2018-01-05 21:59:09 +00:00
|
|
|
/* Copyright (c) 2018, Google Inc.
|
|
|
|
|
*
|
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
|
|
// cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the
|
|
|
|
|
// corresponding response.
|
|
|
|
|
// See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4.
|
|
|
|
|
|
|
|
|
|
#include <vector>
|
|
|
|
|
|
2018-02-02 22:42:32 +00:00
|
|
|
#include <errno.h>
|
|
|
|
|
|
2018-01-05 21:59:09 +00:00
|
|
|
#include <openssl/digest.h>
|
|
|
|
|
|
|
|
|
|
#include "cavp_test_util.h"
|
|
|
|
|
#include "../crypto/fipsmodule/tls/internal.h"
|
|
|
|
|
#include "../crypto/test/file_test.h"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static bool TestTLSKDF(FileTest *t, void *arg) {
|
|
|
|
|
const EVP_MD *md = nullptr;
|
|
|
|
|
|
|
|
|
|
if (t->HasInstruction("TLS 1.0/1.1")) {
|
|
|
|
|
md = EVP_md5_sha1();
|
|
|
|
|
} else if (t->HasInstruction("TLS 1.2")) {
|
|
|
|
|
if (t->HasInstruction("SHA-256")) {
|
|
|
|
|
md = EVP_sha256();
|
|
|
|
|
} else if (t->HasInstruction("SHA-384")) {
|
|
|
|
|
md = EVP_sha384();
|
|
|
|
|
} else if (t->HasInstruction("SHA-512")) {
|
|
|
|
|
md = EVP_sha512();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (md == nullptr) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
std::string key_block_len_str;
|
|
|
|
|
std::vector<uint8_t> premaster, server_random, client_random,
|
|
|
|
|
key_block_server_random, key_block_client_random;
|
|
|
|
|
if (!t->GetBytes(&premaster, "pre_master_secret") ||
|
|
|
|
|
!t->GetBytes(&server_random, "serverHello_random") ||
|
|
|
|
|
!t->GetBytes(&client_random, "clientHello_random") ||
|
|
|
|
|
// The NIST tests specify different client and server randoms for the
|
|
|
|
|
// expansion step from the master-secret step. This is impossible in TLS.
|
|
|
|
|
!t->GetBytes(&key_block_server_random, "server_random") ||
|
|
|
|
|
!t->GetBytes(&key_block_client_random, "client_random") ||
|
|
|
|
|
!t->GetInstruction(&key_block_len_str, "key block length") ||
|
|
|
|
|
// These are ignored.
|
|
|
|
|
!t->HasAttribute("COUNT") ||
|
|
|
|
|
!t->HasInstruction("pre-master secret length")) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uint8_t master_secret[48];
|
|
|
|
|
static const char kMasterSecretLabel[] = "master secret";
|
|
|
|
|
if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret),
|
|
|
|
|
premaster.data(), premaster.size(), kMasterSecretLabel,
|
|
|
|
|
sizeof(kMasterSecretLabel) - 1, client_random.data(),
|
|
|
|
|
client_random.size(), server_random.data(),
|
|
|
|
|
server_random.size())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
errno = 0;
|
|
|
|
|
const long int key_block_bits =
|
|
|
|
|
strtol(key_block_len_str.c_str(), nullptr, 10);
|
|
|
|
|
if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
const size_t key_block_len = key_block_bits / 8;
|
|
|
|
|
std::vector<uint8_t> key_block(key_block_len);
|
|
|
|
|
static const char kLabel[] = "key expansion";
|
|
|
|
|
if (!CRYPTO_tls1_prf(
|
|
|
|
|
md, key_block.data(), key_block.size(), master_secret,
|
|
|
|
|
sizeof(master_secret), kLabel, sizeof(kLabel) - 1,
|
|
|
|
|
key_block_server_random.data(), key_block_server_random.size(),
|
|
|
|
|
key_block_client_random.data(), key_block_client_random.size())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n",
|
|
|
|
|
t->CurrentTestToString().c_str(),
|
|
|
|
|
EncodeHex(master_secret, sizeof(master_secret)).c_str(),
|
|
|
|
|
EncodeHex(key_block.data(), key_block.size()).c_str());
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int cavp_tlskdf_test_main(int argc, char **argv) {
|
|
|
|
|
if (argc != 2) {
|
|
|
|
|
fprintf(stderr, "usage: %s <test file>\n", argv[0]);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
FileTest::Options opts;
|
|
|
|
|
opts.path = argv[1];
|
|
|
|
|
opts.callback = TestTLSKDF;
|
|
|
|
|
opts.silent = true;
|
|
|
|
|
opts.comment_callback = EchoComment;
|
|
|
|
|
return FileTestMain(opts);
|
|
|
|
|
}
|
