22, 0x45, 0x39, 0x82, 0xdd, 0x1c, 0xc5, 0xfb,
133 0xa9, 0x0a, 0x68, 0x29, 0x4e, 0x80
136 static unsigned char server_ats_key[] = {
137 0x78, 0xbd, 0xd7, 0xc6, 0xb0, 0xf1, 0x50, 0x5e, 0xae, 0x54, 0xff, 0xa5, 0xf2,
141 static unsigned char server_ats_iv[] = {
142 0xb1, 0x7b, 0x1c, 0xa2, 0xca, 0xbe, 0xe4, 0xac, 0xb5, 0xf3, 0x91, 0x7e
145 /* Mocked out implementations of various functions */
146 int ssl3_digest_cached_records(SSL *s, int keep)
151 static int full_hash = 0;
153 /* Give a hash of the currently set handshake */
154 int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
157 if (sizeof(hs_start_hash) > outlen
158 || sizeof(hs_full_hash) != sizeof(hs_start_hash))
162 memcpy(out, hs_full_hash, sizeof(hs_full_hash));
163 *hashlen = sizeof(hs_full_hash);
165 memcpy(out, hs_start_hash, sizeof(hs_start_hash));
166 *hashlen = sizeof(hs_start_hash);
172 const EVP_MD *ssl_handshake_md(SSL *s)
177 void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl)
181 void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
185 int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
186 const EVP_MD **md, int *mac_pkey_type,
187 size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
193 int tls1_alert_code(int code)
198 int ssl_log_secret(SSL *ssl,
200 const uint8_t *secret,
206 const EVP_MD *ssl_md(int idx)
211 /* End of mocked out code */
213 static int test_secret(SSL *s, unsigned char *prk,
214 const unsigned char *label, size_t labellen,
215 const unsigned char *ref_secret,
216 const unsigned char *ref_key, const unsigned char *ref_iv)
219 unsigned char gensecret[EVP_MAX_MD_SIZE];
220 unsigned char hash[EVP_MAX_MD_SIZE];
221 unsigned char key[KEYLEN];
222 unsigned char iv[IVLEN];
223 const EVP_MD *md = ssl_handshake_md(s);
225 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) {
226 TEST_error("Failed to get hash");
230 if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret,
232 TEST_error("Secret generation failed");
236 if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize))
239 if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) {
240 TEST_error("Key generation failed");
244 if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN))
247 if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) {
248 TEST_error("IV generation failed");
252 if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN))
258 static int test_handshake_secrets(void)
264 unsigned char out_master_secret[EVP_MAX_MD_SIZE];
265 size_t master_secret_length;
267 ctx = SSL_CTX_new(TLS_method());
275 s->session = SSL_SESSION_new();
276 if (!TEST_ptr(s->session))
279 if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0,
280 (unsigned char *)&s->early_secret))) {
281 TEST_info("Early secret generation failed");
285 if (!TEST_mem_eq(s->early_secret, sizeof(early_secret),
286 early_secret, sizeof(early_secret))) {
287 TEST_info("Early secret does not match");
291 if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret,
292 sizeof(ecdhe_secret)))) {
293 TEST_info("Hanshake secret generation failed");
297 if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret),
298 handshake_secret, sizeof(handshake_secret)))
301 hashsize = EVP_MD_size(ssl_handshake_md(s));
302 if (!TEST_size_t_eq(sizeof(client_hts), hashsize))
304 if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN))
306 if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN))
309 if (!TEST_true(test_secret(s, s->handshake_secret,
310 (unsigned char *)client_hts_label,
311 strlen(client_hts_label), client_hts,
312 client_hts_key, client_hts_iv))) {
313 TEST_info("Client handshake secret test failed");
317 if (!TEST_size_t_eq(sizeof(server_hts), hashsize))
319 if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN))
321 if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN))
324 if (!TEST_true(test_secret(s, s->handshake_secret,
325 (unsigned char *)server_hts_label,
326 strlen(server_hts_label), server_hts,
327 server_hts_key, server_hts_iv))) {
328 TEST_info("Server handshake secret test failed");
333 * Ensure the mocked out ssl_handshake_hash() returns the full handshake
338 if (!TEST_true(tls13_generate_master_secret(s, out_master_secret,
339 s->handshake_secret, hashsize,
340 &master_secret_length))) {
341 TEST_info("Master secret generation failed");
345 if (!TEST_mem_eq(out_master_secret, master_secret_length,
346 master_secret, sizeof(master_secret))) {
347 TEST_info("Master secret does not match");
351 if (!TEST_size_t_eq(sizeof(client_ats), hashsize))
353 if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN))
355 if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN))
358 if (!TEST_true(test_secret(s, out_master_secret,
359 (unsigned char *)client_ats_label,
360 strlen(client_ats_label), client_ats,
361 client_ats_key, client_ats_iv))) {
362 TEST_info("Client application data secret test failed");
366 if (!TEST_size_t_eq(sizeof(server_ats), hashsize))
368 if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN))
370 if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN))
373 if (!TEST_true(test_secret(s, out_master_secret,
374 (unsigned char *)server_ats_label,
375 strlen(server_ats_label), server_ats,
376 server_ats_key, server_ats_iv))) {
377 TEST_info("Server application data secret test failed");
388 void register_tests()
390 ADD_TEST(test_handshake_secrets);