lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. |
| 3 | * |
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use |
| 5 | * this file except in compliance with the License. You can obtain a copy |
| 6 | * in the file LICENSE in the source distribution or at |
| 7 | * https://www.openssl.org/source/license.html |
| 8 | */ |
| 9 | |
| 10 | #include <openssl/ssl.h> |
| 11 | #include <openssl/evp.h> |
| 12 | |
| 13 | #ifdef __VMS |
| 14 | # pragma names save |
| 15 | # pragma names as_is,shortened |
| 16 | #endif |
| 17 | |
| 18 | #include "../ssl/ssl_local.h" |
| 19 | #include "../ssl/record/record_local.h" |
| 20 | |
| 21 | #ifdef __VMS |
| 22 | # pragma names restore |
| 23 | #endif |
| 24 | |
| 25 | #include "internal/nelem.h" |
| 26 | #include "testutil.h" |
| 27 | |
| 28 | /* |
| 29 | * Based on the test vectors provided in: |
| 30 | * https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06 |
| 31 | */ |
| 32 | |
| 33 | typedef struct { |
| 34 | /* |
| 35 | * We split these into 3 chunks in order to work around the 509 character |
| 36 | * limit that the standard specifies for string literals |
| 37 | */ |
| 38 | const char *plaintext[3]; |
| 39 | const char *ciphertext[3]; |
| 40 | const char *key; |
| 41 | const char *iv; |
| 42 | const char *seq; |
| 43 | } RECORD_DATA; |
| 44 | |
| 45 | /* |
| 46 | * Note 1: The plaintext values given here have an additional "16" or "17" byte |
| 47 | * added to the end when compared to the official vectors. The official vectors |
| 48 | * do not include the inner content type, but we require it. |
| 49 | * |
| 50 | * Note 2: These are the vectors for the "Simple 1-RTT Handshake" |
| 51 | */ |
| 52 | static RECORD_DATA refdata[] = { |
| 53 | { |
| 54 | /* |
| 55 | * Server: EncryptedExtensions, Certificate, CertificateVerify and |
| 56 | * Finished |
| 57 | */ |
| 58 | { |
| 59 | "080000240022000a00140012001d00170018001901000101010201030104001c" |
| 60 | "00024001000000000b0001b9000001b50001b0308201ac30820115a003020102" |
| 61 | "020102300d06092a864886f70d01010b0500300e310c300a0603550403130372" |
| 62 | "7361301e170d3136303733303031323335395a170d3236303733303031323335" |
| 63 | "395a300e310c300a0603550403130372736130819f300d06092a864886f70d01" |
| 64 | "0101050003818d0030818902818100b4bb498f8279303d980836399b36c6988c" |
| 65 | "0c68de55e1bdb826d3901a2461eafd2de49a91d015abbc9a95137ace6c1af19e", |
| 66 | "aa6af98c7ced43120998e187a80ee0ccb0524b1b018c3e0b63264d449a6d38e2" |
| 67 | "2a5fda430846748030530ef0461c8ca9d9efbfae8ea6d1d03e2bd193eff0ab9a" |
| 68 | "8002c47428a6d35a8d88d79f7f1e3f0203010001a31a301830090603551d1304" |
| 69 | "023000300b0603551d0f0404030205a0300d06092a864886f70d01010b050003" |
| 70 | "81810085aad2a0e5b9276b908c65f73a7267170618a54c5f8a7b337d2df7a594" |
| 71 | "365417f2eae8f8a58c8f8172f9319cf36b7fd6c55b80f21a03015156726096fd" |
| 72 | "335e5e67f2dbf102702e608ccae6bec1fc63a42a99be5c3eb7107c3c54e9b9eb", |
| 73 | "2bd5203b1c3b84e0a8b2f759409ba3eac9d91d402dcc0cc8f8961229ac9187b4" |
| 74 | "2b4de100000f00008408040080754040d0ddab8cf0e2da2bc4995b868ad745c8" |
| 75 | "e1564e33cde17880a42392cc624aeef6b67bb3f0ae71d9d54a2309731d87dc59" |
| 76 | "f642d733be2eb27484ad8a8c8eb3516a7ac57f2625e2b5c0888a8541f4e734f7" |
| 77 | "3d054761df1dd02f0e3e9a33cfa10b6e3eb4ebf7ac053b01fdabbddfc54133bc" |
| 78 | "d24c8bbdceb223b2aa03452a2914000020ac86acbc9cd25a45b57ad5b64db15d" |
| 79 | "4405cf8c80e314583ebf3283ef9a99310c16" |
| 80 | }, |
| 81 | { |
| 82 | "f10b26d8fcaf67b5b828f712122216a1cd14187465b77637cbcd78539128bb93" |
| 83 | "246dcca1af56f1eaa271666077455bc54965d85f05f9bd36d6996171eb536aff" |
| 84 | "613eeddc42bad5a2d2227c4606f1215f980e7afaf56bd3b85a51be130003101a" |
| 85 | "758d077b1c891d8e7a22947e5a229851fd42a9dd422608f868272abf92b3d43f" |
| 86 | "b46ac420259346067f66322fd708885680f4b4433c29116f2dfa529e09bba53c" |
| 87 | "7cd920121724809eaddcc84307ef46fc51a0b33d99d39db337fcd761ce0f2b02" |
| 88 | "dc73dedb6fddb77c4f8099bde93d5bee08bcf2131f29a2a37ff07949e8f8bcdd", |
| 89 | "3e8310b8bf8b3444c85aaf0d2aeb2d4f36fd14d5cb51fcebff418b3827136ab9" |
| 90 | "529e9a3d3f35e4c0ae749ea2dbc94982a1281d3e6daab719aa4460889321a008" |
| 91 | "bf10fa06ac0c61cc122cc90d5e22c0030c986ae84a33a0c47df174bcfbd50bf7" |
| 92 | "8ffdf24051ab423db63d5815db2f830040f30521131c98c66f16c362addce2fb" |
| 93 | "a0602cf0a7dddf22e8def7516cdfee95b4056cc9ad38c95352335421b5b1ffba" |
| 94 | "df75e5212fdad7a75f52a2801486a1eec3539580bee0e4b337cda6085ac9eccd" |
| 95 | "1a0f1a46cebfbb5cdfa3251ac28c3bc826148c6d8c1eb6a06f77f6ff632c6a83", |
| 96 | "e283e8f9df7c6dbabf1c6ea40629a85b43ab0c73d34f9d5072832a104eda3f75" |
| 97 | "f5d83da6e14822a18e14099d749eafd823ca2ac7542086501eca206ce7887920" |
| 98 | "008573757ce2f230a890782b99cc682377beee812756d04f9025135fb599d746" |
| 99 | "fefe7316c922ac265ca0d29021375adb63c1509c3e242dfb92b8dee891f7368c" |
| 100 | "4058399b8db9075f2dcc8216194e503b6652d87d2cb41f99adfdcc5be5ec7e1e" |
| 101 | "6326ac22d70bd3ba652827532d669aff005173597f8039c3ea4922d3ec757670" |
| 102 | "222f6ac29b93e90d7ad3f6dd96328e429cfcfd5cca22707fe2d86ad1dcb0be75" |
| 103 | "6e8e" |
| 104 | }, |
| 105 | "c66cb1aec519df44c91e10995511ac8b", |
| 106 | "f7f6884c4981716c2d0d29a4", |
| 107 | "0000000000000000" |
| 108 | }, |
| 109 | { |
| 110 | /* Client: Finished */ |
| 111 | { |
| 112 | "14000020b9027a0204b972b52cdefa58950fa1580d68c9cb124dbe691a7178f2" |
| 113 | "5c554b2316", "", "" |
| 114 | }, |
| 115 | { |
| 116 | "9539b4ae2f87fd8e616b295628ea953d9e3858db274970d19813ec136cae7d96" |
| 117 | "e0417775fcabd3d8858fdc60240912d218f5afb21c", "", "" |
| 118 | }, |
| 119 | "2679a43e1d76784034ea1797d5ad2649", |
| 120 | "5482405290dd0d2f81c0d942", |
| 121 | "0000000000000000" |
| 122 | }, |
| 123 | { |
| 124 | /* Server: NewSessionTicket */ |
| 125 | { |
| 126 | "040000c90000001e2fd3992f02000000b2ff099f9676cdff8b0bf8825d000000" |
| 127 | "007905a9d28efeef4a47c6f9b06a0cecdb0070d920b898997c75b79636943ed4" |
| 128 | "2046a96142bd084a04acfa0c490f452d756dea02c0f927259f1f3231ac0d541a" |
| 129 | "769129b740ce38090842b828c27fd729f59737ba98aa7b42e043c5da28f8dca8" |
| 130 | "590b2df410d5134fd6c4cacad8b30370602afa35d265bf4d127976bb36dbda6a" |
| 131 | "626f0270e20eebc73d6fcae2b1a0da122ee9042f76be56ebf41aa469c3d2c9da" |
| 132 | "9197d80008002a00040000040016", "", "" |
| 133 | }, |
| 134 | { |
| 135 | "3680c2b2109d25caa26c3b06eea9fdc5cb31613ba702176596da2e886bf6af93" |
| 136 | "507bd68161ad9cb4780653842e1041ecbf0088a65ac4ef438419dd1d95ddd9bd" |
| 137 | "2ad4484e7e167d0e6c008448ae58a0418713b6fc6c51e4bb23a537fb75a74f73" |
| 138 | "de31fe6aa0bc522515f8b25f8955428b5de5ac06762cec22b0aa78c94385ef8e" |
| 139 | "70fa24945b7c1f268510871689bbbbfaf2e7f4a19277024f95f1143ab12a31ec" |
| 140 | "63adb128cb390711fd6d06a498df3e98615d8eb102e23353b480efcca5e8e026" |
| 141 | "7a6d0fe2441f14c8c9664aefb2cfff6ae9e0442728b6a0940c1e824fda06", |
| 142 | "", "" |
| 143 | |
| 144 | }, |
| 145 | "a688ebb5ac826d6f42d45c0cc44b9b7d", |
| 146 | "c1cad4425a438b5de714830a", |
| 147 | "0000000000000000" |
| 148 | }, |
| 149 | { |
| 150 | /* Client: Application Data */ |
| 151 | { |
| 152 | "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" |
| 153 | "202122232425262728292a2b2c2d2e2f303117", "", "" |
| 154 | }, |
| 155 | { |
| 156 | "8c3497da00ae023e53c01b4324b665404c1b49e78fe2bf4d17f6348ae8340551" |
| 157 | "e363a0cd05f2179c4fef5ad689b5cae0bae94adc63632e571fb79aa91544c639" |
| 158 | "4d28a1", "", "" |
| 159 | |
| 160 | }, |
| 161 | "88b96ad686c84be55ace18a59cce5c87", |
| 162 | "b99dc58cd5ff5ab082fdad19", |
| 163 | "0000000000000000" |
| 164 | }, |
| 165 | |
| 166 | |
| 167 | { |
| 168 | /* Server: Application Data */ |
| 169 | { |
| 170 | "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" |
| 171 | "202122232425262728292a2b2c2d2e2f303117", "", "" |
| 172 | }, |
| 173 | { |
| 174 | "f65f49fd2df6cd2347c3d30166e3cfddb6308a5906c076112c6a37ff1dbd406b" |
| 175 | "5813c0abd734883017a6b2833186b13c14da5d75f33d8760789994e27d82043a" |
| 176 | "b88d65", "", "" |
| 177 | }, |
| 178 | "a688ebb5ac826d6f42d45c0cc44b9b7d", |
| 179 | "c1cad4425a438b5de714830a", |
| 180 | "0000000000000001" |
| 181 | }, |
| 182 | { |
| 183 | /* Client: CloseNotify */ |
| 184 | { |
| 185 | "010015", "", "" |
| 186 | }, |
| 187 | { |
| 188 | "2c2148163d7938a35f6acf2a6606f8cbd1d9f2", "", "" |
| 189 | }, |
| 190 | "88b96ad686c84be55ace18a59cce5c87", |
| 191 | "b99dc58cd5ff5ab082fdad19", |
| 192 | "0000000000000001" |
| 193 | }, |
| 194 | { |
| 195 | /* Server: CloseNotify */ |
| 196 | { |
| 197 | "010015", "", "" |
| 198 | }, |
| 199 | { |
| 200 | "f8141ebdb5eda511e0bce639a56ff9ea825a21", "", "" |
| 201 | |
| 202 | }, |
| 203 | "a688ebb5ac826d6f42d45c0cc44b9b7d", |
| 204 | "c1cad4425a438b5de714830a", |
| 205 | "0000000000000002" |
| 206 | } |
| 207 | }; |
| 208 | |
| 209 | /* |
| 210 | * Same thing as OPENSSL_hexstr2buf() but enables us to pass the string in |
| 211 | * 3 chunks |
| 212 | */ |
| 213 | static unsigned char *multihexstr2buf(const char *str[3], size_t *len) |
| 214 | { |
| 215 | size_t outer, inner, curr = 0; |
| 216 | unsigned char *outbuf; |
| 217 | size_t totlen = 0; |
| 218 | |
| 219 | /* Check lengths of all input strings are even */ |
| 220 | for (outer = 0; outer < 3; outer++) { |
| 221 | totlen += strlen(str[outer]); |
| 222 | if ((totlen & 1) != 0) |
| 223 | return NULL; |
| 224 | } |
| 225 | |
| 226 | totlen /= 2; |
| 227 | outbuf = OPENSSL_malloc(totlen); |
| 228 | if (outbuf == NULL) |
| 229 | return NULL; |
| 230 | |
| 231 | for (outer = 0; outer < 3; outer++) { |
| 232 | for (inner = 0; str[outer][inner] != 0; inner += 2) { |
| 233 | int hi, lo; |
| 234 | |
| 235 | hi = OPENSSL_hexchar2int(str[outer][inner]); |
| 236 | lo = OPENSSL_hexchar2int(str[outer][inner + 1]); |
| 237 | |
| 238 | if (hi < 0 || lo < 0) { |
| 239 | OPENSSL_free(outbuf); |
| 240 | return NULL; |
| 241 | } |
| 242 | outbuf[curr++] = (hi << 4) | lo; |
| 243 | } |
| 244 | } |
| 245 | |
| 246 | *len = totlen; |
| 247 | return outbuf; |
| 248 | } |
| 249 | |
| 250 | static int load_record(SSL3_RECORD *rec, RECORD_DATA *recd, unsigned char **key, |
| 251 | unsigned char *iv, size_t ivlen, unsigned char *seq) |
| 252 | { |
| 253 | unsigned char *pt = NULL, *sq = NULL, *ivtmp = NULL; |
| 254 | size_t ptlen; |
| 255 | |
| 256 | *key = OPENSSL_hexstr2buf(recd->key, NULL); |
| 257 | ivtmp = OPENSSL_hexstr2buf(recd->iv, NULL); |
| 258 | sq = OPENSSL_hexstr2buf(recd->seq, NULL); |
| 259 | pt = multihexstr2buf(recd->plaintext, &ptlen); |
| 260 | |
| 261 | if (*key == NULL || ivtmp == NULL || sq == NULL || pt == NULL) |
| 262 | goto err; |
| 263 | |
| 264 | rec->data = rec->input = OPENSSL_malloc(ptlen + EVP_GCM_TLS_TAG_LEN); |
| 265 | |
| 266 | if (rec->data == NULL) |
| 267 | goto err; |
| 268 | |
| 269 | rec->length = ptlen; |
| 270 | memcpy(rec->data, pt, ptlen); |
| 271 | OPENSSL_free(pt); |
| 272 | memcpy(seq, sq, SEQ_NUM_SIZE); |
| 273 | OPENSSL_free(sq); |
| 274 | memcpy(iv, ivtmp, ivlen); |
| 275 | OPENSSL_free(ivtmp); |
| 276 | |
| 277 | return 1; |
| 278 | err: |
| 279 | OPENSSL_free(*key); |
| 280 | *key = NULL; |
| 281 | OPENSSL_free(ivtmp); |
| 282 | OPENSSL_free(sq); |
| 283 | OPENSSL_free(pt); |
| 284 | return 0; |
| 285 | } |
| 286 | |
| 287 | static int test_record(SSL3_RECORD *rec, RECORD_DATA *recd, int enc) |
| 288 | { |
| 289 | int ret = 0; |
| 290 | unsigned char *refd; |
| 291 | size_t refdatalen = 0; |
| 292 | |
| 293 | if (enc) |
| 294 | refd = multihexstr2buf(recd->ciphertext, &refdatalen); |
| 295 | else |
| 296 | refd = multihexstr2buf(recd->plaintext, &refdatalen); |
| 297 | |
| 298 | if (!TEST_ptr(refd)) { |
| 299 | TEST_info("Failed to get reference data"); |
| 300 | goto err; |
| 301 | } |
| 302 | |
| 303 | if (!TEST_mem_eq(rec->data, rec->length, refd, refdatalen)) |
| 304 | goto err; |
| 305 | |
| 306 | ret = 1; |
| 307 | |
| 308 | err: |
| 309 | OPENSSL_free(refd); |
| 310 | return ret; |
| 311 | } |
| 312 | |
| 313 | #define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01") |
| 314 | |
| 315 | static int test_tls13_encryption(void) |
| 316 | { |
| 317 | SSL_CTX *ctx = NULL; |
| 318 | SSL *s = NULL; |
| 319 | SSL3_RECORD rec; |
| 320 | unsigned char *key = NULL, *iv = NULL, *seq = NULL; |
| 321 | const EVP_CIPHER *ciph = EVP_aes_128_gcm(); |
| 322 | int ret = 0; |
| 323 | size_t ivlen, ctr; |
| 324 | |
| 325 | /* |
| 326 | * Encrypted TLSv1.3 records always have an outer content type of |
| 327 | * application data, and a record version of TLSv1.2. |
| 328 | */ |
| 329 | rec.data = NULL; |
| 330 | rec.type = SSL3_RT_APPLICATION_DATA; |
| 331 | rec.rec_version = TLS1_2_VERSION; |
| 332 | |
| 333 | ctx = SSL_CTX_new(TLS_method()); |
| 334 | if (!TEST_ptr(ctx)) { |
| 335 | TEST_info("Failed creating SSL_CTX"); |
| 336 | goto err; |
| 337 | } |
| 338 | |
| 339 | s = SSL_new(ctx); |
| 340 | if (!TEST_ptr(s)) { |
| 341 | TEST_info("Failed creating SSL"); |
| 342 | goto err; |
| 343 | } |
| 344 | |
| 345 | s->enc_read_ctx = EVP_CIPHER_CTX_new(); |
| 346 | if (!TEST_ptr(s->enc_read_ctx)) |
| 347 | goto err; |
| 348 | |
| 349 | s->enc_write_ctx = EVP_CIPHER_CTX_new(); |
| 350 | if (!TEST_ptr(s->enc_write_ctx)) |
| 351 | goto err; |
| 352 | |
| 353 | s->s3->tmp.new_cipher = SSL_CIPHER_find(s, TLS13_AES_128_GCM_SHA256_BYTES); |
| 354 | if (!TEST_ptr(s->s3->tmp.new_cipher)) { |
| 355 | TEST_info("Failed to find cipher"); |
| 356 | goto err; |
| 357 | } |
| 358 | |
| 359 | for (ctr = 0; ctr < OSSL_NELEM(refdata); ctr++) { |
| 360 | /* Load the record */ |
| 361 | ivlen = EVP_CIPHER_iv_length(ciph); |
| 362 | if (!load_record(&rec, &refdata[ctr], &key, s->read_iv, ivlen, |
| 363 | RECORD_LAYER_get_read_sequence(&s->rlayer))) { |
| 364 | TEST_error("Failed loading key into EVP_CIPHER_CTX"); |
| 365 | goto err; |
| 366 | } |
| 367 | |
| 368 | /* Set up the read/write sequences */ |
| 369 | memcpy(RECORD_LAYER_get_write_sequence(&s->rlayer), |
| 370 | RECORD_LAYER_get_read_sequence(&s->rlayer), SEQ_NUM_SIZE); |
| 371 | memcpy(s->write_iv, s->read_iv, ivlen); |
| 372 | |
| 373 | /* Load the key into the EVP_CIPHER_CTXs */ |
| 374 | if (EVP_CipherInit_ex(s->enc_write_ctx, ciph, NULL, key, NULL, 1) <= 0 |
| 375 | || EVP_CipherInit_ex(s->enc_read_ctx, ciph, NULL, key, NULL, 0) |
| 376 | <= 0) { |
| 377 | TEST_error("Failed loading key into EVP_CIPHER_CTX\n"); |
| 378 | goto err; |
| 379 | } |
| 380 | |
| 381 | /* Encrypt it */ |
| 382 | if (!TEST_size_t_eq(tls13_enc(s, &rec, 1, 1), 1)) { |
| 383 | TEST_info("Failed to encrypt record %zu", ctr); |
| 384 | goto err; |
| 385 | } |
| 386 | if (!TEST_true(test_record(&rec, &refdata[ctr], 1))) { |
| 387 | TEST_info("Record %zu encryption test failed", ctr); |
| 388 | goto err; |
| 389 | } |
| 390 | |
| 391 | /* Decrypt it */ |
| 392 | if (!TEST_int_eq(tls13_enc(s, &rec, 1, 0), 1)) { |
| 393 | TEST_info("Failed to decrypt record %zu", ctr); |
| 394 | goto err; |
| 395 | } |
| 396 | if (!TEST_true(test_record(&rec, &refdata[ctr], 0))) { |
| 397 | TEST_info("Record %zu decryption test failed", ctr); |
| 398 | goto err; |
| 399 | } |
| 400 | |
| 401 | OPENSSL_free(rec.data); |
| 402 | OPENSSL_free(key); |
| 403 | OPENSSL_free(iv); |
| 404 | OPENSSL_free(seq); |
| 405 | rec.data = NULL; |
| 406 | key = NULL; |
| 407 | iv = NULL; |
| 408 | seq = NULL; |
| 409 | } |
| 410 | |
| 411 | TEST_note("PASS: %zu records tested", ctr); |
| 412 | ret = 1; |
| 413 | |
| 414 | err: |
| 415 | OPENSSL_free(rec.data); |
| 416 | OPENSSL_free(key); |
| 417 | OPENSSL_free(iv); |
| 418 | OPENSSL_free(seq); |
| 419 | SSL_free(s); |
| 420 | SSL_CTX_free(ctx); |
| 421 | return ret; |
| 422 | } |
| 423 | |
| 424 | int setup_tests(void) |
| 425 | { |
| 426 | ADD_TEST(test_tls13_encryption); |
| 427 | return 1; |
| 428 | } |