1a74702c6SGeorge Wang/* Copyright (c) 2017 - 2022 LiteSpeed Technologies Inc.  See LICENSE. */
25392f7a3SLiteSpeed Tech/*
35392f7a3SLiteSpeed Tech * See
45392f7a3SLiteSpeed Tech *  https://github.com/quicwg/base-drafts/wiki/Test-Vector-for-the-Clear-Text-AEAD-key-derivation
55392f7a3SLiteSpeed Tech */
65392f7a3SLiteSpeed Tech
75392f7a3SLiteSpeed Tech#include <assert.h>
85392f7a3SLiteSpeed Tech#include <string.h>
95392f7a3SLiteSpeed Tech
105392f7a3SLiteSpeed Tech#include <openssl/ssl.h>
115392f7a3SLiteSpeed Tech#include <openssl/hkdf.h>
125392f7a3SLiteSpeed Tech
135392f7a3SLiteSpeed Tech#include "lsquic_types.h"
145392f7a3SLiteSpeed Tech#include "lsquic_hkdf.h"
155392f7a3SLiteSpeed Tech
165392f7a3SLiteSpeed Techint
175392f7a3SLiteSpeed Techmain (void)
185392f7a3SLiteSpeed Tech{
195392f7a3SLiteSpeed Tech    const EVP_MD *const md = EVP_sha256();
205392f7a3SLiteSpeed Tech
215392f7a3SLiteSpeed Tech    const lsquic_cid_t dcid = {
225392f7a3SLiteSpeed Tech        .idbuf = "\xc6\x54\xef\xd8\xa3\x1b\x47\x92",
235392f7a3SLiteSpeed Tech        .len = 8,
245392f7a3SLiteSpeed Tech    };
255392f7a3SLiteSpeed Tech    unsigned char secret[100];
265392f7a3SLiteSpeed Tech    size_t secret_len;
275392f7a3SLiteSpeed Tech
285392f7a3SLiteSpeed Tech    const unsigned char expected_secret[] = {
295392f7a3SLiteSpeed Tech        0x5f, 0x8d, 0xa5, 0x94, 0xfe, 0xca, 0x72, 0xc1,
305392f7a3SLiteSpeed Tech        0x0f, 0x9e, 0xc8, 0x78, 0x81, 0x11, 0x05, 0x57,
315392f7a3SLiteSpeed Tech        0x81, 0xa9, 0x6f, 0x6a, 0x06, 0x53, 0x58, 0xbf,
325392f7a3SLiteSpeed Tech        0xb4, 0x5a, 0xba, 0x4b, 0xc0, 0x37, 0xf3, 0xb2,
335392f7a3SLiteSpeed Tech    };
345392f7a3SLiteSpeed Tech
355392f7a3SLiteSpeed Tech    HKDF_extract(secret, &secret_len, md, dcid.idbuf, dcid.len,
364051ae3aSDmitri Tikhonov                                                HSK_SALT_PRE29, HSK_SALT_SZ);
375392f7a3SLiteSpeed Tech
385392f7a3SLiteSpeed Tech    assert(sizeof(expected_secret) == secret_len);
395392f7a3SLiteSpeed Tech    assert(0 == memcmp(secret, expected_secret, sizeof(expected_secret)));
405392f7a3SLiteSpeed Tech
415392f7a3SLiteSpeed Tech    unsigned char client_secret[32];
425392f7a3SLiteSpeed Tech    const unsigned char expected_client_secret[] = {
435392f7a3SLiteSpeed Tech        0x0c, 0x74, 0xbb, 0x95, 0xa1, 0x04, 0x8e, 0x52,
445392f7a3SLiteSpeed Tech        0xef, 0x3b, 0x72, 0xe1, 0x28, 0x89, 0x35, 0x1c,
455392f7a3SLiteSpeed Tech        0xd7, 0x3a, 0x55, 0x0f, 0xb6, 0x2c, 0x4b, 0xb0,
465392f7a3SLiteSpeed Tech        0x87, 0xe9, 0x15, 0xcc, 0xe9, 0x6c, 0xe3, 0xa0,
475392f7a3SLiteSpeed Tech    };
485392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, secret, secret_len, CLIENT_LABEL, CLIENT_LABEL_SZ,
495392f7a3SLiteSpeed Tech                        client_secret, sizeof(client_secret));
505392f7a3SLiteSpeed Tech    assert(0 == memcmp(client_secret, expected_client_secret,
515392f7a3SLiteSpeed Tech                        sizeof(client_secret)));
525392f7a3SLiteSpeed Tech    const unsigned char expected_client_key[] = {
535392f7a3SLiteSpeed Tech        0x86, 0xd1, 0x83, 0x04, 0x80, 0xb4, 0x0f, 0x86,
545392f7a3SLiteSpeed Tech        0xcf, 0x9d, 0x68, 0xdc, 0xad, 0xf3, 0x5d, 0xfe,
555392f7a3SLiteSpeed Tech    };
565392f7a3SLiteSpeed Tech    const unsigned char expected_client_iv[] = {
575392f7a3SLiteSpeed Tech        0x12, 0xf3, 0x93, 0x8a, 0xca, 0x34, 0xaa, 0x02,
585392f7a3SLiteSpeed Tech        0x54, 0x31, 0x63, 0xd4,
595392f7a3SLiteSpeed Tech    };
605392f7a3SLiteSpeed Tech    const unsigned char expected_client_hp[] = {
615392f7a3SLiteSpeed Tech        0xcd, 0x25, 0x3a, 0x36, 0xff, 0x93, 0x93, 0x7c,
625392f7a3SLiteSpeed Tech        0x46, 0x93, 0x84, 0xa8, 0x23, 0xaf, 0x6c, 0x56,
635392f7a3SLiteSpeed Tech    };
645392f7a3SLiteSpeed Tech    unsigned char client_key[sizeof(expected_client_key)],
655392f7a3SLiteSpeed Tech                  client_iv[sizeof(expected_client_iv)],
665392f7a3SLiteSpeed Tech                  client_hp[sizeof(expected_client_hp)];
675392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, client_secret, sizeof(client_secret), "quic key", 8,
685392f7a3SLiteSpeed Tech                        client_key, sizeof(client_key));
695392f7a3SLiteSpeed Tech    assert(0 == memcmp(client_key, expected_client_key,
705392f7a3SLiteSpeed Tech                        sizeof(expected_client_key)));
715392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, client_secret, sizeof(client_secret), "quic iv", 7,
725392f7a3SLiteSpeed Tech                        client_iv, sizeof(client_iv));
735392f7a3SLiteSpeed Tech    assert(0 == memcmp(client_iv, expected_client_iv,
745392f7a3SLiteSpeed Tech                        sizeof(expected_client_iv)));
755392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, client_secret, sizeof(client_secret), "quic hp", 7,
765392f7a3SLiteSpeed Tech                        client_hp, sizeof(client_hp));
775392f7a3SLiteSpeed Tech    assert(0 == memcmp(client_hp, expected_client_hp,
785392f7a3SLiteSpeed Tech                        sizeof(expected_client_hp)));
795392f7a3SLiteSpeed Tech
805392f7a3SLiteSpeed Tech    unsigned char server_secret[32];
815392f7a3SLiteSpeed Tech    const unsigned char expected_server_secret[] = {
825392f7a3SLiteSpeed Tech        0x4c, 0x9e, 0xdf, 0x24, 0xb0, 0xe5, 0xe5, 0x06,
835392f7a3SLiteSpeed Tech        0xdd, 0x3b, 0xfa, 0x4e, 0x0a, 0x03, 0x11, 0xe8,
845392f7a3SLiteSpeed Tech        0xc4, 0x1f, 0x35, 0x42, 0x73, 0xd8, 0xcb, 0x49,
855392f7a3SLiteSpeed Tech        0xdd, 0xd8, 0x46, 0x41, 0x38, 0xd4, 0x7e, 0xc6,
865392f7a3SLiteSpeed Tech    };
875392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, secret, secret_len, SERVER_LABEL, SERVER_LABEL_SZ,
885392f7a3SLiteSpeed Tech                        server_secret, sizeof(server_secret));
895392f7a3SLiteSpeed Tech    assert(0 == memcmp(server_secret, expected_server_secret,
905392f7a3SLiteSpeed Tech                        sizeof(server_secret)));
915392f7a3SLiteSpeed Tech    const unsigned char expected_server_key[] = {
925392f7a3SLiteSpeed Tech        0x2c, 0x78, 0x63, 0x3e, 0x20, 0x6e, 0x99, 0xad,
935392f7a3SLiteSpeed Tech        0x25, 0x19, 0x64, 0xf1, 0x9f, 0x6d, 0xcd, 0x6d,
945392f7a3SLiteSpeed Tech    };
955392f7a3SLiteSpeed Tech    const unsigned char expected_server_iv[] = {
965392f7a3SLiteSpeed Tech        0x7b, 0x50, 0xbf, 0x36, 0x98, 0xa0, 0x6d, 0xfa,
975392f7a3SLiteSpeed Tech        0xbf, 0x75, 0xf2, 0x87,
985392f7a3SLiteSpeed Tech    };
995392f7a3SLiteSpeed Tech    const unsigned char expected_server_hp[] = {
1005392f7a3SLiteSpeed Tech        0x25, 0x79, 0xd8, 0x69, 0x6f, 0x85, 0xed, 0xa6,
1015392f7a3SLiteSpeed Tech        0x8d, 0x35, 0x02, 0xb6, 0x55, 0x96, 0x58, 0x6b,
1025392f7a3SLiteSpeed Tech    };
1035392f7a3SLiteSpeed Tech    unsigned char server_key[sizeof(expected_server_key)],
1045392f7a3SLiteSpeed Tech                  server_iv[sizeof(expected_server_iv)],
1055392f7a3SLiteSpeed Tech                  server_hp[sizeof(expected_server_hp)];
1065392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, server_secret, sizeof(server_secret), "quic key", 8,
1075392f7a3SLiteSpeed Tech                        server_key, sizeof(server_key));
1085392f7a3SLiteSpeed Tech    assert(0 == memcmp(server_key, expected_server_key,
1095392f7a3SLiteSpeed Tech                        sizeof(expected_server_key)));
1105392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, server_secret, sizeof(server_secret), "quic iv", 7,
1115392f7a3SLiteSpeed Tech                        server_iv, sizeof(server_iv));
1125392f7a3SLiteSpeed Tech    assert(0 == memcmp(server_iv, expected_server_iv,
1135392f7a3SLiteSpeed Tech                        sizeof(expected_server_iv)));
1145392f7a3SLiteSpeed Tech    lsquic_qhkdf_expand(md, server_secret, sizeof(server_secret), "quic hp", 7,
1155392f7a3SLiteSpeed Tech                        server_hp, sizeof(server_hp));
1165392f7a3SLiteSpeed Tech    assert(0 == memcmp(server_hp, expected_server_hp,
1175392f7a3SLiteSpeed Tech                        sizeof(expected_server_hp)));
1185392f7a3SLiteSpeed Tech
1195392f7a3SLiteSpeed Tech    return 0;
1205392f7a3SLiteSpeed Tech}
121