1 /* Copyright (c) 2018, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 // cavp_tlskdf_test processes NIST TLS KDF test vectors and emits the 16 // corresponding response. 17 // See https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/components/askdfvs.pdf, section 6.4. 18 19 #include <vector> 20 21 #include <errno.h> 22 23 #include <openssl/digest.h> 24 25 #include "cavp_test_util.h" 26 #include "../crypto/fipsmodule/tls/internal.h" 27 #include "../crypto/test/file_test.h" 28 29 30 static bool TestTLSKDF(FileTest *t, void *arg) { 31 const EVP_MD *md = nullptr; 32 33 if (t->HasInstruction("TLS 1.0/1.1")) { 34 md = EVP_md5_sha1(); 35 } else if (t->HasInstruction("TLS 1.2")) { 36 if (t->HasInstruction("SHA-256")) { 37 md = EVP_sha256(); 38 } else if (t->HasInstruction("SHA-384")) { 39 md = EVP_sha384(); 40 } else if (t->HasInstruction("SHA-512")) { 41 md = EVP_sha512(); 42 } 43 } 44 45 if (md == nullptr) { 46 return false; 47 } 48 49 std::string key_block_len_str; 50 std::vector<uint8_t> premaster, server_random, client_random, 51 key_block_server_random, key_block_client_random; 52 if (!t->GetBytes(&premaster, "pre_master_secret") || 53 !t->GetBytes(&server_random, "serverHello_random") || 54 !t->GetBytes(&client_random, "clientHello_random") || 55 // The NIST tests specify different client and server randoms for the 56 // expansion step from the master-secret step. This is impossible in TLS. 57 !t->GetBytes(&key_block_server_random, "server_random") || 58 !t->GetBytes(&key_block_client_random, "client_random") || 59 !t->GetInstruction(&key_block_len_str, "key block length") || 60 // These are ignored. 61 !t->HasAttribute("COUNT") || 62 !t->HasInstruction("pre-master secret length")) { 63 return false; 64 } 65 66 uint8_t master_secret[48]; 67 static const char kMasterSecretLabel[] = "master secret"; 68 if (!CRYPTO_tls1_prf(md, master_secret, sizeof(master_secret), 69 premaster.data(), premaster.size(), kMasterSecretLabel, 70 sizeof(kMasterSecretLabel) - 1, client_random.data(), 71 client_random.size(), server_random.data(), 72 server_random.size())) { 73 return false; 74 } 75 76 errno = 0; 77 const long int key_block_bits = 78 strtol(key_block_len_str.c_str(), nullptr, 10); 79 if (errno != 0 || key_block_bits <= 0 || (key_block_bits & 7) != 0) { 80 return false; 81 } 82 const size_t key_block_len = key_block_bits / 8; 83 std::vector<uint8_t> key_block(key_block_len); 84 static const char kLabel[] = "key expansion"; 85 if (!CRYPTO_tls1_prf( 86 md, key_block.data(), key_block.size(), master_secret, 87 sizeof(master_secret), kLabel, sizeof(kLabel) - 1, 88 key_block_server_random.data(), key_block_server_random.size(), 89 key_block_client_random.data(), key_block_client_random.size())) { 90 return false; 91 } 92 93 printf("%smaster_secret = %s\r\nkey_block = %s\r\n\r\n", 94 t->CurrentTestToString().c_str(), 95 EncodeHex(master_secret, sizeof(master_secret)).c_str(), 96 EncodeHex(key_block.data(), key_block.size()).c_str()); 97 98 return true; 99 } 100 101 int cavp_tlskdf_test_main(int argc, char **argv) { 102 if (argc != 2) { 103 fprintf(stderr, "usage: %s <test file>\n", argv[0]); 104 return 1; 105 } 106 107 FileTest::Options opts; 108 opts.path = argv[1]; 109 opts.callback = TestTLSKDF; 110 opts.silent = true; 111 opts.comment_callback = EchoComment; 112 return FileTestMain(opts); 113 } 114