int main(int argc, char **argv)
{
uint8_t data[256] = { 0 };
struct s2n_drbg drbg = {{ 0 }};
struct s2n_blob blob = {.data = data, .size = 64 };
struct s2n_timer timer;
uint64_t drbg_nanoseconds;
uint64_t urandom_nanoseconds;
struct s2n_stuffer nist_reference_personalization_strings;
struct s2n_stuffer nist_reference_returned_bits;
struct s2n_stuffer nist_reference_values;
struct s2n_config *config;
BEGIN_TEST();
EXPECT_NOT_NULL(config = s2n_config_new())
/* Open /dev/urandom */
EXPECT_TRUE(entropy_fd = open("/dev/urandom", O_RDONLY));
/* Convert the hex entropy data into binary */
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_entropy, nist_reference_entropy_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_personalization_strings, nist_reference_personalization_strings_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_returned_bits, nist_reference_returned_bits_hex));
EXPECT_SUCCESS(s2n_stuffer_alloc_ro_from_hex_string(&nist_reference_values, nist_reference_values_hex));
/* Check everything against the NIST vectors */
for (int i = 0; i < 14; i++) {
uint8_t ps[32];
struct s2n_drbg nist_drbg = { .entropy_generator = nist_fake_urandom_data };
struct s2n_blob personalization_string = {.data = ps, .size = 32};
/* Read the next personalization string */
EXPECT_SUCCESS(s2n_stuffer_read(&nist_reference_personalization_strings, &personalization_string));
/* Instantiate the DRBG */
EXPECT_SUCCESS(s2n_drbg_instantiate(&nist_drbg, &personalization_string));
uint8_t nist_v[16];
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
/* Generate 512 bits (FIRST CALL) */
uint8_t out[64];
struct s2n_blob generated = {.data = out, .size = 64 };
EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated));
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
/* Generate another 512 bits (SECOND CALL) */
EXPECT_SUCCESS(s2n_drbg_generate(&nist_drbg, &generated));
GUARD(s2n_stuffer_read_bytes(&nist_reference_values, nist_v, sizeof(nist_v)));
EXPECT_TRUE(memcmp(nist_v, nist_drbg.v, sizeof(nist_drbg.v)) == 0);
uint8_t nist_returned_bits[64];
GUARD(s2n_stuffer_read_bytes(&nist_reference_returned_bits, nist_returned_bits, sizeof(nist_returned_bits)));
EXPECT_TRUE(memcmp(nist_returned_bits, out, sizeof(nist_returned_bits)) == 0);
EXPECT_SUCCESS(s2n_drbg_wipe(&nist_drbg));
}
EXPECT_SUCCESS(s2n_drbg_instantiate(&drbg, &blob));
/* Use the DRBG for 32MB of data */
EXPECT_SUCCESS(s2n_timer_start(config, &timer));
for (int i = 0; i < 500000; i++) {
EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob));
}
EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &drbg_nanoseconds));
/* Use urandom for 32MB of data */
EXPECT_SUCCESS(s2n_timer_start(config, &timer));
for (int i = 0; i < 500000; i++) {
EXPECT_SUCCESS(s2n_get_urandom_data(&blob));
}
EXPECT_SUCCESS(s2n_timer_reset(config, &timer, &urandom_nanoseconds));
/* Confirm that the DRBG is faster than urandom */
EXPECT_TRUE(drbg_nanoseconds < urandom_nanoseconds);
/* NOTE: s2n_random_test also includes monobit tests for this DRBG */
/* the DRBG state is 128 bytes, test that we can get more than that */
blob.size = 129;
for (int i = 0; i < 10; i++) {
EXPECT_SUCCESS(s2n_drbg_generate(&drbg, &blob));
}
EXPECT_SUCCESS(s2n_drbg_wipe(&drbg));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_entropy));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_personalization_strings));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_returned_bits));
EXPECT_SUCCESS(s2n_stuffer_free(&nist_reference_values));
END_TEST();
}
int main(int argc, char **argv) {
BEGIN_TEST();
EXPECT_SUCCESS(setenv("S2N_ENABLE_CLIENT_MODE", "1", 0));
/* Part 1 setup a client and server connection with everything they need for a key exchange */
struct s2n_connection *client_conn, *server_conn;
EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
struct s2n_config *server_config, *client_config;
client_config = s2n_fetch_unsafe_client_testing_config();
GUARD(s2n_connection_set_config(client_conn, client_config));
/* Part 1.1 setup server's keypair and the give the client the certificate */
char *cert_chain;
char *private_key;
char *client_chain;
EXPECT_NOT_NULL(cert_chain = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(private_key = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(client_chain = malloc(S2N_MAX_TEST_PEM_SIZE));
EXPECT_NOT_NULL(server_config = s2n_config_new());
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_CERT_CHAIN, cert_chain, S2N_MAX_TEST_PEM_SIZE));
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
EXPECT_SUCCESS(s2n_read_test_pem(S2N_RSA_2048_PKCS1_LEAF_CERT, client_chain, S2N_MAX_TEST_PEM_SIZE));
struct s2n_cert_chain_and_key *chain_and_key;
EXPECT_NOT_NULL(chain_and_key = s2n_cert_chain_and_key_new());
EXPECT_SUCCESS(s2n_cert_chain_and_key_load_pem(chain_and_key, cert_chain, private_key));
EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
GUARD(s2n_set_signature_hash_pair_from_preference_list(server_conn, &server_conn->handshake_params.client_sig_hash_algs, &server_conn->secure.conn_hash_alg, &server_conn->secure.conn_sig_alg));
DEFER_CLEANUP(struct s2n_stuffer certificate_in = {{0}}, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_in, S2N_MAX_TEST_PEM_SIZE));
DEFER_CLEANUP(struct s2n_stuffer certificate_out = {{0}}, s2n_stuffer_free);
EXPECT_SUCCESS(s2n_stuffer_alloc(&certificate_out, S2N_MAX_TEST_PEM_SIZE));
struct s2n_blob temp_blob;
temp_blob.data = (uint8_t *) client_chain;
temp_blob.size = strlen(client_chain) + 1;
EXPECT_SUCCESS(s2n_stuffer_write(&certificate_in, &temp_blob));
EXPECT_SUCCESS(s2n_stuffer_certificate_from_pem(&certificate_in, &certificate_out));
temp_blob.size = s2n_stuffer_data_available(&certificate_out);
temp_blob.data = s2n_stuffer_raw_read(&certificate_out, temp_blob.size);
s2n_cert_type cert_type;
EXPECT_SUCCESS(s2n_asn1der_to_public_key_and_type(&client_conn->secure.server_public_key, &cert_type, &temp_blob));
server_conn->handshake_params.our_chain_and_key = chain_and_key;
EXPECT_SUCCESS(setup_connection(server_conn));
EXPECT_SUCCESS(setup_connection(client_conn));
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Read the seed from the RSP_FILE and create the DRBG for the test. Since the seed is the same (and prediction
* resistance is off) all calls to generate random data will return the same sequence. Thus the server always
* generates the same ECDHE point and KEM public key, the client does the same. */
FILE *kat_file = fopen(RSP_FILE_NAME, "r");
EXPECT_NOT_NULL(kat_file);
EXPECT_SUCCESS(s2n_alloc(&kat_entropy_blob, 48));
EXPECT_SUCCESS(ReadHex(kat_file, kat_entropy_blob.data, 48, "seed = "));
struct s2n_drbg drbg = {.entropy_generator = &s2n_entropy_generator};
s2n_stack_blob(personalization_string, 32, 32);
EXPECT_SUCCESS(s2n_drbg_instantiate(&drbg, &personalization_string, S2N_DANGEROUS_AES_256_CTR_NO_DF_NO_PR));
EXPECT_SUCCESS(s2n_set_private_drbg_for_test(drbg));
#endif
/* Part 2 server sends key first */
EXPECT_SUCCESS(s2n_server_key_send(server_conn));
/* Part 2.1 verify the results as best we can */
EXPECT_EQUAL(server_conn->handshake.io.write_cursor, SERVER_KEY_MESSAGE_LENGTH);
struct s2n_blob server_key_message = {.size = SERVER_KEY_MESSAGE_LENGTH, .data = s2n_stuffer_raw_read(&server_conn->handshake.io, SERVER_KEY_MESSAGE_LENGTH)};
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 2.1.1 if we're running in known answer mode check the server's key exchange message matches the expected value */
uint8_t expected_server_key_message[SERVER_KEY_MESSAGE_LENGTH];
EXPECT_SUCCESS(ReadHex(kat_file, expected_server_key_message, SERVER_KEY_MESSAGE_LENGTH, "expected_server_key_exchange = "));
EXPECT_BYTEARRAY_EQUAL(expected_server_key_message, server_key_message.data, SERVER_KEY_MESSAGE_LENGTH);
#endif
/* Part 2.2 copy server's message to the client's stuffer */
s2n_stuffer_write(&client_conn->handshake.io, &server_key_message);
/* Part 3 client recvs the server's key and sends the client key exchange message */
EXPECT_SUCCESS(s2n_server_key_recv(client_conn));
EXPECT_SUCCESS(s2n_client_key_send(client_conn));
/* Part 3.1 verify the results as best we can */
EXPECT_EQUAL(client_conn->handshake.io.write_cursor - client_conn->handshake.io.read_cursor, CLIENT_KEY_MESSAGE_LENGTH);
struct s2n_blob client_key_message = {.size = CLIENT_KEY_MESSAGE_LENGTH, .data = s2n_stuffer_raw_read(&client_conn->handshake.io, CLIENT_KEY_MESSAGE_LENGTH)};
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 3.1.1 if we're running in known answer mode check the client's key exchange message matches the expected value */
uint8_t expected_client_key_message[CLIENT_KEY_MESSAGE_LENGTH];
EXPECT_SUCCESS(ReadHex(kat_file, expected_client_key_message, CLIENT_KEY_MESSAGE_LENGTH, "expected_client_key_exchange = "));
EXPECT_BYTEARRAY_EQUAL(expected_client_key_message, client_key_message.data, CLIENT_KEY_MESSAGE_LENGTH);
#endif
/* Part 3.2 copy the client's message back to the server's stuffer */
s2n_stuffer_write(&server_conn->handshake.io, &client_key_message);
/* Part 4 server receives the client's message */
EXPECT_SUCCESS(s2n_client_key_recv(server_conn));
/* Part 4.1 verify results as best we can, the client and server should at least have the same master secret */
EXPECT_BYTEARRAY_EQUAL(server_conn->secure.master_secret, client_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Part 4.1.1 if we're running in known answer mode check that both the client and server got the expected master secret
* from the RSP_FILE */
uint8_t expected_master_secret[S2N_TLS_SECRET_LEN];
EXPECT_SUCCESS(ReadHex(kat_file, expected_master_secret, S2N_TLS_SECRET_LEN, "expected_master_secret = "));
EXPECT_BYTEARRAY_EQUAL(expected_master_secret, client_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
EXPECT_BYTEARRAY_EQUAL(expected_master_secret, server_conn->secure.master_secret, S2N_TLS_SECRET_LEN);
#endif
EXPECT_SUCCESS(s2n_cert_chain_and_key_free(chain_and_key));
EXPECT_SUCCESS(s2n_connection_free(client_conn));
EXPECT_SUCCESS(s2n_connection_free(server_conn));
EXPECT_SUCCESS(s2n_config_free(server_config));
free(cert_chain);
free(client_chain);
free(private_key);
#if S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND
/* Extra cleanup needed for the known answer test */
fclose(kat_file);
#endif
END_TEST();
}
