summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libssl/Makefile5
-rw-r--r--src/lib/libssl/tls13_internal.h58
-rw-r--r--src/lib/libssl/tls13_key_schedule.c375
-rw-r--r--src/regress/lib/libssl/key_schedule/Makefile9
-rw-r--r--src/regress/lib/libssl/key_schedule/key_schedule.c240
5 files changed, 685 insertions, 2 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index e912562a75..762ca0d18d 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.40 2018/11/05 05:45:15 jsing Exp $ 1# $OpenBSD: Makefile,v 1.41 2018/11/07 19:43:12 beck Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -33,7 +33,8 @@ SRCS= \
33 ssl_ciph.c ssl_stat.c ssl_rsa.c \ 33 ssl_ciph.c ssl_stat.c ssl_rsa.c \
34 ssl_asn1.c ssl_txt.c ssl_algs.c \ 34 ssl_asn1.c ssl_txt.c ssl_algs.c \
35 bio_ssl.c ssl_err.c ssl_methods.c \ 35 bio_ssl.c ssl_err.c ssl_methods.c \
36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c 36 ssl_packet.c ssl_tlsext.c ssl_versions.c pqueue.c ssl_init.c \
37 tls13_key_schedule.c
37SRCS+= s3_cbc.c 38SRCS+= s3_cbc.c
38SRCS+= bs_ber.c bs_cbb.c bs_cbs.c 39SRCS+= bs_ber.c bs_cbb.c bs_cbs.c
39 40
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
new file mode 100644
index 0000000000..b1d24ef02b
--- /dev/null
+++ b/src/lib/libssl/tls13_internal.h
@@ -0,0 +1,58 @@
1/* $OpenBSD: tls13_internal.h,v 1.1 2018/11/07 19:43:12 beck Exp $ */
2/* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
3 *
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
11 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
13 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
14 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17struct tls13_secret {
18 uint8_t *data;
19 size_t len;
20};
21
22/* RFC 8446 Section 7.1 Page 92 */
23struct tls13_secrets {
24 int resumption;
25 int init_done;
26 int early_done;
27 int handshake_done;
28 int schedule_done;
29 int insecure; /* Set by tests */
30 struct tls13_secret zeros;
31 struct tls13_secret extracted_early;
32 struct tls13_secret binder_key;
33 struct tls13_secret client_early_traffic;
34 struct tls13_secret early_exporter_master;
35 struct tls13_secret derived_early;
36 struct tls13_secret extracted_handshake;
37 struct tls13_secret client_handshake_traffic;
38 struct tls13_secret server_handshake_traffic;
39 struct tls13_secret derived_handshake;
40 struct tls13_secret extracted_master;
41 struct tls13_secret client_application_traffic;
42 struct tls13_secret server_application_traffic;
43 struct tls13_secret exporter_master;
44 struct tls13_secret resumption_master;
45};
46
47struct tls13_secrets *tls13_secrets_new(size_t hash_length);
48void tls13_secrets_init(struct tls13_secrets *secrets, int resumption);
49void tls13_secrets_destroy(struct tls13_secrets *secrets);
50
51int tls13_derive_early_secrets(struct tls13_secrets *secrets,
52 const EVP_MD *digest,uint8_t *psk, size_t psk_len,
53 const struct tls13_secret *context);
54int tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
55 const EVP_MD *digest, const uint8_t *ecdhe, size_t ecdhe_len,
56 const struct tls13_secret *context);
57int tls13_derive_application_secrets(struct tls13_secrets *secrets,
58 const EVP_MD *digest, const struct tls13_secret *context);
diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c
new file mode 100644
index 0000000000..6aa8b65e70
--- /dev/null
+++ b/src/lib/libssl/tls13_key_schedule.c
@@ -0,0 +1,375 @@
1/* $OpenBSD: tls13_key_schedule.c,v 1.1 2018/11/07 19:43:12 beck Exp $ */
2/* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
3 *
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
11 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
13 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
14 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include <string.h>
18#include <stdlib.h>
19
20#include <openssl/evp.h>
21#include <openssl/hkdf.h>
22
23#include "bytestring.h"
24#include "tls13_internal.h"
25
26void
27tls13_secrets_destroy(struct tls13_secrets *secrets)
28{
29 if (secrets == NULL)
30 return;
31
32 /* you can never be too sure :) */
33 freezero(secrets->zeros.data, secrets->zeros.len);
34
35 freezero(secrets->extracted_early.data,
36 secrets->extracted_early.len);
37 freezero(secrets->binder_key.data,
38 secrets->binder_key.len);
39 freezero(secrets->client_early_traffic.data,
40 secrets->client_early_traffic.len);
41 freezero(secrets->early_exporter_master.data,
42 secrets->early_exporter_master.len);
43 freezero(secrets->derived_early.data,
44 secrets->derived_early.len);
45 freezero(secrets->extracted_handshake.data,
46 secrets->extracted_handshake.len);
47 freezero(secrets->client_handshake_traffic.data,
48 secrets->client_handshake_traffic.len);
49 freezero(secrets->server_handshake_traffic.data,
50 secrets->server_handshake_traffic.len);
51 freezero(secrets->derived_handshake.data,
52 secrets->derived_handshake.len);
53 freezero(secrets->extracted_master.data,
54 secrets->extracted_master.len);
55 freezero(secrets->client_application_traffic.data,
56 secrets->client_application_traffic.len);
57 freezero(secrets->server_application_traffic.data,
58 secrets->server_application_traffic.len);
59 freezero(secrets->exporter_master.data,
60 secrets->exporter_master.len);
61 freezero(secrets->resumption_master.data,
62 secrets->resumption_master.len);
63
64 freezero(secrets, sizeof(struct tls13_secrets));
65}
66
67/*
68 * Allocate a set of secrets for a key schedule using
69 * a size of hash_length from RFC 8446 section 7.1
70 */
71struct tls13_secrets *
72tls13_secrets_new(size_t hash_length)
73{
74 struct tls13_secrets *secrets = NULL;
75
76 if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL)
77 goto err;
78 if ((secrets->zeros.data = calloc(hash_length, sizeof(uint8_t))) == NULL)
79 goto err;
80 secrets->zeros.len = hash_length;
81
82 if ((secrets->extracted_early.data = malloc(hash_length)) == NULL)
83 goto err;
84 secrets->extracted_early.len = hash_length;
85 if ((secrets->binder_key.data = malloc(hash_length)) == NULL)
86 goto err;
87 secrets->binder_key.len = hash_length;
88 if ((secrets->client_early_traffic.data = malloc(hash_length)) == NULL)
89 goto err;
90 secrets->client_early_traffic.len = hash_length;
91 if ((secrets->early_exporter_master.data = malloc(hash_length)) ==
92 NULL)
93 goto err;
94 secrets->early_exporter_master.len = hash_length;
95 if ((secrets->derived_early.data = malloc(hash_length)) == NULL)
96 goto err;
97 secrets->derived_early.len = hash_length;
98 if ((secrets->extracted_handshake.data = malloc(hash_length)) == NULL)
99 goto err;
100 secrets->extracted_handshake.len = hash_length;
101 if ((secrets->extracted_handshake.data = malloc(hash_length)) == NULL)
102 goto err;
103 secrets->extracted_handshake.len = hash_length;
104 if ((secrets->client_handshake_traffic.data = malloc(hash_length))
105 == NULL)
106 goto err;
107 secrets->client_handshake_traffic.len = hash_length;
108 if ((secrets->server_handshake_traffic.data = malloc(hash_length))
109 == NULL)
110 goto err;
111 secrets->server_handshake_traffic.len = hash_length;
112 if ((secrets->derived_handshake.data = malloc(hash_length)) == NULL)
113 goto err;
114 secrets->derived_handshake.len = hash_length;
115 if ((secrets->extracted_master.data = malloc(hash_length)) == NULL)
116 goto err;
117 secrets->extracted_master.len = hash_length;
118 if ((secrets->client_application_traffic.data = malloc(hash_length)) ==
119 NULL)
120 goto err;
121 secrets->client_application_traffic.len = hash_length;
122 if ((secrets->server_application_traffic.data = malloc(hash_length)) ==
123 NULL)
124 goto err;
125 secrets->server_application_traffic.len = hash_length;
126 if ((secrets->exporter_master.data = malloc(hash_length)) == NULL)
127 goto err;
128 secrets->exporter_master.len = hash_length;
129 if ((secrets->resumption_master.data = malloc(hash_length)) == NULL)
130 goto err;
131 secrets->resumption_master.len = hash_length;
132
133 return secrets;
134 err:
135 tls13_secrets_destroy(secrets);
136 return NULL;
137}
138
139void
140tls13_secrets_init(struct tls13_secrets *secrets, int resumption)
141{
142 secrets->resumption = resumption;
143 secrets->init_done = 1;
144}
145
146static int
147tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
148 const struct tls13_secret *secret, const char *label,
149 const struct tls13_secret *context)
150{
151 const char tls13_plabel[] = "tls13 ";
152 uint8_t *hkdf_label;
153 size_t hkdf_label_len;
154 CBB cbb, child;
155 int ret;
156
157 if (!CBB_init(&cbb, 256))
158 return 0;
159 if (!CBB_add_u16(&cbb, out->len))
160 goto err;
161 if (!CBB_add_u8_length_prefixed(&cbb, &child))
162 goto err;
163 if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
164 goto err;
165 if (!CBB_add_bytes(&child, label, strlen(label)))
166 goto err;
167 if (!CBB_add_u8_length_prefixed(&cbb, &child))
168 goto err;
169 if (!CBB_add_bytes(&child, context->data, context->len))
170 goto err;
171 if (!CBB_finish(&cbb, &hkdf_label, &hkdf_label_len))
172 goto err;
173
174 ret = HKDF_expand(out->data, out->len, digest, secret->data,
175 secret->len, hkdf_label, hkdf_label_len);
176 free(hkdf_label);
177 return(ret);
178 err:
179 CBB_cleanup(&cbb);
180 return(0);
181}
182
183static int
184tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
185 const struct tls13_secret *secret, const char *label,
186 const struct tls13_secret *context)
187{
188 return tls13_hkdf_expand_label(out, digest, secret, label, context);
189}
190
191
192int
193tls13_derive_early_secrets(struct tls13_secrets *secrets, const EVP_MD *digest,
194 uint8_t *psk, size_t psk_len, const struct tls13_secret *context)
195{
196 struct tls13_secret binder_context;
197 uint8_t binder_context_data[EVP_MAX_MD_SIZE] = { 0 };
198 unsigned binder_context_len;
199 EVP_MD_CTX *mdctx;
200
201 if (!secrets->init_done || secrets->early_done)
202 return 0;
203
204 if ((mdctx = EVP_MD_CTX_new()) == NULL)
205 return 0;
206
207 if (!EVP_DigestInit_ex(mdctx, digest, NULL) ||
208 !EVP_DigestUpdate(mdctx, secrets->zeros.data, secrets->zeros.len) ||
209 !EVP_DigestFinal_ex(mdctx, binder_context_data,
210 &binder_context_len)) {
211 EVP_MD_CTX_free(mdctx);
212 return 0;
213 }
214 binder_context.data = binder_context_data;
215 binder_context.len = binder_context_len;
216 EVP_MD_CTX_free(mdctx);
217
218 /* If these don't match, we were initialized with the wrong length */
219 if (binder_context_len != secrets->zeros.len)
220 return 0;
221
222 if (!HKDF_extract(secrets->extracted_early.data,
223 &secrets->extracted_early.len, digest, psk, psk_len,
224 secrets->zeros.data, secrets->zeros.len))
225 return 0;
226
227 if (secrets->extracted_early.len != secrets->zeros.len)
228 return 0;
229
230 if (!tls13_derive_secret(&secrets->binder_key,
231 digest, &secrets->extracted_early,
232 secrets->resumption ? "res binder" : "ext binder",
233 &binder_context))
234 return 0;
235
236 if (!tls13_derive_secret(&secrets->client_early_traffic,
237 digest, &secrets->extracted_early, "c e traffic", context))
238 return 0;
239
240 if (!tls13_derive_secret(&secrets->early_exporter_master,
241 digest, &secrets->extracted_early, "e exp master", context))
242 return 0;
243
244 if (!tls13_derive_secret(&secrets->derived_early,
245 digest, &secrets->extracted_early, "derived", context))
246 return 0;
247
248 /* RFC 8446 recommends */
249 if (!secrets->insecure)
250 explicit_bzero(secrets->extracted_early.data,
251 secrets->extracted_early.len);
252 secrets->early_done = 1;
253 return 1;
254}
255
256int
257tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
258 const EVP_MD *digest, const uint8_t *ecdhe, size_t ecdhe_len,
259 const struct tls13_secret *context)
260{
261 if (!secrets->init_done || !secrets->early_done ||
262 secrets->handshake_done)
263 return 0;
264
265 if (!HKDF_extract(secrets->extracted_handshake.data,
266 &secrets->extracted_handshake.len,
267 digest, ecdhe, ecdhe_len, secrets->derived_early.data,
268 secrets->derived_early.len))
269 return 0;
270
271 if (secrets->extracted_handshake.len != secrets->zeros.len)
272 return 0;
273
274 /* XXX */
275 if (!secrets->insecure)
276 explicit_bzero(secrets->derived_early.data,
277 secrets->derived_early.len);
278
279 if (!tls13_derive_secret(&secrets->client_handshake_traffic,
280 digest, &secrets->extracted_handshake, "c hs traffic", context))
281 return 0;
282 if (!tls13_derive_secret(&secrets->server_handshake_traffic,
283 digest, &secrets->extracted_handshake, "s hs traffic", context))
284 return 0;
285 if (!tls13_derive_secret(&secrets->derived_handshake,
286 digest, &secrets->extracted_handshake, "derived", context))
287 return 0;
288
289 /* RFC 8446 recommends */
290 if (!secrets->insecure)
291 explicit_bzero(secrets->extracted_handshake.data,
292 secrets->extracted_handshake.len);
293 secrets->handshake_done = 1;
294 return 1;
295}
296
297int
298tls13_derive_application_secrets(struct tls13_secrets *secrets,
299 const EVP_MD *digest, const struct tls13_secret *context)
300{
301 if (!secrets->init_done || !secrets->early_done ||
302 !secrets->handshake_done || secrets->schedule_done)
303 return 0;
304
305 if (!HKDF_extract(secrets->extracted_master.data,
306 &secrets->extracted_master.len,
307 digest, secrets->zeros.data, secrets->zeros.len, // XXX ?
308 secrets->derived_handshake.data,
309 secrets->derived_handshake.len))
310 return 0;
311
312 if (secrets->extracted_master.len != secrets->zeros.len)
313 return 0;
314
315 /* XXX */
316 if (!secrets->insecure)
317 explicit_bzero(secrets->derived_handshake.data,
318 secrets->derived_handshake.len);
319
320 if (!tls13_derive_secret(&secrets->client_application_traffic,
321 digest, &secrets->extracted_master, "c ap traffic", context))
322 return 0;
323 if (!tls13_derive_secret(&secrets->server_application_traffic,
324 digest, &secrets->extracted_master, "s ap traffic", context))
325 return 0;
326 if (!tls13_derive_secret(&secrets->exporter_master,
327 digest, &secrets->extracted_master, "exp master", context))
328 return 0;
329 if (!tls13_derive_secret(&secrets->resumption_master,
330 digest, &secrets->extracted_master, "res master", context))
331 return 0;
332
333 /* RFC 8446 recommends */
334 if (!secrets->insecure)
335 explicit_bzero(secrets->extracted_master.data,
336 secrets->extracted_master.len);
337 secrets->schedule_done = 1;
338 return 1;
339}
340
341int
342tls13_update_client_traffic_secret(struct tls13_secrets *secrets,
343 const EVP_MD *digest)
344{
345 const struct tls13_secret empty = {
346 .data = "",
347 .len = 0,
348 };
349
350 if (!secrets->init_done || !secrets->early_done ||
351 !secrets->handshake_done || !secrets->schedule_done)
352 return 0;
353
354 return tls13_hkdf_expand_label(&secrets->client_application_traffic,
355 digest, &secrets->client_application_traffic, "traffic upd",
356 &empty);
357}
358
359int
360tls13_update_server_traffic_secret(struct tls13_secrets *secrets,
361 const EVP_MD *digest)
362{
363 const struct tls13_secret empty = {
364 .data = "",
365 .len = 0,
366 };
367
368 if (!secrets->init_done || !secrets->early_done ||
369 !secrets->handshake_done || !secrets->schedule_done)
370 return 0;
371
372 return tls13_hkdf_expand_label(&secrets->server_application_traffic,
373 digest, &secrets->server_application_traffic, "traffic upd",
374 &empty);
375}
diff --git a/src/regress/lib/libssl/key_schedule/Makefile b/src/regress/lib/libssl/key_schedule/Makefile
new file mode 100644
index 0000000000..24e12b7c36
--- /dev/null
+++ b/src/regress/lib/libssl/key_schedule/Makefile
@@ -0,0 +1,9 @@
1# $OpenBSD: Makefile,v 1.1 2018/11/07 19:43:12 beck Exp $
2
3PROG= key_schedule
4LDADD= ${SSL_INT} -lcrypto
5DPADD= ${LIBCRYPTO} ${LIBSSL}
6WARNINGS= Yes
7CFLAGS+= -DLIBRESSL_INTERNAL -Wundef -Werror -I$(BSDSRCDIR)/lib/libssl
8
9.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/key_schedule/key_schedule.c b/src/regress/lib/libssl/key_schedule/key_schedule.c
new file mode 100644
index 0000000000..c6d420ae56
--- /dev/null
+++ b/src/regress/lib/libssl/key_schedule/key_schedule.c
@@ -0,0 +1,240 @@
1/* $OpenBSD: key_schedule.c,v 1.1 2018/11/07 19:43:12 beck Exp $ */
2/*
3 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <err.h>
19
20#include "ssl_locl.h"
21
22#include "bytestring.h"
23#include "ssl_tlsext.h"
24#include "tls13_internal.h"
25
26static int failures = 0;
27
28static void
29hexdump(const unsigned char *buf, size_t len)
30{
31 size_t i;
32
33 for (i = 1; i <= len; i++)
34 fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
35
36 fprintf(stderr, "\n");
37}
38
39static void
40compare_data(const uint8_t *recv, size_t recv_len, const uint8_t *expect,
41 size_t expect_len)
42{
43 fprintf(stderr, "received:\n");
44 hexdump(recv, recv_len);
45
46 fprintf(stderr, "test data:\n");
47 hexdump(expect, expect_len);
48}
49
50#define FAIL(msg, ...) \
51do { \
52 fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \
53 fprintf(stderr, msg, ##__VA_ARGS__); \
54 failures++; \
55} while(0)
56
57/* Hashes and secrets from test vector */
58
59uint8_t chello[] = {
60 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14,
61 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,
62 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
63 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55
64};
65const struct tls13_secret chello_hash = {
66 .data = chello,
67 .len = 32,
68};
69
70uint8_t cshello [] = {
71 0x86, 0x0c, 0x06, 0xed, 0xc0, 0x78, 0x58, 0xee,
72 0x8e, 0x78, 0xf0, 0xe7, 0x42, 0x8c, 0x58, 0xed,
73 0xd6, 0xb4, 0x3f, 0x2c, 0xa3, 0xe6, 0xe9, 0x5f,
74 0x02, 0xed, 0x06, 0x3c, 0xf0, 0xe1, 0xca, 0xd8
75};
76
77const struct tls13_secret cshello_hash = {
78 .data = cshello,
79 .len = 32,
80};
81
82const uint8_t ecdhe [] = {
83 0x8b, 0xd4, 0x05, 0x4f, 0xb5, 0x5b, 0x9d, 0x63,
84 0xfd, 0xfb, 0xac, 0xf9, 0xf0, 0x4b, 0x9f, 0x0d,
85 0x35, 0xe6, 0xd6, 0x3f, 0x53, 0x75, 0x63, 0xef,
86 0xd4, 0x62, 0x72, 0x90, 0x0f, 0x89, 0x49, 0x2d
87};
88
89/* Expected Values */
90
91uint8_t expected_extracted_early[] = {
92 0x33, 0xad, 0x0a, 0x1c, 0x60, 0x7e, 0xc0, 0x3b,
93 0x09, 0xe6, 0xcd, 0x98, 0x93, 0x68, 0x0c, 0xe2,
94 0x10, 0xad, 0xf3, 0x00, 0xaa, 0x1f, 0x26, 0x60,
95 0xe1, 0xb2, 0x2e, 0x10, 0xf1, 0x70, 0xf9, 0x2a
96};
97uint8_t expected_derived_early[] = {
98 0x6f, 0x26, 0x15, 0xa1, 0x08, 0xc7, 0x02, 0xc5,
99 0x67, 0x8f, 0x54, 0xfc, 0x9d, 0xba, 0xb6, 0x97,
100 0x16, 0xc0, 0x76, 0x18, 0x9c, 0x48, 0x25, 0x0c,
101 0xeb, 0xea, 0xc3, 0x57, 0x6c, 0x36, 0x11, 0xba
102};
103uint8_t expected_extracted_handshake[] = {
104 0x1d, 0xc8, 0x26, 0xe9, 0x36, 0x06, 0xaa, 0x6f,
105 0xdc, 0x0a, 0xad, 0xc1, 0x2f, 0x74, 0x1b, 0x01,
106 0x04, 0x6a, 0xa6, 0xb9, 0x9f, 0x69, 0x1e, 0xd2,
107 0x21, 0xa9, 0xf0, 0xca, 0x04, 0x3f, 0xbe, 0xac
108};
109uint8_t expected_client_handshake_traffic[] = {
110 0xb3, 0xed, 0xdb, 0x12, 0x6e, 0x06, 0x7f, 0x35,
111 0xa7, 0x80, 0xb3, 0xab, 0xf4, 0x5e, 0x2d, 0x8f,
112 0x3b, 0x1a, 0x95, 0x07, 0x38, 0xf5, 0x2e, 0x96,
113 0x00, 0x74, 0x6a, 0x0e, 0x27, 0xa5, 0x5a, 0x21
114};
115
116uint8_t expected_server_handshake_traffic[] = {
117 0xb6, 0x7b, 0x7d, 0x69, 0x0c, 0xc1, 0x6c, 0x4e,
118 0x75, 0xe5, 0x42, 0x13, 0xcb, 0x2d, 0x37, 0xb4,
119 0xe9, 0xc9, 0x12, 0xbc, 0xde, 0xd9, 0x10, 0x5d,
120 0x42, 0xbe, 0xfd, 0x59, 0xd3, 0x91, 0xad, 0x38
121};
122
123uint8_t expected_derived_handshake[] = {
124 0x43, 0xde, 0x77, 0xe0, 0xc7, 0x77, 0x13, 0x85,
125 0x9a, 0x94, 0x4d, 0xb9, 0xdb, 0x25, 0x90, 0xb5,
126 0x31, 0x90, 0xa6, 0x5b, 0x3e, 0xe2, 0xe4, 0xf1,
127 0x2d, 0xd7, 0xa0, 0xbb, 0x7c, 0xe2, 0x54, 0xb4
128};
129
130uint8_t expected_extracted_master[] = {
131 0x18, 0xdf, 0x06, 0x84, 0x3d, 0x13, 0xa0, 0x8b,
132 0xf2, 0xa4, 0x49, 0x84, 0x4c, 0x5f, 0x8a, 0x47,
133 0x80, 0x01, 0xbc, 0x4d, 0x4c, 0x62, 0x79, 0x84,
134 0xd5, 0xa4, 0x1d, 0xa8, 0xd0, 0x40, 0x29, 0x19
135};
136
137int main () {
138 struct tls13_secrets *secrets;
139
140 secrets = tls13_secrets_new(32);
141
142 if (tls13_derive_early_secrets(secrets, EVP_sha256(),
143 secrets->zeros.data, secrets->zeros.len, &chello_hash))
144 FAIL("derive_early_secrets worked when it shouldn't\n");
145
146 tls13_secrets_init(secrets, 0);
147 secrets->insecure = 1; /* don't explicit_bzero when done */
148
149 if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
150 32, &cshello_hash))
151 FAIL("derive_handshake_secrets worked when it shouldn't\n");
152 if (tls13_derive_application_secrets(secrets, EVP_sha256(),
153 &chello_hash))
154 FAIL("derive_application_secrets worked when it shouldn't\n");
155
156 if (!tls13_derive_early_secrets(secrets, EVP_sha256(),
157 secrets->zeros.data, secrets->zeros.len, &chello_hash))
158 FAIL("derive_early_secrets failed\n");
159 if (tls13_derive_early_secrets(secrets, EVP_sha256(),
160 secrets->zeros.data, secrets->zeros.len, &chello_hash))
161 FAIL("derive_early_secrets worked when it shouldn't(2)\n");
162
163 if (!tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
164 32, &cshello_hash))
165 FAIL("derive_handshake_secrets failed\n");
166 if (tls13_derive_handshake_secrets(secrets, EVP_sha256(), ecdhe,
167 32, &cshello_hash))
168 FAIL("derive_handshake_secrets worked when it shouldn't(2)\n");
169
170 /* XXX XXX this should get fixed when test vectors clarified */
171 memcpy(secrets->derived_handshake.data, expected_derived_handshake,
172 32);
173 /* XXX fix hash here once test vector sorted */
174 if (!tls13_derive_application_secrets(secrets, EVP_sha256(),
175 &chello_hash))
176 FAIL("derive_application_secrets failed\n");
177 if (tls13_derive_application_secrets(secrets, EVP_sha256(),
178 &chello_hash))
179 FAIL("derive_application_secrets worked when it "
180 "shouldn't(2)\n");
181
182 fprintf(stderr, "extracted_early:\n");
183 compare_data(secrets->extracted_early.data, 32,
184 expected_extracted_early, 32);
185 if (memcmp(secrets->extracted_early.data,
186 expected_extracted_early, 32) != 0)
187 FAIL("extracted_early does not match\n");
188
189 fprintf(stderr, "derived_early:\n");
190 compare_data(secrets->derived_early.data, 32,
191 expected_derived_early, 32);
192 if (memcmp(secrets->derived_early.data,
193 expected_derived_early, 32) != 0)
194 FAIL("derived_early does not match\n");
195
196 fprintf(stderr, "extracted_handshake:\n");
197 compare_data(secrets->extracted_handshake.data, 32,
198 expected_extracted_handshake, 32);
199 if (memcmp(secrets->extracted_handshake.data,
200 expected_extracted_handshake, 32) != 0)
201 FAIL("extracted_handshake does not match\n");
202
203 fprintf(stderr, "client_handshake_traffic:\n");
204 compare_data(secrets->client_handshake_traffic.data, 32,
205 expected_client_handshake_traffic, 32);
206 if (memcmp(secrets->client_handshake_traffic.data,
207 expected_client_handshake_traffic, 32) != 0)
208 FAIL("client_handshake_traffic does not match\n");
209
210 fprintf(stderr, "server_handshake_traffic:\n");
211 compare_data(secrets->server_handshake_traffic.data, 32,
212 expected_server_handshake_traffic, 32);
213 if (memcmp(secrets->server_handshake_traffic.data,
214 expected_server_handshake_traffic, 32) != 0)
215 FAIL("server_handshake_traffic does not match\n");
216
217 fprintf(stderr, "derived_early:\n");
218 compare_data(secrets->derived_early.data, 32,
219 expected_derived_early, 32);
220 if (memcmp(secrets->derived_early.data,
221 expected_derived_early, 32) != 0)
222 FAIL("derived_early does not match\n");
223
224 /* XXX this is currently totally volkswagened from above */
225 fprintf(stderr, "derived_handshake:\n");
226 compare_data(secrets->derived_handshake.data, 32,
227 expected_derived_handshake, 32);
228 if (memcmp(secrets->derived_handshake.data,
229 expected_derived_handshake, 32) != 0)
230 FAIL("derived_handshake does not match\n");
231
232 fprintf(stderr, "extracted_master:\n");
233 compare_data(secrets->extracted_master.data, 32,
234 expected_extracted_master, 32);
235 if (memcmp(secrets->extracted_master.data,
236 expected_extracted_master, 32) != 0)
237 FAIL("extracted_master does not match\n");
238
239 return(failures);
240}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 17:39:25 +0000