EXT_RETURN tls_construct_stoc_key_share(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { #ifndef OPENSSL_NO_TLS1_3 unsigned char *encodedPoint; size_t encoded_pt_len = 0; EVP_PKEY *ckey = s->s3->peer_tmp, *skey = NULL; if (ckey == NULL) { /* No key_share received from client */ if (s->hello_retry_request) { if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } return EXT_RETURN_SENT; } /* Must be resuming. */ if (!s->hit || !tls13_generate_handshake_secret(s, NULL, 0)) { *al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } return EXT_RETURN_NOT_SENT; } if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_key_share) || !WPACKET_start_sub_packet_u16(pkt) || !WPACKET_put_bytes_u16(pkt, s->s3->group_id)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } skey = ssl_generate_pkey(ckey); if (skey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_MALLOC_FAILURE); return EXT_RETURN_FAIL; } /* Generate encoding of server key */ encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, &encodedPoint); if (encoded_pt_len == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_EC_LIB); EVP_PKEY_free(skey); return EXT_RETURN_FAIL; } if (!WPACKET_sub_memcpy_u16(pkt, encodedPoint, encoded_pt_len) || !WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); EVP_PKEY_free(skey); OPENSSL_free(encodedPoint); return EXT_RETURN_FAIL; } OPENSSL_free(encodedPoint); /* This causes the crypto state to be updated based on the derived keys */ s->s3->tmp.pkey = skey; if (ssl_derive(s, skey, ckey, 1) == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_STOC_KEY_SHARE, ERR_R_INTERNAL_ERROR); return EXT_RETURN_FAIL; } #endif return EXT_RETURN_SENT; }
static int test_handshake_secrets(void) { SSL_CTX *ctx = NULL; SSL *s = NULL; int ret = 0; size_t hashsize; unsigned char out_master_secret[EVP_MAX_MD_SIZE]; size_t master_secret_length; ctx = SSL_CTX_new(TLS_method()); if (!TEST_ptr(ctx)) goto err; s = SSL_new(ctx); if (!TEST_ptr(s )) goto err; s->session = SSL_SESSION_new(); if (!TEST_ptr(s->session)) goto err; if (!TEST_true(tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0, (unsigned char *)&s->early_secret))) { TEST_info("Early secret generation failed"); goto err; } if (!TEST_mem_eq(s->early_secret, sizeof(early_secret), early_secret, sizeof(early_secret))) { TEST_info("Early secret does not match"); goto err; } if (!TEST_true(tls13_generate_handshake_secret(s, ecdhe_secret, sizeof(ecdhe_secret)))) { TEST_info("Hanshake secret generation failed"); goto err; } if (!TEST_mem_eq(s->handshake_secret, sizeof(handshake_secret), handshake_secret, sizeof(handshake_secret))) goto err; hashsize = EVP_MD_size(ssl_handshake_md(s)); if (!TEST_size_t_eq(sizeof(client_hts), hashsize)) goto err; if (!TEST_size_t_eq(sizeof(client_hts_key), KEYLEN)) goto err; if (!TEST_size_t_eq(sizeof(client_hts_iv), IVLEN)) goto err; if (!TEST_true(test_secret(s, s->handshake_secret, (unsigned char *)client_hts_label, strlen(client_hts_label), client_hts, client_hts_key, client_hts_iv))) { TEST_info("Client handshake secret test failed"); goto err; } if (!TEST_size_t_eq(sizeof(server_hts), hashsize)) goto err; if (!TEST_size_t_eq(sizeof(server_hts_key), KEYLEN)) goto err; if (!TEST_size_t_eq(sizeof(server_hts_iv), IVLEN)) goto err; if (!TEST_true(test_secret(s, s->handshake_secret, (unsigned char *)server_hts_label, strlen(server_hts_label), server_hts, server_hts_key, server_hts_iv))) { TEST_info("Server handshake secret test failed"); goto err; } /* * Ensure the mocked out ssl_handshake_hash() returns the full handshake * hash. */ full_hash = 1; if (!TEST_true(tls13_generate_master_secret(s, out_master_secret, s->handshake_secret, hashsize, &master_secret_length))) { TEST_info("Master secret generation failed"); goto err; } if (!TEST_mem_eq(out_master_secret, master_secret_length, master_secret, sizeof(master_secret))) { TEST_info("Master secret does not match"); goto err; } if (!TEST_size_t_eq(sizeof(client_ats), hashsize)) goto err; if (!TEST_size_t_eq(sizeof(client_ats_key), KEYLEN)) goto err; if (!TEST_size_t_eq(sizeof(client_ats_iv), IVLEN)) goto err; if (!TEST_true(test_secret(s, out_master_secret, (unsigned char *)client_ats_label, strlen(client_ats_label), client_ats, client_ats_key, client_ats_iv))) { TEST_info("Client application data secret test failed"); goto err; } if (!TEST_size_t_eq(sizeof(server_ats), hashsize)) goto err; if (!TEST_size_t_eq(sizeof(server_ats_key), KEYLEN)) goto err; if (!TEST_size_t_eq(sizeof(server_ats_iv), IVLEN)) goto err; if (!TEST_true(test_secret(s, out_master_secret, (unsigned char *)server_ats_label, strlen(server_ats_label), server_ats, server_ats_key, server_ats_iv))) { TEST_info("Server application data secret test failed"); goto err; } ret = 1; err: SSL_free(s); SSL_CTX_free(ctx); return ret; }
static int test_handshake_secrets(void) { SSL_CTX *ctx = NULL; SSL *s = NULL; int ret = 0; size_t hashsize; unsigned char out_master_secret[EVP_MAX_MD_SIZE]; size_t master_secret_length; ctx = SSL_CTX_new(TLS_method()); if (ctx == NULL) goto err; s = SSL_new(ctx); if (s == NULL) goto err; s->session = SSL_SESSION_new(); if (s->session == NULL) goto err; if (!tls13_generate_secret(s, ssl_handshake_md(s), NULL, NULL, 0, (unsigned char *)&s->early_secret)) { fprintf(stderr, "Early secret generation failed\n"); goto err; } if (memcmp(s->early_secret, early_secret, sizeof(early_secret)) != 0) { fprintf(stderr, "Early secret does not match\n"); goto err; } if (!tls13_generate_handshake_secret(s, ecdhe_secret, sizeof(ecdhe_secret))) { fprintf(stderr, "Hanshake secret generation failed\n"); goto err; } if (memcmp(s->handshake_secret, handshake_secret, sizeof(handshake_secret)) != 0) { fprintf(stderr, "Handshake secret does not match\n"); goto err; } hashsize = EVP_MD_size(ssl_handshake_md(s)); if (sizeof(client_hts) != hashsize || sizeof(client_hts_key) != KEYLEN || sizeof(client_hts_iv) != IVLEN) { fprintf(stderr, "Internal test error\n"); goto err; } if (!test_secret(s, s->handshake_secret, (unsigned char *)client_hts_label, strlen(client_hts_label), client_hts, client_hts_key, client_hts_iv)) { fprintf(stderr, "Client handshake secret test failed\n"); goto err; } if (sizeof(server_hts) != hashsize || sizeof(server_hts_key) != KEYLEN || sizeof(server_hts_iv) != IVLEN) { fprintf(stderr, "Internal test error\n"); goto err; } if (!test_secret(s, s->handshake_secret, (unsigned char *)server_hts_label, strlen(server_hts_label), server_hts, server_hts_key, server_hts_iv)) { fprintf(stderr, "Server handshake secret test failed\n"); goto err; } /* * Ensure the mocked out ssl_handshake_hash() returns the full handshake * hash. */ full_hash = 1; if (!tls13_generate_master_secret(s, out_master_secret, s->handshake_secret, hashsize, &master_secret_length)) { fprintf(stderr, "Master secret generation failed\n"); goto err; } if (master_secret_length != sizeof(master_secret) || memcmp(out_master_secret, master_secret, sizeof(master_secret)) != 0) { fprintf(stderr, "Master secret does not match\n"); goto err; } if (sizeof(client_ats) != hashsize || sizeof(client_ats_key) != KEYLEN || sizeof(client_ats_iv) != IVLEN) { fprintf(stderr, "Internal test error\n"); goto err; } if (!test_secret(s, out_master_secret, (unsigned char *)client_ats_label, strlen(client_ats_label), client_ats, client_ats_key, client_ats_iv)) { fprintf(stderr, "Client application data secret test failed\n"); goto err; } if (sizeof(server_ats) != hashsize || sizeof(server_ats_key) != KEYLEN || sizeof(server_ats_iv) != IVLEN) { fprintf(stderr, "Internal test error\n"); goto err; } if (!test_secret(s, out_master_secret, (unsigned char *)server_ats_label, strlen(server_ats_label), server_ats, server_ats_key, server_ats_iv)) { fprintf(stderr, "Server application data secret test failed\n"); goto err; } ret = 1; err: SSL_free(s); SSL_CTX_free(ctx); return ret; }