Add initial TLS 1.3 key schedule support with basic regress tests

ok jsing@ tb@
author: beck <> 2018-11-07 19:43:12 +0000
committer: beck <> 2018-11-07 19:43:12 +0000
commit: a0109d3da709152993f22cb2bb2d8787a88fadc0 (patch)
tree: 8118d73fc7e25abac8b6e6dcc785da60672d75c6 /src/regress
parent: 13765826e4b6ab4b743501175301bb9fdc8108f4 (diff)
download: openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.tar.gz
openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.tar.bz2
openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.zip
2 files changed, 249 insertions, 0 deletions
diff --git a/src/regress/lib/libssl/key_schedule/Makefile b/src/regress/lib/libssl/key_schedule/Makefile
new file mode 100644
index 0000000000..24e12b7c36
--- /dev/null
+++ b/src/regress/lib/libssl/key_schedule/Makefile
@@ -0,0 +1,9 @@
+# $OpenBSD: Makefile,v 1.1 2018/11/07 19:43:12 beck Exp $
+PROG=   key_schedule
+LDADD=  ${SSL_INT} -lcrypto
+DPADD=  ${LIBCRYPTO} ${LIBSSL}
+WARNINGS=       Yes
+CFLAGS+=        -DLIBRESSL_INTERNAL -Wundef -Werror -I$(BSDSRCDIR)/lib/libssl
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/key_schedule/key_schedule.c b/src/regress/lib/libssl/key_schedule/key_schedule.c
new file mode 100644
index 0000000000..c6d420ae56
--- /dev/null
+++ b/src/regress/lib/libssl/key_schedule/key_schedule.c
@@ -0,0 +1,240 @@
+/* $OpenBSD: key_schedule.c,v 1.1 2018/11/07 19:43:12 beck Exp $ */
+/*
+ * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <err.h>
+#include "ssl_locl.h"
+#include "bytestring.h"
+#include "ssl_tlsext.h"
+#include "tls13_internal.h"
+static int failures = 0;
+static void
+hexdump(const unsigned char *buf, size_t len)
+{
+        size_t i;
+        for (i = 1; i <= len; i++)
+                fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
+        fprintf(stderr, "\n");
+}
+static void
+compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect,
+    size_t expect_len)
+{
+        fprintf(stderr, "received:\n");
+        hexdump(recv, recv_len);
+        fprintf(stderr, "test data:\n");
+        hexdump(expect, expect_len);
+}
+#define FAIL(msg, ...)                                          \
+do {                                                            \
+        fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__);  \
+        fprintf(stderr, msg, ##__VA_ARGS__);                    \
+        failures++;                                             \
+} while(0)
+/* Hashes and secrets from test vector */
+uint8_t chello[] = {
+        0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14,
+        0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,
+        0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
+        0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
+};
+const struct tls13_secret chello_hash = {
+        .data = chello,
+        .len = 32,
+};
+uint8_t cshello [] = {
+        0x86, 0x0c, 0x06, 0xed, 0xc0, 0x78, 0x58, 0xee,
+        0x8e, 0x78, 0xf0, 0xe7, 0x42, 0x8c, 0x58, 0xed,
+        0xd6, 0xb4, 0x3f, 0x2c, 0xa3, 0xe6, 0xe9, 0x5f,
+        0x02, 0xed, 0x06, 0x3c, 0xf0, 0xe1, 0xca, 0xd8
+};
+const struct tls13_secret cshello_hash = {
+        .data = cshello,
+        .len = 32,
+};
+const uint8_t ecdhe [] = {
+        0x8b, 0xd4, 0x05, 0x4f, 0xb5, 0x5b, 0x9d, 0x63,
+        0xfd, 0xfb, 0xac, 0xf9, 0xf0, 0x4b, 0x9f, 0x0d,
+        0x35, 0xe6, 0xd6, 0x3f, 0x53, 0x75, 0x63, 0xef,
+        0xd4, 0x62, 0x72, 0x90, 0x0f, 0x89, 0x49, 0x2d
+};
+/* Expected Values */
+uint8_t expected_extracted_early[] = {
+        0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b,
+        0x09, 0xe6, 0xcd, 0x98, 0x93, 0x68, 0x0c, 0xe2,
+        0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60,
+        0xe1, 0xb2, 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
+};
+uint8_t expected_derived_early[] = {
+        0x6f, 0x26, 0x15, 0xa1, 0x08, 0xc7, 0x02, 0xc5,
+        0x67, 0x8f, 0x54, 0xfc, 0x9d, 0xba, 0xb6, 0x97,
+        0x16, 0xc0, 0x76, 0x18, 0x9c, 0x48, 0x25, 0x0c,
+        0xeb, 0xea, 0xc3, 0x57, 0x6c, 0x36, 0x11, 0xba
+};
+uint8_t expected_extracted_handshake[] = {
+        0x1d, 0xc8, 0x26, 0xe9, 0x36, 0x06, 0xaa, 0x6f,
+        0xdc, 0x0a, 0xad, 0xc1, 0x2f, 0x74, 0x1b, 0x01,
+        0x04, 0x6a, 0xa6, 0xb9, 0x9f, 0x69, 0x1e, 0xd2,
+        0x21, 0xa9, 0xf0, 0xca, 0x04, 0x3f, 0xbe, 0xac
+};
+uint8_t expected_client_handshake_traffic[] = {
+        0xb3, 0xed, 0xdb, 0x12, 0x6e, 0x06, 0x7f, 0x35,
+        0xa7, 0x80, 0xb3, 0xab, 0xf4, 0x5e, 0x2d, 0x8f,
+        0x3b, 0x1a, 0x95, 0x07, 0x38, 0xf5, 0x2e, 0x96,
+        0x00, 0x74, 0x6a, 0x0e, 0x27, 0xa5, 0x5a, 0x21
+};
+uint8_t expected_server_handshake_traffic[] = {
+        0xb6, 0x7b, 0x7d, 0x69, 0x0c, 0xc1, 0x6c, 0x4e,
+        0x75, 0xe5, 0x42, 0x13, 0xcb, 0x2d, 0x37, 0xb4,
+        0xe9, 0xc9, 0x12, 0xbc, 0xde, 0xd9, 0x10, 0x5d,
+        0x42, 0xbe, 0xfd, 0x59, 0xd3, 0x91, 0xad, 0x38
+};
+uint8_t expected_derived_handshake[] = {
+        0x43, 0xde, 0x77, 0xe0, 0xc7, 0x77, 0x13, 0x85,
+        0x9a, 0x94, 0x4d, 0xb9, 0xdb, 0x25, 0x90, 0xb5,
+        0x31, 0x90, 0xa6, 0x5b, 0x3e, 0xe2, 0xe4, 0xf1,
+        0x2d, 0xd7, 0xa0, 0xbb, 0x7c, 0xe2, 0x54, 0xb4
+};
+uint8_t expected_extracted_master[] = {
+        0x18, 0xdf, 0x06, 0x84, 0x3d, 0x13, 0xa0, 0x8b,
+        0xf2, 0xa4, 0x49, 0x84, 0x4c, 0x5f, 0x8a, 0x47,
+        0x80, 0x01, 0xbc, 0x4d, 0x4c, 0x62, 0x79, 0x84,
+        0xd5, 0xa4, 0x1d, 0xa8, 0xd0, 0x40, 0x29, 0x19
+};
+int main () {
+        struct tls13_secrets *secrets;
+        secrets = tls13_secrets_new(32);
+        if (tls13_derive_early_secrets(secrets, EVP_sha256(),
+            secrets->zeros.data, secrets->zeros.len, &chello_hash))
+                FAIL("derive_early_secrets worked when it shouldn't\n");
+        tls13_secrets_init(secrets, 0);
+        secrets->insecure = 1; /* don't explicit_bzero when done */
+        if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
+            32, &cshello_hash))
+                FAIL("derive_handshake_secrets worked when it shouldn't\n");
+        if (tls13_derive_application_secrets(secrets, EVP_sha256(),
+            &chello_hash))
+                FAIL("derive_application_secrets worked when it shouldn't\n");
+        if (!tls13_derive_early_secrets(secrets, EVP_sha256(),
+            secrets->zeros.data, secrets->zeros.len, &chello_hash))
+                FAIL("derive_early_secrets failed\n");
+        if (tls13_derive_early_secrets(secrets, EVP_sha256(),
+            secrets->zeros.data, secrets->zeros.len, &chello_hash))
+                FAIL("derive_early_secrets worked when it shouldn't(2)\n");
+        if (!tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
+            32, &cshello_hash))
+                FAIL("derive_handshake_secrets failed\n");
+        if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
+            32, &cshello_hash))
+                FAIL("derive_handshake_secrets worked when it shouldn't(2)\n");
+        /* XXX XXX this should get fixed when test vectors clarified */
+        memcpy(secrets->derived_handshake.data, expected_derived_handshake,
+            32);
+        /* XXX fix hash here once test vector sorted */
+        if (!tls13_derive_application_secrets(secrets, EVP_sha256(),
+            &chello_hash))
+                FAIL("derive_application_secrets failed\n");
+        if (tls13_derive_application_secrets(secrets, EVP_sha256(),
+            &chello_hash))
+                FAIL("derive_application_secrets worked when it "
+                    "shouldn't(2)\n");
+        fprintf(stderr, "extracted_early:\n");
+        compare_data(secrets->extracted_early.data, 32,
+            expected_extracted_early, 32);
+        if (memcmp(secrets->extracted_early.data,
+            expected_extracted_early, 32) != 0)
+                FAIL("extracted_early does not match\n");
+        fprintf(stderr, "derived_early:\n");
+        compare_data(secrets->derived_early.data, 32,
+            expected_derived_early, 32);
+        if (memcmp(secrets->derived_early.data,
+            expected_derived_early, 32) != 0)
+                FAIL("derived_early does not match\n");
+        fprintf(stderr, "extracted_handshake:\n");
+        compare_data(secrets->extracted_handshake.data, 32,
+            expected_extracted_handshake, 32);
+        if (memcmp(secrets->extracted_handshake.data,
+            expected_extracted_handshake, 32) != 0)
+                FAIL("extracted_handshake does not match\n");
+        fprintf(stderr, "client_handshake_traffic:\n");
+        compare_data(secrets->client_handshake_traffic.data, 32,
+            expected_client_handshake_traffic, 32);
+        if (memcmp(secrets->client_handshake_traffic.data,
+            expected_client_handshake_traffic, 32) != 0)
+                FAIL("client_handshake_traffic does not match\n");
+        fprintf(stderr, "server_handshake_traffic:\n");
+        compare_data(secrets->server_handshake_traffic.data, 32,
+            expected_server_handshake_traffic, 32);
+        if (memcmp(secrets->server_handshake_traffic.data,
+            expected_server_handshake_traffic, 32) != 0)
+                FAIL("server_handshake_traffic does not match\n");
+        fprintf(stderr, "derived_early:\n");
+        compare_data(secrets->derived_early.data, 32,
+            expected_derived_early, 32);
+        if (memcmp(secrets->derived_early.data,
+            expected_derived_early, 32) != 0)
+                FAIL("derived_early does not match\n");
+        /* XXX this is currently totally volkswagened from above */
+        fprintf(stderr, "derived_handshake:\n");
+        compare_data(secrets->derived_handshake.data, 32,
+            expected_derived_handshake, 32);
+        if (memcmp(secrets->derived_handshake.data,
+            expected_derived_handshake, 32) != 0)
+                FAIL("derived_handshake does not match\n");
+        fprintf(stderr, "extracted_master:\n");
+        compare_data(secrets->extracted_master.data, 32,
+            expected_extracted_master, 32);
+        if (memcmp(secrets->extracted_master.data,
+            expected_extracted_master, 32) != 0)
+                FAIL("extracted_master does not match\n");
+        return(failures);
+}
author	beck <>	2018-11-07 19:43:12 +0000
committer	beck <>	2018-11-07 19:43:12 +0000
commit	a0109d3da709152993f22cb2bb2d8787a88fadc0 (patch)
tree	8118d73fc7e25abac8b6e6dcc785da60672d75c6 /src/regress
parent	13765826e4b6ab4b743501175301bb9fdc8108f4 (diff)
download	openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.tar.gz openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.tar.bz2 openbsd-a0109d3da709152993f22cb2bb2d8787a88fadc0.zip

diff --git a/src/regress/lib/libssl/key_schedule/Makefile b/src/regress/lib/libssl/key_schedule/Makefile new file mode 100644 index 0000000000..24e12b7c36 --- /dev/null +++ b/src/regress/lib/libssl/key_schedule/Makefile
@@ -0,0 +1,9 @@
	1	# $OpenBSD: Makefile,v 1.1 2018/11/07 19:43:12 beck Exp $
	2
	3	PROG= key_schedule
	4	LDADD= ${SSL_INT} -lcrypto
	5	DPADD= ${LIBCRYPTO} ${LIBSSL}
	6	WARNINGS= Yes
	7	CFLAGS+= -DLIBRESSL_INTERNAL -Wundef -Werror -I$(BSDSRCDIR)/lib/libssl
	8
	9	.include <bsd.regress.mk>


diff --git a/src/regress/lib/libssl/key_schedule/key_schedule.c b/src/regress/lib/libssl/key_schedule/key_schedule.c new file mode 100644 index 0000000000..c6d420ae56 --- /dev/null +++ b/src/regress/lib/libssl/key_schedule/key_schedule.c
@@ -0,0 +1,240 @@
	1	/* $OpenBSD: key_schedule.c,v 1.1 2018/11/07 19:43:12 beck Exp $ */
	2	/*
	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include <err.h>
	19
	20	#include "ssl_locl.h"
	21
	22	#include "bytestring.h"
	23	#include "ssl_tlsext.h"
	24	#include "tls13_internal.h"
	25
	26	static int failures = 0;
	27
	28	static void
	29	hexdump(const unsigned char *buf, size_t len)
	30	{
	31	size_t i;
	32
	33	for (i = 1; i <= len; i++)
	34	fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
	35
	36	fprintf(stderr, "\n");
	37	}
	38
	39	static void
	40	compare_data(const uint8_t recv, size_t recv_len, const uint8_t expect,
	41	size_t expect_len)
	42	{
	43	fprintf(stderr, "received:\n");
	44	hexdump(recv, recv_len);
	45
	46	fprintf(stderr, "test data:\n");
	47	hexdump(expect, expect_len);
	48	}
	49
	50	#define FAIL(msg, ...) \
	51	do { \
	52	fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \
	53	fprintf(stderr, msg, ##__VA_ARGS__); \
	54	failures++; \
	55	} while(0)
	56
	57	/* Hashes and secrets from test vector */
	58
	59	uint8_t chello[] = {
	60	0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14,
	61	0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,
	62	0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
	63	0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
	64	};
	65	const struct tls13_secret chello_hash = {
	66	.data = chello,
	67	.len = 32,
	68	};
	69
	70	uint8_t cshello [] = {
	71	0x86, 0x0c, 0x06, 0xed, 0xc0, 0x78, 0x58, 0xee,
	72	0x8e, 0x78, 0xf0, 0xe7, 0x42, 0x8c, 0x58, 0xed,
	73	0xd6, 0xb4, 0x3f, 0x2c, 0xa3, 0xe6, 0xe9, 0x5f,
	74	0x02, 0xed, 0x06, 0x3c, 0xf0, 0xe1, 0xca, 0xd8
	75	};
	76
	77	const struct tls13_secret cshello_hash = {
	78	.data = cshello,
	79	.len = 32,
	80	};
	81
	82	const uint8_t ecdhe [] = {
	83	0x8b, 0xd4, 0x05, 0x4f, 0xb5, 0x5b, 0x9d, 0x63,
	84	0xfd, 0xfb, 0xac, 0xf9, 0xf0, 0x4b, 0x9f, 0x0d,
	85	0x35, 0xe6, 0xd6, 0x3f, 0x53, 0x75, 0x63, 0xef,
	86	0xd4, 0x62, 0x72, 0x90, 0x0f, 0x89, 0x49, 0x2d
	87	};
	88
	89	/* Expected Values */
	90
	91	uint8_t expected_extracted_early[] = {
	92	0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b,
	93	0x09, 0xe6, 0xcd, 0x98, 0x93, 0x68, 0x0c, 0xe2,
	94	0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60,
	95	0xe1, 0xb2, 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
	96	};
	97	uint8_t expected_derived_early[] = {
	98	0x6f, 0x26, 0x15, 0xa1, 0x08, 0xc7, 0x02, 0xc5,
	99	0x67, 0x8f, 0x54, 0xfc, 0x9d, 0xba, 0xb6, 0x97,
	100	0x16, 0xc0, 0x76, 0x18, 0x9c, 0x48, 0x25, 0x0c,
	101	0xeb, 0xea, 0xc3, 0x57, 0x6c, 0x36, 0x11, 0xba
	102	};
	103	uint8_t expected_extracted_handshake[] = {
	104	0x1d, 0xc8, 0x26, 0xe9, 0x36, 0x06, 0xaa, 0x6f,
	105	0xdc, 0x0a, 0xad, 0xc1, 0x2f, 0x74, 0x1b, 0x01,
	106	0x04, 0x6a, 0xa6, 0xb9, 0x9f, 0x69, 0x1e, 0xd2,
	107	0x21, 0xa9, 0xf0, 0xca, 0x04, 0x3f, 0xbe, 0xac
	108	};
	109	uint8_t expected_client_handshake_traffic[] = {
	110	0xb3, 0xed, 0xdb, 0x12, 0x6e, 0x06, 0x7f, 0x35,
	111	0xa7, 0x80, 0xb3, 0xab, 0xf4, 0x5e, 0x2d, 0x8f,
	112	0x3b, 0x1a, 0x95, 0x07, 0x38, 0xf5, 0x2e, 0x96,
	113	0x00, 0x74, 0x6a, 0x0e, 0x27, 0xa5, 0x5a, 0x21
	114	};
	115
	116	uint8_t expected_server_handshake_traffic[] = {
	117	0xb6, 0x7b, 0x7d, 0x69, 0x0c, 0xc1, 0x6c, 0x4e,
	118	0x75, 0xe5, 0x42, 0x13, 0xcb, 0x2d, 0x37, 0xb4,
	119	0xe9, 0xc9, 0x12, 0xbc, 0xde, 0xd9, 0x10, 0x5d,
	120	0x42, 0xbe, 0xfd, 0x59, 0xd3, 0x91, 0xad, 0x38
	121	};
	122
	123	uint8_t expected_derived_handshake[] = {
	124	0x43, 0xde, 0x77, 0xe0, 0xc7, 0x77, 0x13, 0x85,
	125	0x9a, 0x94, 0x4d, 0xb9, 0xdb, 0x25, 0x90, 0xb5,
	126	0x31, 0x90, 0xa6, 0x5b, 0x3e, 0xe2, 0xe4, 0xf1,
	127	0x2d, 0xd7, 0xa0, 0xbb, 0x7c, 0xe2, 0x54, 0xb4
	128	};
	129
	130	uint8_t expected_extracted_master[] = {
	131	0x18, 0xdf, 0x06, 0x84, 0x3d, 0x13, 0xa0, 0x8b,
	132	0xf2, 0xa4, 0x49, 0x84, 0x4c, 0x5f, 0x8a, 0x47,
	133	0x80, 0x01, 0xbc, 0x4d, 0x4c, 0x62, 0x79, 0x84,
	134	0xd5, 0xa4, 0x1d, 0xa8, 0xd0, 0x40, 0x29, 0x19
	135	};
	136
	137	int main () {
	138	struct tls13_secrets *secrets;
	139
	140	secrets = tls13_secrets_new(32);
	141
	142	if (tls13_derive_early_secrets(secrets, EVP_sha256(),
	143	secrets->zeros.data, secrets->zeros.len, &chello_hash))
	144	FAIL("derive_early_secrets worked when it shouldn't\n");
	145
	146	tls13_secrets_init(secrets, 0);
	147	secrets->insecure = 1; /* don't explicit_bzero when done */
	148
	149	if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
	150	32, &cshello_hash))
	151	FAIL("derive_handshake_secrets worked when it shouldn't\n");
	152	if (tls13_derive_application_secrets(secrets, EVP_sha256(),
	153	&chello_hash))
	154	FAIL("derive_application_secrets worked when it shouldn't\n");
	155
	156	if (!tls13_derive_early_secrets(secrets, EVP_sha256(),
	157	secrets->zeros.data, secrets->zeros.len, &chello_hash))
	158	FAIL("derive_early_secrets failed\n");
	159	if (tls13_derive_early_secrets(secrets, EVP_sha256(),
	160	secrets->zeros.data, secrets->zeros.len, &chello_hash))
	161	FAIL("derive_early_secrets worked when it shouldn't(2)\n");
	162
	163	if (!tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
	164	32, &cshello_hash))
	165	FAIL("derive_handshake_secrets failed\n");
	166	if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
	167	32, &cshello_hash))
	168	FAIL("derive_handshake_secrets worked when it shouldn't(2)\n");
	169
	170	/* XXX XXX this should get fixed when test vectors clarified */
	171	memcpy(secrets->derived_handshake.data, expected_derived_handshake,
	172	32);
	173	/* XXX fix hash here once test vector sorted */
	174	if (!tls13_derive_application_secrets(secrets, EVP_sha256(),
	175	&chello_hash))
	176	FAIL("derive_application_secrets failed\n");
	177	if (tls13_derive_application_secrets(secrets, EVP_sha256(),
	178	&chello_hash))
	179	FAIL("derive_application_secrets worked when it "
	180	"shouldn't(2)\n");
	181
	182	fprintf(stderr, "extracted_early:\n");
	183	compare_data(secrets->extracted_early.data, 32,
	184	expected_extracted_early, 32);
	185	if (memcmp(secrets->extracted_early.data,
	186	expected_extracted_early, 32) != 0)
	187	FAIL("extracted_early does not match\n");
	188
	189	fprintf(stderr, "derived_early:\n");
	190	compare_data(secrets->derived_early.data, 32,
	191	expected_derived_early, 32);
	192	if (memcmp(secrets->derived_early.data,
	193	expected_derived_early, 32) != 0)
	194	FAIL("derived_early does not match\n");
	195
	196	fprintf(stderr, "extracted_handshake:\n");
	197	compare_data(secrets->extracted_handshake.data, 32,
	198	expected_extracted_handshake, 32);
	199	if (memcmp(secrets->extracted_handshake.data,
	200	expected_extracted_handshake, 32) != 0)
	201	FAIL("extracted_handshake does not match\n");
	202
	203	fprintf(stderr, "client_handshake_traffic:\n");
	204	compare_data(secrets->client_handshake_traffic.data, 32,
	205	expected_client_handshake_traffic, 32);
	206	if (memcmp(secrets->client_handshake_traffic.data,
	207	expected_client_handshake_traffic, 32) != 0)
	208	FAIL("client_handshake_traffic does not match\n");
	209
	210	fprintf(stderr, "server_handshake_traffic:\n");
	211	compare_data(secrets->server_handshake_traffic.data, 32,
	212	expected_server_handshake_traffic, 32);
	213	if (memcmp(secrets->server_handshake_traffic.data,
	214	expected_server_handshake_traffic, 32) != 0)
	215	FAIL("server_handshake_traffic does not match\n");
	216
	217	fprintf(stderr, "derived_early:\n");
	218	compare_data(secrets->derived_early.data, 32,
	219	expected_derived_early, 32);
	220	if (memcmp(secrets->derived_early.data,
	221	expected_derived_early, 32) != 0)
	222	FAIL("derived_early does not match\n");
	223
	224	/* XXX this is currently totally volkswagened from above */
	225	fprintf(stderr, "derived_handshake:\n");
	226	compare_data(secrets->derived_handshake.data, 32,
	227	expected_derived_handshake, 32);
	228	if (memcmp(secrets->derived_handshake.data,
	229	expected_derived_handshake, 32) != 0)
	230	FAIL("derived_handshake does not match\n");
	231
	232	fprintf(stderr, "extracted_master:\n");
	233	compare_data(secrets->extracted_master.data, 32,
	234	expected_extracted_master, 32);
	235	if (memcmp(secrets->extracted_master.data,
	236	expected_extracted_master, 32) != 0)
	237	FAIL("extracted_master does not match\n");
	238
	239	return(failures);
	240	}