diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 48 | ||||
| -rw-r--r-- | lib/ssl/src/tls_v1.erl | 78 | ||||
| -rw-r--r-- | lib/ssl/test/Makefile | 1 | ||||
| -rw-r--r-- | lib/ssl/test/ssl_rfc_5869_SUITE.erl | 316 | 
4 files changed, 412 insertions, 31 deletions
| diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index e12faba824..ff3e0d9c90 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -44,7 +44,7 @@  	 hash_algorithm/1, sign_algorithm/1, is_acceptable_hash/2, is_fallback/1,  	 random_bytes/1, calc_mac_hash/4,           is_stream_ciphersuite/1, signature_scheme/1, -         scheme_to_components/1]). +         scheme_to_components/1, hash_size/1]).  -compile(inline). @@ -651,6 +651,29 @@ is_stream_ciphersuite(#{cipher := rc4_128}) ->      true;  is_stream_ciphersuite(_) ->      false. + +-spec  hash_size(atom()) -> integer(). +hash_size(null) -> +    0; +%% The AEAD MAC hash size is not used in the context  +%% of calculating the master secret. See RFC 5246 Section 6.2.3.3. +hash_size(aead) -> +    0; +hash_size(md5) -> +    16; +hash_size(sha) -> +    20; +%% Uncomment when adding cipher suite that needs it +%hash_size(sha224) -> +%    28; +hash_size(sha256) -> +    32; +hash_size(sha384) -> +    48. +%% Uncomment when adding cipher suite that needs it +%hash_size(sha512) -> +%    64. +  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- @@ -861,29 +884,6 @@ scheme_to_components(rsa_pss_pss_sha512) -> {sha512, rsa_pss_pss, undefined};  scheme_to_components(rsa_pkcs1_sha1) -> {sha1, rsa_pkcs1, undefined};  scheme_to_components(ecdsa_sha1) -> {sha1, ecdsa, undefined}. - - -hash_size(null) -> -    0; -%% The AEAD MAC hash size is not used in the context  -%% of calculating the master secret. See RFC 5246 Section 6.2.3.3. -hash_size(aead) -> -    0; -hash_size(md5) -> -    16; -hash_size(sha) -> -    20; -%% Uncomment when adding cipher suite that needs it -%hash_size(sha224) -> -%    28; -hash_size(sha256) -> -    32; -hash_size(sha384) -> -    48. -%% Uncomment when adding cipher suite that needs it -%hash_size(sha512) -> -%    64. -  %% RFC 5246: 6.2.3.2.  CBC Block Cipher  %%  %%   Implementation note: Canvel et al. [CBCTIME] have demonstrated a diff --git a/lib/ssl/src/tls_v1.erl b/lib/ssl/src/tls_v1.erl index e7218c8c8a..68ba598612 100644 --- a/lib/ssl/src/tls_v1.erl +++ b/lib/ssl/src/tls_v1.erl @@ -36,6 +36,8 @@           default_signature_schemes/1, signature_schemes/2,           groups/1, groups/2, group_to_enum/1, enum_to_group/1]). +-export([derive_secret/4, hkdf_expand_label/5, hkdf_extract/3, hkdf_expand/4]). +  -type named_curve() :: sect571r1 | sect571k1 | secp521r1 | brainpoolP512r1 |                         sect409k1 | sect409r1 | brainpoolP384r1 | secp384r1 |                         sect283k1 | sect283r1 | brainpoolP256r1 | secp256k1 | secp256r1 | @@ -52,6 +54,44 @@  %% Internal application API  %%==================================================================== +%% TLS 1.3 --------------------------------------------------- +-spec derive_secret(Secret::binary(), Label::binary(), +                    Messages::binary(), Algo::ssl_cipher_format:hash()) -> Key::binary(). +derive_secret(Secret, Label, Messages, Algo) -> +    Hash = crypto:hash(mac_algo(Algo), Messages), +    hkdf_expand_label(Secret, Label, +                      Hash, ssl_cipher:hash_size(Algo), Algo). + +-spec hkdf_expand_label(Secret::binary(), Label0::binary(), +                        Context::binary(), Length::integer(),   +                        Algo::ssl_cipher_format:hash()) -> KeyingMaterial::binary(). +hkdf_expand_label(Secret, Label0, Context, Length, Algo) -> +    %% struct { +    %%     uint16 length = Length; +    %%     opaque label<7..255> = "tls13 " + Label; +    %%     opaque context<0..255> = Context; +    %% } HkdfLabel; +    Content = << <<"tls13">>/binary, Label0/binary, Context/binary>>, +    Len = size(Content), +    HkdfLabel = <<?UINT16(Len), Content/binary>>, +    hkdf_expand(Secret, HkdfLabel, Length, Algo). +     +-spec hkdf_extract(MacAlg::ssl_cipher_format:hash(), Salt::binary(),  +                   KeyingMaterial::binary()) -> PseudoRandKey::binary(). + +hkdf_extract(MacAlg, Salt, KeyingMaterial) ->  +    hmac_hash(MacAlg, Salt, KeyingMaterial). + + +-spec hkdf_expand(PseudoRandKey::binary(), ContextInfo::binary(), +                  Length::integer(), Algo::ssl_cipher_format:hash()) -> KeyingMaterial::binary(). +                      +hkdf_expand(PseudoRandKey, ContextInfo, Length, Algo) ->  +    Iterations = erlang:ceil(Length / ssl_cipher:hash_size(Algo)), +    hkdf_expand(Algo, PseudoRandKey, ContextInfo, Length, 1, Iterations, <<>>, <<>>). +%% TLS 1.3 --------------------------------------------------- + +%% TLS 1.0 -1.2  ---------------------------------------------------  -spec master_secret(integer(), binary(), binary(), binary()) -> binary().  master_secret(PrfAlgo, PreMasterSecret, ClientRandom, ServerRandom) -> @@ -61,9 +101,10 @@ master_secret(PrfAlgo, PreMasterSecret, ClientRandom, ServerRandom) ->      prf(PrfAlgo, PreMasterSecret, <<"master secret">>,  	[ClientRandom, ServerRandom], 48). +%% TLS 1.0 -1.2  ---------------------------------------------------  -spec finished(client | server, integer(), integer(), binary(), [binary()]) -> binary(). - +%% TLS 1.0 -1.1  ---------------------------------------------------  finished(Role, Version, PrfAlgo, MasterSecret, Handshake)    when Version == 1; Version == 2; PrfAlgo == ?MD5SHA ->      %% RFC 2246 & 4346 - 7.4.9. Finished @@ -77,9 +118,11 @@ finished(Role, Version, PrfAlgo, MasterSecret, Handshake)      MD5 = crypto:hash(md5, Handshake),      SHA = crypto:hash(sha, Handshake),      prf(?MD5SHA, MasterSecret, finished_label(Role), [MD5, SHA], 12); +%% TLS 1.0 -1.1  --------------------------------------------------- +%% TLS 1.2 ---------------------------------------------------  finished(Role, Version, PrfAlgo, MasterSecret, Handshake) -  when Version == 3; Version == 4 -> +  when Version == 3 ->      %% RFC 5246 - 7.4.9. Finished      %% struct {      %%          opaque verify_data[12]; @@ -89,22 +132,28 @@ finished(Role, Version, PrfAlgo, MasterSecret, Handshake)      %%          PRF(master_secret, finished_label, Hash(handshake_messages)) [0..11];      Hash = crypto:hash(mac_algo(PrfAlgo), Handshake),      prf(PrfAlgo, MasterSecret, finished_label(Role), Hash, 12). +%% TLS 1.2 --------------------------------------------------- +%% TODO 1.3 finished  -spec certificate_verify(md5sha | sha, integer(), [binary()]) -> binary(). +%% TLS 1.0 -1.1  ---------------------------------------------------  certificate_verify(md5sha, _Version, Handshake) ->      MD5 = crypto:hash(md5, Handshake),      SHA = crypto:hash(sha, Handshake),      <<MD5/binary, SHA/binary>>; +%% TLS 1.0 -1.1  --------------------------------------------------- +%% TLS 1.2 ---------------------------------------------------  certificate_verify(HashAlgo, _Version, Handshake) ->      crypto:hash(HashAlgo, Handshake). +%% TLS 1.2 ---------------------------------------------------  -spec setup_keys(integer(), integer(), binary(), binary(), binary(), integer(),  		 integer(), integer()) -> {binary(), binary(), binary(),  					  binary(), binary(), binary()}. - +%% TLS v1.0  ---------------------------------------------------  setup_keys(Version, _PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize,  	   KeyMatLen, IVSize)    when Version == 1 -> @@ -129,8 +178,9 @@ setup_keys(Version, _PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize       ClientIV:IVSize/binary, ServerIV:IVSize/binary>> = KeyBlock,      {ClientWriteMacSecret, ServerWriteMacSecret, ClientWriteKey,       ServerWriteKey, ClientIV, ServerIV}; +%% TLS v1.0  --------------------------------------------------- -%% TLS v1.1 +%% TLS v1.1 ---------------------------------------------------  setup_keys(Version, _PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize,  	   KeyMatLen, IVSize)    when Version == 2 -> @@ -156,8 +206,9 @@ setup_keys(Version, _PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize       ClientIV:IVSize/binary, ServerIV:IVSize/binary>> = KeyBlock,      {ClientWriteMacSecret, ServerWriteMacSecret, ClientWriteKey,       ServerWriteKey, ClientIV, ServerIV}; +%% TLS v1.1 --------------------------------------------------- -%% TLS v1.2 +%% TLS v1.2  ---------------------------------------------------  setup_keys(Version, PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize,  	   KeyMatLen, IVSize)    when Version == 3; Version == 4 -> @@ -182,8 +233,10 @@ setup_keys(Version, PrfAlgo, MasterSecret, ServerRandom, ClientRandom, HashSize,       ClientIV:IVSize/binary, ServerIV:IVSize/binary>> = KeyBlock,      {ClientWriteMacSecret, ServerWriteMacSecret, ClientWriteKey,       ServerWriteKey, ClientIV, ServerIV}. +%% TLS v1.2  --------------------------------------------------- --spec mac_hash(integer(), binary(), integer(), integer(), tls_record:tls_version(), +%% TLS 1.0 -1.2  --------------------------------------------------- +-spec mac_hash(integer() | atom(), binary(), integer(), integer(), tls_record:tls_version(),  	       integer(), binary()) -> binary().  mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor}, @@ -197,6 +250,9 @@ mac_hash(Method, Mac_write_secret, Seq_num, Type, {Major, Minor},  		      ?BYTE(Major), ?BYTE(Minor), ?UINT16(Length)>>,  		     Fragment]),      Mac. +%% TLS 1.0 -1.2  --------------------------------------------------- + +%% TODO 1.3 same as above?  -spec suites(1|2|3|4) -> [ssl_cipher_format:cipher_suite()]. @@ -345,7 +401,6 @@ signature_schemes(Version, SignatureSchemes) when is_tuple(Version)  signature_schemes(_, _) ->      []. -  default_signature_schemes(Version) ->      Default = [                 rsa_pkcs1_sha256, @@ -371,12 +426,21 @@ default_signature_schemes(Version) ->  %%--------------------------------------------------------------------  %%% Internal functions  %%-------------------------------------------------------------------- +hkdf_expand(Algo, PseudoRandKey, ContextInfo, Length, N, N, Prev, Acc) -> +    Keyingmaterial = hmac_hash(Algo, PseudoRandKey, <<Prev/binary, ContextInfo/binary, ?BYTE(N)>>), +    binary:part(<<Acc/binary, Keyingmaterial/binary>>, {0, Length}); +hkdf_expand(Algo, PseudoRandKey, ContextInfo, Length, M, N, Prev, Acc) -> +    Keyingmaterial = hmac_hash(Algo, PseudoRandKey, <<Prev/binary, ContextInfo/binary, ?BYTE(M)>>), +    hkdf_expand(Algo, PseudoRandKey, ContextInfo, Length, M + 1, N, Keyingmaterial, <<Acc/binary, Keyingmaterial/binary>>). +  %%%% HMAC and the Pseudorandom Functions RFC 2246 & 4346 - 5.%%%%  hmac_hash(?NULL, _, _) ->      <<>>;  hmac_hash(Alg, Key, Value) ->      crypto:hmac(mac_algo(Alg), Key, Value). +mac_algo(Alg) when is_atom(Alg) ->  +    Alg;  mac_algo(?MD5)    -> md5;  mac_algo(?SHA)    -> sha;  mac_algo(?SHA256) -> sha256; diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile index d5ba105478..a4adc7561b 100644 --- a/lib/ssl/test/Makefile +++ b/lib/ssl/test/Makefile @@ -62,6 +62,7 @@ MODULES = \  	ssl_upgrade_SUITE\  	ssl_sni_SUITE \  	ssl_eqc_SUITE \ +	ssl_rfc_5869_SUITE \  	make_certs\          x509_test diff --git a/lib/ssl/test/ssl_rfc_5869_SUITE.erl b/lib/ssl/test/ssl_rfc_5869_SUITE.erl new file mode 100644 index 0000000000..8b2d1c2082 --- /dev/null +++ b/lib/ssl/test/ssl_rfc_5869_SUITE.erl @@ -0,0 +1,316 @@ +%% +%% %CopyrightBegin% +%% +%% Copyright Ericsson AB 2018-2018. All Rights Reserved. +%% +%% Licensed under the Apache License, Version 2.0 (the "License"); +%% you may not use this file except in compliance with the License. +%% You may obtain a copy of the License at +%% +%%     http://www.apache.org/licenses/LICENSE-2.0 +%% +%% Unless required by applicable law or agreed to in writing, software +%% distributed under the License is distributed on an "AS IS" BASIS, +%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +%% See the License for the specific language governing permissions and +%% limitations under the License. +%% +%% %CopyrightEnd% +%% + +%% +-module(ssl_rfc_5869_SUITE). + +%% Note: This directive should only be used in test suites. +-compile(export_all). + +-include_lib("common_test/include/ct.hrl"). + +%%-------------------------------------------------------------------- +%% Common Test interface functions ----------------------------------- +%%-------------------------------------------------------------------- +all() ->  +    [sha_256_basic, +     sha_256_long, +     sha_256_no_salt, +     sha_basic, +     sha_long, +     sha_no_salt, +     sha_default_salt +    ]. + +%%-------------------------------------------------------------------- +init_per_suite(Config) -> +    catch crypto:stop(), +    try crypto:start() of +	ok -> +            Config +    catch _:_ -> +	    {skip, "Crypto did not start"} +    end. + +end_per_suite(_Config) -> +    application:stop(crypto). + +%%-------------------------------------------------------------------- +init_per_testcase(_TestCase, Config) -> +    ct:timetrap({seconds, 5}), +    Config. + +end_per_testcase(_TestCase, Config) -> +    Config. + +%%-------------------------------------------------------------------- +%% Test Cases -------------------------------------------------------- +%%-------------------------------------------------------------------- +   +sha_256_basic() -> +    [{doc, "Basic test case with SHA-256"}]. +sha_256_basic(Config) when is_list(Config) -> +    %% Hash = SHA-256 +    %% IKM  = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (22 octets) +    %% salt = 0x000102030405060708090a0b0c (13 octets) +    %% info = 0xf0f1f2f3f4f5f6f7f8f9 (10 octets) +    %% L    = 42 +    %% PRK  = 0x077709362c2e32df0ddc3f0dc47bba63 +    %%        90b6c73bb50f9c3122ec844ad7c2b3e5 (32 octets) +    %% OKM  = 0x3cb25f25faacd57a90434f64d0362f2a +    %%        2d2d0a90cf1a5a4c5db02d56ecc4c5bf +    %%        34007208d5b887185865 (42 octets) +    IKM  = hexstr2bin("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), +    Salt = hexstr2bin("000102030405060708090a0b0c"), +    Info = hexstr2bin("f0f1f2f3f4f5f6f7f8f9"), +    PRK  = hexstr2bin("077709362c2e32df0ddc3f0dc47bba63" +                      "90b6c73bb50f9c3122ec844ad7c2b3e5"), +    OKM  = hexstr2bin("3cb25f25faacd57a90434f64d0362f2a" +                      "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +                      "34007208d5b887185865"), +    hkdf_test(sha256, Salt, IKM, PRK, Info, 42, OKM). + +sha_256_long() -> +    [{doc, "Test with SHA-256 and longer inputs/outputs"}]. +sha_256_long(Config) when is_list(Config) -> +    %% Hash = SHA-256 +    %% IKM  = 0x000102030405060708090a0b0c0d0e0f +    %%        101112131415161718191a1b1c1d1e1f +    %%        202122232425262728292a2b2c2d2e2f +    %%        303132333435363738393a3b3c3d3e3f +    %%        404142434445464748494a4b4c4d4e4f (80 octets) +    %% salt = 0x606162636465666768696a6b6c6d6e6f +    %%        707172737475767778797a7b7c7d7e7f +    %%        808182838485868788898a8b8c8d8e8f +    %%        909192939495969798999a9b9c9d9e9f +    %%        a0a1a2a3a4a5a6a7a8a9aaabacadaeaf (80 octets) +    %% info = 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebf +    %%        c0c1c2c3c4c5c6c7c8c9cacbcccdcecf +    %%        d0d1d2d3d4d5d6d7d8d9dadbdcdddedf +    %%        e0e1e2e3e4e5e6e7e8e9eaebecedeeef +    %%        f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff (80 octets) +    %% L    = 82 +     +    %% PRK  = 0x06a6b88c5853361a06104c9ceb35b45c +    %%        ef760014904671014a193f40c15fc244 (32 octets) +    %% OKM  = 0xb11e398dc80327a1c8e7f78c596a4934 +    %%        4f012eda2d4efad8a050cc4c19afa97c +    %%        59045a99cac7827271cb41c65e590e09 +    %%        da3275600c2f09b8367793a9aca3db71 +    %%        cc30c58179ec3e87c14c01d5c1f3434f +    %%        1d87 (82 octets) +    IKM  = hexstr2bin("000102030405060708090a0b0c0d0e0f" +                      "101112131415161718191a1b1c1d1e1f" +                      "202122232425262728292a2b2c2d2e2f" +                      "303132333435363738393a3b3c3d3e3f" +                      "404142434445464748494a4b4c4d4e4f" +                     ), +    Salt = hexstr2bin("606162636465666768696a6b6c6d6e6f" +                      "707172737475767778797a7b7c7d7e7f" +                      "808182838485868788898a8b8c8d8e8f" +                      "909192939495969798999a9b9c9d9e9f" +                      "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf" +                     ), +    Info = hexstr2bin("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" +                      "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" +                      "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" +                      "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" +                      "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" +                     ), +    PRK  = hexstr2bin("06a6b88c5853361a06104c9ceb35b45c" +                      "ef760014904671014a193f40c15fc244"), +    OKM  = hexstr2bin("b11e398dc80327a1c8e7f78c596a4934" +                      "4f012eda2d4efad8a050cc4c19afa97c" +                      "59045a99cac7827271cb41c65e590e09" +                      "da3275600c2f09b8367793a9aca3db71" +                      "cc30c58179ec3e87c14c01d5c1f3434f" +                      "1d87" +                     ), +    hkdf_test(sha256, Salt, IKM, PRK, Info, 82, OKM). +sha_256_no_salt() -> +    [{doc, "Test with SHA-256 and zero-length salt/info"}]. +sha_256_no_salt(Config) when is_list(Config) -> +    %% Hash = SHA-256 +    %% IKM  = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (22 octets) +    %% salt = (0 octets) +    %% info = (0 octets) +    %% L    = 42 +     +    %% PRK  = 0x19ef24a32c717b167f33a91d6f648bdf +    %%        96596776afdb6377ac434c1c293ccb04 (32 octets) +    %% OKM  = 0x8da4e775a563c18f715f802a063c5a31 +    %%        b8a11f5c5ee1879ec3454e5f3c738d2d +    %%        9d201395faa4b61a96c8 (42 octets) +    IKM  = hexstr2bin("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), +    Salt = <<>>, +    Info = <<>>, +    PRK  = hexstr2bin("19ef24a32c717b167f33a91d6f648bdf" +                      "96596776afdb6377ac434c1c293ccb04"), +    OKM  = hexstr2bin("8da4e775a563c18f715f802a063c5a31" +                      "b8a11f5c5ee1879ec3454e5f3c738d2d" +                      "9d201395faa4b61a96c8"), +    hkdf_test(sha256, Salt, IKM, PRK, Info, 42, OKM). + +sha_basic() -> +    [{doc, " Basic test case with SHA-1"}]. +sha_basic(Config) when is_list(Config) -> +    %% Hash = SHA-1 +    %% IKM  = 0x0b0b0b0b0b0b0b0b0b0b0b (11 octets) +    %% salt = 0x000102030405060708090a0b0c (13 octets) +    %% info = 0xf0f1f2f3f4f5f6f7f8f9 (10 octets) +    %% L    = 42 +     +    %% PRK  = 0x9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 (20 octets) +    %% OKM  = 0x085a01ea1b10f36933068b56efa5ad81 +    %%        a4f14b822f5b091568a9cdd4f155fda2 +    %%        c22e422478d305f3f896 (42 octets) +    IKM  = hexstr2bin("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), +    Salt = hexstr2bin("000102030405060708090a0b0c"), +    Info = hexstr2bin("f0f1f2f3f4f5f6f7f8f9"), +    PRK  = hexstr2bin("077709362c2e32df0ddc3f0dc47bba63" +                      "90b6c73bb50f9c3122ec844ad7c2b3e5"), +    OKM  = hexstr2bin("3cb25f25faacd57a90434f64d0362f2a" +                      "2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +                      "34007208d5b887185865"), +    hkdf_test(sha256, Salt, IKM, PRK, Info, 42, OKM). + +sha_long() -> +    [{doc, "Test with SHA-1 and longer inputs/outputs"}]. +sha_long(Config) when is_list(Config) -> +    %% Hash = SHA-1 +    %% IKM  = 0x000102030405060708090a0b0c0d0e0f +    %%        101112131415161718191a1b1c1d1e1f +    %%        202122232425262728292a2b2c2d2e2f +    %%        303132333435363738393a3b3c3d3e3f +    %%        404142434445464748494a4b4c4d4e4f (80 octets) +    %% salt = 0x606162636465666768696a6b6c6d6e6f +    %%        707172737475767778797a7b7c7d7e7f +    %%        808182838485868788898a8b8c8d8e8f +    %%        909192939495969798999a9b9c9d9e9f +    %%        a0a1a2a3a4a5a6a7a8a9aaabacadaeaf (80 octets) +    %% info = 0xb0b1b2b3b4b5b6b7b8b9babbbcbdbebf +    %%        c0c1c2c3c4c5c6c7c8c9cacbcccdcecf +    %%        d0d1d2d3d4d5d6d7d8d9dadbdcdddedf +    %%        e0e1e2e3e4e5e6e7e8e9eaebecedeeef +    %%        f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff (80 octets) +    %% L    = 82 +     +    %% PRK  = 0x8adae09a2a307059478d309b26c4115a224cfaf6 (20 octets) +    %% OKM  = 0x0bd770a74d1160f7c9f12cd5912a06eb +    %%        ff6adcae899d92191fe4305673ba2ffe +    %%        8fa3f1a4e5ad79f3f334b3b202b2173c +    %%        486ea37ce3d397ed034c7f9dfeb15c5e +    %%        927336d0441f4c4300e2cff0d0900b52 +    %%        d3b4 (82 octets) +    IKM  = hexstr2bin("000102030405060708090a0b0c0d0e0f" +                      "101112131415161718191a1b1c1d1e1f" +                      "202122232425262728292a2b2c2d2e2f" +                      "303132333435363738393a3b3c3d3e3f" +                      "404142434445464748494a4b4c4d4e4f" +                     ), +    Salt = hexstr2bin("606162636465666768696a6b6c6d6e6f" +                      "707172737475767778797a7b7c7d7e7f" +                      "808182838485868788898a8b8c8d8e8f" +                      "909192939495969798999a9b9c9d9e9f" +                      "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf" +                     ), +    Info = hexstr2bin("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf" +                      "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf" +                      "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf" +                      "e0e1e2e3e4e5e6e7e8e9eaebecedeeef" +                      "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" +                     ), +    PRK  = hexstr2bin("8adae09a2a307059478d309b26c4115a224cfaf6"), +    OKM  = hexstr2bin("0bd770a74d1160f7c9f12cd5912a06eb" +                      "ff6adcae899d92191fe4305673ba2ffe" +                      "8fa3f1a4e5ad79f3f334b3b202b2173c" +                      "486ea37ce3d397ed034c7f9dfeb15c5e" +                      "927336d0441f4c4300e2cff0d0900b52" +                      "d3b4" +                     ), +    hkdf_test(sha, Salt, IKM, PRK, Info, 82, OKM). + +sha_no_salt() -> +    [{doc, "Test with SHA-1 and zero-length salt/info"}]. +sha_no_salt(Config) when is_list(Config) -> +    %%   Hash = SHA-1 +    %% IKM  = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b (22 octets) +    %% salt = (0 octets) +    %% info = (0 octets) +    %% L    = 42 + +    %% PRK  = 0xda8c8a73c7fa77288ec6f5e7c297786aa0d32d01 (20 octets) +    %% OKM  = 0x0ac1af7002b3d761d1e55298da9d0506 +    %%        b9ae52057220a306e07b6b87e8df21d0 +    %%        ea00033de03984d34918 (42 octets) +    IKM  = hexstr2bin("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), +    Salt = <<>>, +    Info = <<>>, +    PRK  = hexstr2bin("da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"), +    OKM  = hexstr2bin("0ac1af7002b3d761d1e55298da9d0506" +                      "b9ae52057220a306e07b6b87e8df21d0" +                      "ea00033de03984d34918"), +    hkdf_test(sha, Salt, IKM, PRK, Info, 42, OKM). + + +sha_default_salt() -> +    [{doc, "Test with SHA-1, salt not provided (defaults to HashLen zero octets), +   zero-length info"}]. +sha_default_salt(Config) when is_list(Config) ->      +    %% Hash = SHA-1 +    %% IKM  = 0x0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c (22 octets) +    %% salt = not provided (defaults to HashLen zero octets) +    %% info = (0 octets) +    %% L    = 42 + +    %% PRK  = 0x2adccada18779e7c2077ad2eb19d3f3e731385dd (20 octets) +    %% OKM  = 0x2c91117204d745f3500d636a62f64f0a +    %%        b3bae548aa53d423b0d1f27ebba6f5e5 +    %%        673a081d70cce7acfc48 (42 octets) +    IKM  = hexstr2bin("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"), +    Salt = binary:copy(<<0>>, 20), +    Info = <<>>, +    PRK  = hexstr2bin("2adccada18779e7c2077ad2eb19d3f3e731385dd"), +    OKM  = hexstr2bin("2c91117204d745f3500d636a62f64f0a" +                      "b3bae548aa53d423b0d1f27ebba6f5e5" +                      "673a081d70cce7acfc48"), +    hkdf_test(sha, Salt, IKM, PRK, Info, 42, OKM). + +hkdf_test(HashAlg, Salt, KeyingMaterial, PsedoRandKey, ContextInfo, Length, Key) ->    +    PsedoRandKey = tls_v1:hkdf_extract(HashAlg, Salt, KeyingMaterial), +    Key = tls_v1:hkdf_expand(PsedoRandKey, ContextInfo, Length, HashAlg). +     +hexstr2bin(S) when is_binary(S) -> +    list_to_binary(hexstr2list(binary_to_list(S))); +hexstr2bin(S) -> +    list_to_binary(hexstr2list(S)). + +hexstr2list([$ |T]) -> +    hexstr2list(T); +hexstr2list([X,Y|T]) -> +    [mkint(X)*16 + mkint(Y) | hexstr2list(T)]; +hexstr2list([]) -> +    []. +mkint(C) when $0 =< C, C =< $9 -> +    C - $0; +mkint(C) when $A =< C, C =< $F -> +    C - $A + 10; +mkint(C) when $a =< C, C =< $f -> +    C - $a + 10. | 
