21851334357

Committed 10 Feb 2026 01:47AM UTC coverage: 90.073% (+0.004%) from 90.069%

Build # 21851334357

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #5296 from randombit/jack/tls-header-patrol

Various changes to reduce header dependencies in TLS

Run Details

102230 of 113497 relevant lines covered (90.07%)

11359047.13 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

99.5

/src/tests/test_tls_cipher_state.cpp

/*
* (C) 2021 Jack Lloyd
* (C) 2021 Hannes Rantzsch, René Meusel - neXenio
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include "tests.h"

#if defined(BOTAN_HAS_TLS_13)

   #include <botan/hex.h>
   #include <botan/secmem.h>
   #include <botan/tls_ciphersuite.h>

   #include <botan/internal/tls_channel_impl_13.h>
   #include <botan/internal/tls_cipher_state.h>
   #include <map>

namespace Botan_Tests {

namespace {

using namespace Botan;
using namespace Botan::TLS;

class Journaling_Secret_Logger : public Secret_Logger {
   public:
      void maybe_log_secret(std::string_view label, std::span<const uint8_t> secret) const override {
         secrets[std::string(label)] = std::vector<uint8_t>(secret.begin(), secret.end());
      }

   public:
      mutable std::map<std::string, std::vector<uint8_t>> secrets;  // NOLINT(*-non-private-member-variable*)
};

decltype(auto) make_CHECK_both(Cipher_State* cs_client,
                               Journaling_Secret_Logger* sl_client,
                               Cipher_State* cs_server,
                               Journaling_Secret_Logger* sl_server) {
   using namespace std::placeholders;
   return [=](const std::string& name, auto lambda) -> std::vector<Test::Result> {
      // NOLINTBEGIN(*-avoid-bind)
      return {CHECK(std::string(name + " (client)").c_str(),
                    std::bind(lambda, cs_client, sl_client, Connection_Side::Client, _1)),
              CHECK(std::string(name + " (server)").c_str(),
                    std::bind(lambda, cs_server, sl_server, Connection_Side::Server, _1))};
      // NOLINTEND(*-avoid-bind)
   };
}

class RFC8448_TestData {
   private:
      const std::string name;
      const Connection_Side emitter;
      const std::vector<uint8_t> record_header;
      const secure_vector<uint8_t> encrypted_fragment;
      const secure_vector<uint8_t> plaintext_fragment;

   public:
      RFC8448_TestData(std::string n,
                       Connection_Side em,
                       std::vector<uint8_t> rh,
                       secure_vector<uint8_t> ef,
                       secure_vector<uint8_t> pf) :
            name(std::move(n)),
            emitter(em),
            record_header(std::move(rh)),
            encrypted_fragment(std::move(ef)),
            plaintext_fragment(std::move(pf)) {}

      void encrypt(Test::Result& result, Cipher_State* cs) const {
         auto plaintext_fragment_copy = plaintext_fragment;
         result.test_no_throw("encryption is successful for " + name,
                              [&] { cs->encrypt_record_fragment(record_header, plaintext_fragment_copy); });

         result.test_eq("encrypted payload for " + name, plaintext_fragment_copy, encrypted_fragment);
      }

      void decrypt(Test::Result& result, Cipher_State* cs) const {
         auto encrypted_fragment_copy = encrypted_fragment;
         result.test_no_throw("decryption is successful for " + name,
                              [&] { cs->decrypt_record_fragment(record_header, encrypted_fragment_copy); });

         result.test_eq("plaintext for " + name, encrypted_fragment_copy, plaintext_fragment);
      }

      void xxcrypt(Test::Result& result, Cipher_State* cs, Connection_Side side) const {
         if(emitter == side) {
            encrypt(result, cs);
         } else {
            decrypt(result, cs);
         }
      }
};

std::vector<Test::Result> test_secret_derivation_rfc8448_rtt1() {
   // shared secret
   const auto shared_secret = Botan::hex_decode_locked(
      "8b d4 05 4f b5 5b 9d 63 fd fb ac f9 f0 4b 9f 0d"
      "35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d");

   const auto expected_psk = Botan::hex_decode_locked(
      "4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c a4 c5"
      "85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3");

   // this is not part of RFC 8448
   const std::string export_label = "export_test_label";
   const std::string export_context = "rfc8448_rtt1";
   const auto expected_key_export = Botan::hex_decode_locked("f2 00 58 a6 5c e0 43 0a 19 79 44 c8 12 43 1c 2d");

   // transcript hash from client hello and server hello
   const auto th_server_hello = Botan::hex_decode(
      "86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58 ed"
      "d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8");

   // transcript hash from client hello up to (excluding) server finished
   const auto th_pre_server_finished = Botan::hex_decode(
      "ed b7 72 5f a7 a3 47 3b 03 1e c8 ef 65 a2 48 54"
      "93 90 01 38 a2 b9 12 91 40 7d 79 51 a0 61 10 ed");

   // transcript hash from client hello up to (including) server finished
   const auto th_server_finished = Botan::hex_decode(
      "96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a"
      "00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13");

   // transcript hash from client hello up to (including) client finished
   const auto th_client_finished = Botan::hex_decode(
      "20 91 45 a9 6e e8 e2 a1 22 ff 81 00 47 cc 95 26"
      "84 65 8d 60 49 e8 64 29 42 6d b8 7c 54 ad 14 3d");

   // handshake traffic secret for the client
   const auto client_handshake_traffic_secret = Botan::hex_decode(
      "b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e 2d 8f"
      "3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 27 a5 5a 21");

   // handshake traffic secret for the server
   const auto server_handshake_traffic_secret = Botan::hex_decode(
      "b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4"
      "e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38");

   // application traffic secret (0) for the client
   const auto client_traffic_secret = Botan::hex_decode(
      "9e 40 64 6c e7 9a 7f 9d c0 5a f8 88 9b ce 65 52"
      "87 5a fa 0b 06 df 00 87 f7 92 eb b7 c1 75 04 a5");

   // application traffic secret (0) for the server
   const auto server_traffic_secret = Botan::hex_decode(
      "a1 1a f9 f0 55 31 f8 56 ad 47 11 6b 45 a9 50 32"
      "82 04 b4 f4 4b fb 6b 3a 4b 4f 1f 3f cb 63 16 43");

   // application traffic secret (1) for the client (not in RFC 8448)
   const auto updated_client_traffic_secret = Botan::hex_decode(
      "fc df cc 72 72 5a ae e4 8b f6 4e 4f d8 b7 49 cd"
      "bd ba b3 9d 90 da 0b 26 e2 24 5c a6 ea 16 72 07");

   // application traffic secret (1) for the server (not in RFC 8448)
   const auto updated_server_traffic_secret = Botan::hex_decode(
      "51 92 1b 8a a3 00 19 76 eb 40 1d 0a 43 19 a8 51"
      "64 16 a6 c5 60 01 a3 57 e5 d1 62 03 1e 84 f9 16");

   // encrypted with server_handshake_traffic_secret
   const auto encrypted_extensions =
      RFC8448_TestData("encrypted_extensions",
                       Connection_Side::Server,
                       Botan::hex_decode("17 03 03 02 a2"),
                       Botan::hex_decode_locked("d1 ff 33 4a 56 f5 bf"
                                                "f6 59 4a 07 cc 87 b5 80 23 3f 50 0f 45 e4 89 e7 f3 3a f3 5e df"
                                                "78 69 fc f4 0a a4 0a a2 b8 ea 73 f8 48 a7 ca 07 61 2e f9 f9 45"
                                                "cb 96 0b 40 68 90 51 23 ea 78 b1 11 b4 29 ba 91 91 cd 05 d2 a3"
                                                "89 28 0f 52 61 34 aa dc 7f c7 8c 4b 72 9d f8 28 b5 ec f7 b1 3b"
                                                "d9 ae fb 0e 57 f2 71 58 5b 8e a9 bb 35 5c 7c 79 02 07 16 cf b9"
                                                "b1 18 3e f3 ab 20 e3 7d 57 a6 b9 d7 47 76 09 ae e6 e1 22 a4 cf"
                                                "51 42 73 25 25 0c 7d 0e 50 92 89 44 4c 9b 3a 64 8f 1d 71 03 5d"
                                                "2e d6 5b 0e 3c dd 0c ba e8 bf 2d 0b 22 78 12 cb b3 60 98 72 55"
                                                "cc 74 41 10 c4 53 ba a4 fc d6 10 92 8d 80 98 10 e4 b7 ed 1a 8f"
                                                "d9 91 f0 6a a6 24 82 04 79 7e 36 a6 a7 3b 70 a2 55 9c 09 ea d6"
                                                "86 94 5b a2 46 ab 66 e5 ed d8 04 4b 4c 6d e3 fc f2 a8 94 41 ac"
                                                "66 27 2f d8 fb 33 0e f8 19 05 79 b3 68 45 96 c9 60 bd 59 6e ea"
                                                "52 0a 56 a8 d6 50 f5 63 aa d2 74 09 96 0d ca 63 d3 e6 88 61 1e"
                                                "a5 e2 2f 44 15 cf 95 38 d5 1a 20 0c 27 03 42 72 96 8a 26 4e d6"
                                                "54 0c 84 83 8d 89 f7 2c 24 46 1a ad 6d 26 f5 9e ca ba 9a cb bb"
                                                "31 7b 66 d9 02 f4 f2 92 a3 6a c1 b6 39 c6 37 ce 34 31 17 b6 59"
                                                "62 22 45 31 7b 49 ee da 0c 62 58 f1 00 d7 d9 61 ff b1 38 64 7e"
                                                "92 ea 33 0f ae ea 6d fa 31 c7 a8 4d c3 bd 7e 1b 7a 6c 71 78 af"
                                                "36 87 90 18 e3 f2 52 10 7f 24 3d 24 3d c7 33 9d 56 84 c8 b0 37"
                                                "8b f3 02 44 da 8c 87 c8 43 f5 e5 6e b4 c5 e8 28 0a 2b 48 05 2c"
                                                "f9 3b 16 49 9a 66 db 7c ca 71 e4 59 94 26 f7 d4 61 e6 6f 99 88"
                                                "2b d8 9f c5 08 00 be cc a6 2d 6c 74 11 6d bd 29 72 fd a1 fa 80"
                                                "f8 5d f8 81 ed be 5a 37 66 89 36 b3 35 58 3b 59 91 86 dc 5c 69"
                                                "18 a3 96 fa 48 a1 81 d6 b6 fa 4f 9d 62 d5 13 af bb 99 2f 2b 99"
                                                "2f 67 f8 af e6 7f 76 91 3f a3 88 cb 56 30 c8 ca 01 e0 c6 5d 11"
                                                "c6 6a 1e 2a c4 c8 59 77 b7 c7 a6 99 9b bf 10 dc 35 ae 69 f5 51"
                                                "56 14 63 6c 0b 9b 68 c1 9e d2 e3 1c 0b 3b 66 76 30 38 eb ba 42"
                                                "f3 b3 8e dc 03 99 f3 a9 f2 3f aa 63 97 8c 31 7f c9 fa 66 a7 3f"
                                                "60 f0 50 4d e9 3b 5b 84 5e 27 55 92 c1 23 35 ee 34 0b bc 4f dd"
                                                "d5 02 78 40 16 e4 b3 be 7e f0 4d da 49 f4 b4 40 a3 0c b5 d2 af"
                                                "93 98 28 fd 4a e3 79 4e 44 f9 4d f5 a6 31 ed e4 2c 17 19 bf da"
                                                "bf 02 53 fe 51 75 be 89 8e 75 0e dc 53 37 0d 2b"),
                       Botan::hex_decode_locked("08 00 00 24 00 22 00 0a 00 14 00 12 00 1d"
                                                "00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40"
                                                "01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30"
                                                "82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d"
                                                "01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61"
                                                "30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36"
                                                "30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04"
                                                "03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01"
                                                "01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30"
                                                "3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a"
                                                "24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e"
                                                "aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01"
                                                "8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53"
                                                "0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab"
                                                "9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01"
                                                "a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d"
                                                "0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05"
                                                "00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17"
                                                "06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5"
                                                "8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72"
                                                "60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63"
                                                "a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84"
                                                "e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29"
                                                "ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 5a 74 7c 5d"
                                                "88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a b3"
                                                "ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 3a 5c 14 1a 07 86"
                                                "53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca b6 d3 0b be"
                                                "8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44 5c"
                                                "9e a5 8c 18 1e 81 8e 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a 3d"
                                                "a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 f3 14 00"
                                                "00 20 9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4 de da 4a b4 2c"
                                                "30 95 72 cb 7f ff ee 54 54 b7 8f 07 18"
                                                "16" /* to-be-encrypted content type */));

   // encrypted with client_handshake_traffic_secret
   const auto encrypted_client_finished_message =
      RFC8448_TestData("encrypted_client_finished_message",
                       Connection_Side::Client,
                       Botan::hex_decode("17 03 03 00 35"),
                       Botan::hex_decode_locked("75 ec 4d c2 38 cc e6"
                                                "0b 29 80 44 a7 1e 21 9c 56 cc 77 b0 51 7f e9 b9 3c 7a 4b fc 44"
                                                "d8 7f 38 f8 03 38 ac 98 fc 46 de b3 84 bd 1c ae ac ab 68 67 d7"
                                                "26 c4 05 46"),
                       Botan::hex_decode_locked("14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a c1"
                                                "fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61"
                                                "16" /* to-be-encrypted content type */));

   // encrypted with server_application_traffic_secret
   const auto encrypted_new_session_ticket =
      RFC8448_TestData("encrypted_new_session_ticket",
                       Connection_Side::Server,
                       Botan::hex_decode("17 03 03 00 de"),
                       Botan::hex_decode_locked("3a 6b 8f 90 41 4a 97"
                                                "d6 95 9c 34 87 68 0d e5 13 4a 2b 24 0e 6c ff ac 11 6e 95 d4 1d"
                                                "6a f8 f6 b5 80 dc f3 d1 1d 63 c7 58 db 28 9a 01 59 40 25 2f 55"
                                                "71 3e 06 1d c1 3e 07 88 91 a3 8e fb cf 57 53 ad 8e f1 70 ad 3c"
                                                "73 53 d1 6d 9d a7 73 b9 ca 7f 2b 9f a1 b6 c0 d4 a3 d0 3f 75 e0"
                                                "9c 30 ba 1e 62 97 2a c4 6f 75 f7 b9 81 be 63 43 9b 29 99 ce 13"
                                                "06 46 15 13 98 91 d5 e4 c5 b4 06 f1 6e 3f c1 81 a7 7c a4 75 84"
                                                "00 25 db 2f 0a 77 f8 1b 5a b0 5b 94 c0 13 46 75 5f 69 23 2c 86"
                                                "51 9d 86 cb ee ac 87 aa c3 47 d1 43 f9 60 5d 64 f6 50 db 4d 02"
                                                "3e 70 e9 52 ca 49 fe 51 37 12 1c 74 bc 26 97 68 7e 24 87 46 d6"
                                                "df 35 30 05 f3 bc e1 86 96 12 9c 81 53 55 6b 3b 6c 67 79 b3 7b"
                                                "f1 59 85 68 4f"),
                       Botan::hex_decode_locked("04 00 00 c9 00 00 00 1e fa d6 aa c5 02 00"
                                                "00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 00 26 2a"
                                                "64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c 49 88 83"
                                                "c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 72 83 f8"
                                                "2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 27 db 27"
                                                "9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da"
                                                "fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d"
                                                "8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 17 64 6f"
                                                "ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 5e 5b fb"
                                                "c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00 04 00 00"
                                                "04 00"
                                                "16" /* to-be-encrypted content type */));

   // encrypted with client_application_traffic_secret
   const auto encrypted_application_data_client =
      RFC8448_TestData("encrypted_application_data_client",
                       Connection_Side::Client,
                       Botan::hex_decode("17 03 03 00 43"),
                       Botan::hex_decode_locked("a2 3f 70 54 b6 2c 94"
                                                "d0 af fa fe 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f 2b"
                                                "98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b 62 97 4e 1f 5a 62"
                                                "92 a2 97 70 14 bd 1e 3d ea e6 3a ee bb 21 69 49 15 e4"),
                       Botan::hex_decode_locked("00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e"
                                                "0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23"
                                                "24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31"
                                                "17" /* to-be-encrypted content type */));

   // encrypted with server_application_traffic_secret
   const auto encrypted_application_data_server =
      RFC8448_TestData("encrypted_application_data_server",
                       Connection_Side::Server,
                       Botan::hex_decode("17 03 03 00 43"),
                       Botan::hex_decode_locked("2e 93 7e 11 ef 4a c7"
                                                "40 e5 38 ad 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36 e3"
                                                "0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8 fc c4 9c 4b f2 e5"
                                                "f0 a2 1c 00 47 c2 ab f3 32 54 0d d0 32 e1 67 c2 95 5d"),
                       Botan::hex_decode_locked("00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e"
                                                "0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23"
                                                "24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31"
                                                "17" /* to-be-encrypted content type */));

   auto cipher = Ciphersuite::from_name("AES_128_GCM_SHA256").value();

   // initialize Cipher_State with client_hello...server_hello
   Journaling_Secret_Logger sl_client;
   Journaling_Secret_Logger sl_server;
   auto cs_client = Cipher_State::init_with_server_hello(
      Connection_Side::Client, secure_vector<uint8_t>(shared_secret), cipher, th_server_hello, sl_client);
   auto cs_server = Cipher_State::init_with_server_hello(
      Connection_Side::Server, secure_vector<uint8_t>(shared_secret), cipher, th_server_hello, sl_server);

   auto CHECK_both = make_CHECK_both(cs_client.get(), &sl_client, cs_server.get(), &sl_server);

   return Test::flatten_result_lists(
      {CHECK_both(
          "secret logging during initialization",
          [&](Cipher_State*, Journaling_Secret_Logger* sl, Connection_Side, Test::Result& result) {
             result.test_eq("logged expected secrets", sl->secrets.size(), 2);
             result.require("has client traffic secret", sl->secrets.contains("CLIENT_HANDSHAKE_TRAFFIC_SECRET"));
             result.require("has server traffic secret", sl->secrets.contains("SERVER_HANDSHAKE_TRAFFIC_SECRET"));

             result.test_is_eq("client traffic secret",
                               sl->secrets.at("CLIENT_HANDSHAKE_TRAFFIC_SECRET"),
                               client_handshake_traffic_secret);
             result.test_is_eq("server traffic secret",
                               sl->secrets.at("SERVER_HANDSHAKE_TRAFFIC_SECRET"),
                               server_handshake_traffic_secret);
          }),

       CHECK_both("ciphersuite compatibility",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side side, Test::Result& result) {
                     result.confirm("self-compatibility", cs->is_compatible_with(cipher));
                     result.confirm(
                        "fully defined state is not compatible to other suites",
                        !cs->is_compatible_with(Ciphersuite::from_name("CHACHA20_POLY1305_SHA256").value()) &&
                           !cs->is_compatible_with(Ciphersuite::from_name("AES_128_CCM_SHA256").value()) &&
                           !cs->is_compatible_with(Ciphersuite::from_name("PSK_WITH_AES_128_GCM_SHA256").value()));
                     if(side == Connection_Side::Client) {
                        result.confirm("Clients don't expect unprotected alerts after server hello",
                                       !cs->must_expect_unprotected_alert_traffic());
                     } else {
                        result.confirm("Servers must expect unprotected alerts in response to their server hello",
                                       cs->must_expect_unprotected_alert_traffic());
                     }
                  }),

       CHECK_both("ticket nonce counter is not yet available",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
                     result.test_throws<Botan::Invalid_State>("nonce counter is disabled",
                                                              [&] { cs->next_ticket_nonce(); });
                  }),

       CHECK_both("handshake traffic without PSK",
                  [&](Cipher_State* cs, Journaling_Secret_Logger* sl, Connection_Side side, Test::Result& result) {
                     result.confirm("can not yet write application data", !cs->can_encrypt_application_traffic());
                     result.confirm("can not yet export key material", !cs->can_export_keys());

                     // decrypt encrypted extensions from server
                     encrypted_extensions.xxcrypt(result, cs, side);

                     // validate the MAC we receive in server Finished message
                     const auto expected_server_mac = Botan::hex_decode(
                        "9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4"
                        "de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18");
                     if(side == Connection_Side::Client) {
                        result.confirm("expecting the correct MAC for server finished",
                                       cs->verify_peer_finished_mac(th_pre_server_finished, expected_server_mac));
                     } else {
                        result.test_eq("expecting the correct MAC for server finished",
                                       cs->finished_mac(th_pre_server_finished),
                                       expected_server_mac);
                     }

                     // advance Cipher_State with client_hello...server_Finished
                     // (allows receiving of application data, but does not yet allow such sending)
                     result.test_no_throw("state advancement is legal",
                                          [&] { cs->advance_with_server_finished(th_server_finished, *sl); });

                     if(side == Connection_Side::Client) {
                        result.confirm("can read application data", cs->can_decrypt_application_traffic());
                        result.confirm("can not yet write application data", !cs->can_encrypt_application_traffic());
                        result.confirm("Clients don't expect unprotected alerts after server hello",
                                       !cs->must_expect_unprotected_alert_traffic());
                     } else {
                        result.confirm("can not yet read application data", !cs->can_decrypt_application_traffic());
                        result.confirm("can write application data", cs->can_encrypt_application_traffic());
                        result.confirm("Servers must expect unprotected alerts in response to their first flight",
                                       cs->must_expect_unprotected_alert_traffic());
                     }

                     // check the logged key material
                     result.test_eq("contains expected number of keys", sl->secrets.size(), 5);
                     result.require("has client traffic secret", sl->secrets.contains("CLIENT_TRAFFIC_SECRET_0"));
                     result.require("has server traffic secret", sl->secrets.contains("SERVER_TRAFFIC_SECRET_0"));
                     result.require("has exporter secret", sl->secrets.contains("EXPORTER_SECRET"));
                     result.test_eq(
                        "client traffic secret (0)", sl->secrets.at("CLIENT_TRAFFIC_SECRET_0"), client_traffic_secret);
                     result.test_eq(
                        "server traffic secret (0)", sl->secrets.at("SERVER_TRAFFIC_SECRET_0"), server_traffic_secret);

                     // generate the MAC for the client Finished message
                     const auto expected_client_mac = Botan::hex_decode(
                        "a8 ec 43 6d 67 76 34 ae 52 5a c1 fc eb e1 1a 03"
                        "9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61");
                     if(side == Connection_Side::Client) {
                        result.test_eq("generating the correct MAC for client finished",
                                       cs->finished_mac(th_server_finished),
                                       expected_client_mac);
                     } else {
                        result.confirm("verify the correct MAC for client finished",
                                       cs->verify_peer_finished_mac(th_server_finished, expected_client_mac));
                     }

                     // encrypt client Finished message by client
                     // (under the client handshake traffic secret)
                     encrypted_client_finished_message.xxcrypt(result, cs, side);

                     // advance Cipher_State with client_hello...client_Finished
                     // (allows generation of resumption PSKs)
                     result.test_no_throw("state advancement is legal",
                                          [&] { cs->advance_with_client_finished(th_client_finished); });

                     result.confirm("can write application data", cs->can_encrypt_application_traffic());
                     result.confirm("can read application data", cs->can_decrypt_application_traffic());
                     result.confirm("doesn't need to expect unprotected alerts",
                                    !cs->must_expect_unprotected_alert_traffic());
                     result.confirm("can export key material", cs->can_export_keys());
                     result.test_eq("key export produces expected result",
                                    cs->export_key(export_label, export_context, 16),
                                    expected_key_export);

                     // decrypt "new session ticket" post-handshake message from server
                     // (encrypted under the application traffic secret)
                     encrypted_new_session_ticket.xxcrypt(result, cs, side);

                     // encrypt application data by client
                     encrypted_application_data_client.xxcrypt(result, cs, side);

                     // decrypt application data from server
                     // (encrypted under the application traffic secret -- and a new sequence number)
                     encrypted_application_data_server.xxcrypt(result, cs, side);

                     result.confirm("can export key material still", cs->can_export_keys());
                     result.test_eq("key export result did not change",
                                    cs->export_key(export_label, export_context, 16),
                                    expected_key_export);
                  }),

       CHECK_both("ticket nonce counter counts",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
                     result.test_is_eq("nonce is 0x00, 0x00",
                                       cs->next_ticket_nonce(),
                                       Botan::TLS::Ticket_Nonce(std::vector<uint8_t>{0x00, 0x00}));
                     result.test_is_eq("nonce is 0x00, 0x01",
                                       cs->next_ticket_nonce(),
                                       Botan::TLS::Ticket_Nonce(std::vector<uint8_t>{0x00, 0x01}));
                     result.test_is_eq("nonce is 0x00, 0x02",
                                       cs->next_ticket_nonce(),
                                       Botan::TLS::Ticket_Nonce(std::vector<uint8_t>{0x00, 0x02}));

                     for(uint32_t i = 3; i < std::numeric_limits<uint16_t>::max(); ++i) {
                        cs->next_ticket_nonce();
                     }

                     // Cannot generate more than 2^16 ticket nonces
                     result.test_throws<Botan::Invalid_State>("nonces are depleted", [&] { cs->next_ticket_nonce(); });
                  }),

       CHECK_both("PSK",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
                     // derive PSK for resumption
                     const auto psk = cs->psk(Botan::TLS::Ticket_Nonce(
                        std::vector<uint8_t>{0x00, 0x00}) /* ticket_nonce as defined in RFC 8448 */);
                     result.test_eq("PSK matches", psk, expected_psk);
                  }),

       CHECK_both("key update",
                  [&](Cipher_State* cs, Journaling_Secret_Logger* sl, Connection_Side side, Test::Result& result) {
                     const auto* const read_label =
                        side == Connection_Side::Client ? "SERVER_TRAFFIC_SECRET_1" : "CLIENT_TRAFFIC_SECRET_1";
                     const auto* const write_label =
                        side == Connection_Side::Client ? "CLIENT_TRAFFIC_SECRET_1" : "SERVER_TRAFFIC_SECRET_1";

                     cs->update_read_keys(*sl);
                     result.test_eq("read secret update is here", sl->secrets.size(), 6);
                     result.require("has new read traffic secret", sl->secrets.contains(read_label));

                     cs->update_write_keys(*sl);
                     result.test_eq("write secret update is here", sl->secrets.size(), 7);
                     result.require("has new write traffic secret", sl->secrets.contains(write_label));

                     result.test_eq("client traffic secret (1)",
                                    sl->secrets.at("CLIENT_TRAFFIC_SECRET_1"),
                                    updated_client_traffic_secret);
                     result.test_eq("server traffic secret (1)",
                                    sl->secrets.at("SERVER_TRAFFIC_SECRET_1"),
                                    updated_server_traffic_secret);

                     result.confirm("can encrypt application traffic", cs->can_encrypt_application_traffic());
                  }),

       CHECK_both("cleanup", [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
          // cleanup
          cs->clear_write_keys();
          result.confirm("can no longer write application data", !cs->can_encrypt_application_traffic());
          result.confirm("can still read application data", cs->can_decrypt_application_traffic());

          cs->clear_read_keys();
          result.confirm("can no longer write application data", !cs->can_encrypt_application_traffic());
          result.confirm("can no longer read application data", !cs->can_decrypt_application_traffic());
       })});
}

std::vector<Test::Result> test_secret_derivation_rfc8448_rtt0() {
   // this is the PSK that was negotiated for session resumption in RFC 8448 (see test case above)
   const auto psk = Botan::hex_decode_locked(
      "4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c a4 c5"
      "85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3");

   // this shared secret is obtained by a key exchange performed additionally to
   // the pre-shared-key.
   const auto shared_secret = Botan::hex_decode_locked(
      "f4 41 94 75 6f f9 ec 9d 25 18 06 35 d6 6e a6 82"
      "4c 6a b3 bf 17 99 77 be 37 f7 23 57 0e 7c cb 2e");

   // transcript hash of the client hello up to (including) the PSK modes
   // (used to calculate the PSK binder)
   const auto th_client_hello_prefix = Botan::hex_decode(
      "63 22 4b 2e 45 73 f2 d3 45 4c a8 4b 9d 00 9a 04"
      "f6 be 9e 05 71 1a 83 96 47 3a ef a0 1e 92 4a 14");

   // transcript hash of the client hello including the PSK identity and binders
   const auto th_client_hello = Botan::hex_decode(
      "08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b"
      "8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13");

   const auto th_server_hello = Botan::hex_decode(
      "f7 36 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c c7"
      "10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03");

   // this is not directly exposed in RFC 8448 but calculated as
   // SHA-256(ClientHello..EncryptedExtensions)
   const auto th_pre_server_finished = Botan::hex_decode(
      "04 05 54 55 ef 74 b2 32 2b a3 66 cb c4 cf e0 27"
      "23 43 4b 37 b9 b3 67 1b b5 a3 00 60 56 d8 f0 2f");

   const auto th_server_finished = Botan::hex_decode(
      "b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04"
      "b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3");

   // this is not directly exposed in RFC 8448 but calculated as
   // SHA-256(ClientHello..EndOfEarlyData)
   const auto th_end_of_early_data = Botan::hex_decode(
      "9f 23 a0 0c 1f 08 fc 18 80 7b 8b 68 23 7b 56 5d"
      "f2 0d 4c 50 dd 8e 49 ef 61 2e 1a 5b b1 6c 58 67");

   const auto th_client_finished = Botan::hex_decode(
      "c3 c1 22 e0 bd 90 7a 4a 3f f6 11 2d 8f d5 3d bf"
      "89 c7 73 d9 55 2e 8b 6b 9d 56 d3 61 b3 a9 7b f6");

   const auto expected_psk_binder = Botan::hex_decode(
      "3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e f5 e8"
      "8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d");

   const auto early_exporter_secret = Botan::hex_decode(
      "b2 02 68 66 61 09 37 d7 42 3e 5b e9 08 62 cc f2"
      "4c 0e 60 91 18 6d 34 f8 12 08 9f f5 be 2e f7 df");

   const auto client_handshake_traffic_secret = Botan::hex_decode(
      "2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8 2d c6"
      "2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f");

   const auto server_handshake_traffic_secret = Botan::hex_decode(
      "fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0"
      "20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03");

   const auto client_traffic_secret = Botan::hex_decode(
      "2a bb f2 b8 e3 81 d2 3d be be 1d d2 a7 d1 6a 8b"
      "f4 84 cb 49 50 d2 3f b7 fb 7f a8 54 70 62 d9 a1");

   const auto server_traffic_secret = Botan::hex_decode(
      "cc 21 f1 bf 8f eb 7d d5 fa 50 5b d9 c4 b4 68 a9"
      "98 4d 55 4a 99 3d c4 9e 6d 28 55 98 fb 67 26 91");

   const auto exporter_secret = Botan::hex_decode(
      "3f d9 3d 4f fd dc 98 e6 4b 14 dd 10 7a ed f8 ee"
      "4a dd 23 f4 51 0f 58 a4 59 2d 0b 20 1b ee 56 b4");

   // this is not part of RFC 8448
   const std::string export_label = "export_test_label";
   const std::string export_context = "rfc8448_psk";
   const auto expected_key_export = Botan::hex_decode_locked("b5 89 bc b4 0b 7f 94 d7 6f 2d d6 fc f9 e5 87 8e");

   // this is not part of RFC 8448
   const std::string early_export_label = "export_test_label_early";
   const std::string early_export_context = "rfc8448_psk_early";
   const auto early_expected_key_export = Botan::hex_decode_locked("b6 fb 7d 9e b5 4e 97 59 6f e4 ed 93 cc b0 bf 0c");

   // encrypted with server_handshake_traffic_secret
   const auto encrypted_extensions =
      RFC8448_TestData("encrypted_extensions",
                       Connection_Side::Server,
                       Botan::hex_decode("17 03 03 00 61"),
                       Botan::hex_decode_locked("dc 48 23 7b 4b 87 9f"
                                                "50 d0 d4 d2 62 ea 8b 47 16 eb 40 dd c1 eb 95 7e 11 12 6e 8a 71"
                                                "49 c2 d0 12 d3 7a 71 15 95 7e 64 ce 30 00 8b 9e 03 23 f2 c0 5a"
                                                "9c 1c 77 b4 f3 78 49 a6 95 ab 25 50 60 a3 3f ee 77 0c a9 5c b8"
                                                "48 6b fd 08 43 b8 70 24 86 5c a3 5c c4 1c 4e 51 5c 64 dc b1 36"
                                                "9f 98 63 5b c7 a5"),
                       Botan::hex_decode_locked("08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00"
                                                "17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01"
                                                "00 00 00 00 00 2a 00 00 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac"
                                                "ff 14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a"
                                                "34 b2"
                                                "16" /* to-be-encrypted content type */));

   // encrypted with client_handshake_traffic_secret
   const auto encrypted_client_finished_message =
      RFC8448_TestData("encrypted_client_finished_message",
                       Connection_Side::Client,
                       Botan::hex_decode("17 03 03 00 35"),
                       Botan::hex_decode_locked("00 f8 b4 67 d1 4c f2"
                                                "2a 4b 3f 0b 6a e0 d8 e6 cc 8d 08 e0 db 35 15 ef 5c 2b df 19 22"
                                                "ea fb b7 00 09 96 47 16 d8 34 fb 70 c3 d2 a5 6c 5b 1f 5f 6b db"
                                                "a6 c3 33 cf"),
                       Botan::hex_decode_locked("14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f"
                                                "c5 e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d"
                                                "16" /* to-be-encrypted content type */));

   // encrypted with client_application_traffic_secret
   const auto encrypted_application_data_client =
      RFC8448_TestData("encrypted_application_data_client",
                       Connection_Side::Client,
                       Botan::hex_decode("17 03 03 00 43"),
                       Botan::hex_decode_locked("b1 ce bc e2 42 aa 20"
                                                "1b e9 ae 5e 1c b2 a9 aa 4b 33 d4 e8 66 af 1e db 06 89 19 23 77"
                                                "41 aa 03 1d 7a 74 d4 91 c9 9b 9d 4e 23 2b 74 20 6b c6 fb aa 04"
                                                "fe 78 be 44 a9 b4 f5 43 20 a1 7e b7 69 92 af ac 31 03"),
                       Botan::hex_decode_locked("00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e"
                                                "0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23"
                                                "24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31"
                                                "17" /* to-be-encrypted content type */));

   // encrypted with server_application_traffic_secret
   const auto encrypted_application_data_server =
      RFC8448_TestData("encrypted_application_data_server",
                       Connection_Side::Server,
                       Botan::hex_decode("17 03 03 00 43"),
                       Botan::hex_decode_locked("27 5e 9f 20 ac ff 57"
                                                "bc 00 06 57 d3 86 7d f0 39 cc cf 79 04 78 84 cf 75 77 17 46 f7"
                                                "40 b5 a8 3f 46 2a 09 54 c3 58 13 93 a2 03 a2 5a 7d d1 41 41 ef"
                                                "1a 37 90 0c db 62 ff 62 de e1 ba 39 ab 25 90 cb f1 94"),
                       Botan::hex_decode_locked("00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e"
                                                "0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23"
                                                "24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31"
                                                "17" /* to-be-encrypted content type */));

   auto cipher = Ciphersuite::from_name("AES_128_GCM_SHA256").value();

   Journaling_Secret_Logger sl_client;
   Journaling_Secret_Logger sl_server;

   auto cs_client = Cipher_State::init_with_psk(Connection_Side::Client,
                                                Cipher_State::PSK_Type::Resumption,
                                                secure_vector<uint8_t>(psk.begin(), psk.end()),
                                                cipher.prf_algo());
   auto cs_server = Cipher_State::init_with_psk(Connection_Side::Server,
                                                Cipher_State::PSK_Type::Resumption,
                                                secure_vector<uint8_t>(psk.begin(), psk.end()),
                                                cipher.prf_algo());

   auto CHECK_both = make_CHECK_both(cs_client.get(), &sl_client, cs_server.get(), &sl_server);

   return Test::flatten_result_lists(
      {CHECK_both("no secrets logged for PSK initialization",
                  [&](Cipher_State*, Journaling_Secret_Logger* sl, Connection_Side, Test::Result& result) {
                     result.test_eq("no secrets logged", sl->secrets.size(), 0);
                  }),

       CHECK_both("calculating PSK binder",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
                     const auto mac = cs->psk_binder_mac(th_client_hello_prefix);
                     result.test_eq("PSK binder is as expected", mac, expected_psk_binder);
                  }),

       CHECK_both(
          "ciphersuite compatibility",
          [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side, Test::Result& result) {
             result.confirm("self-compatibility", cs->is_compatible_with(cipher));
             result.confirm("partially defined state is compatible with suites using the same hash",
                            cs->is_compatible_with(Ciphersuite::from_name("CHACHA20_POLY1305_SHA256").value()) &&
                               cs->is_compatible_with(Ciphersuite::from_name("AES_128_CCM_SHA256").value()) &&
                               cs->is_compatible_with(Ciphersuite::from_name("AES_128_CCM_8_SHA256").value()));

             result.confirm("partially defined state is not compatible with other hashes or protocol versions",
                            !cs->is_compatible_with(Ciphersuite::from_name("PSK_WITH_AES_128_GCM_SHA256").value()) &&
                               !cs->is_compatible_with(Ciphersuite::from_name("AES_256_GCM_SHA384").value()));
          }),

       CHECK_both("calculate the early traffic secrets",
                  [&](Cipher_State* cs, Journaling_Secret_Logger* sl, Connection_Side side, Test::Result& result) {
                     cs->advance_with_client_hello(th_client_hello, *sl);
                     result.require("early key export is possible", cs->can_export_keys());
                     result.test_eq("early key export produces expected result",
                                    cs->export_key(early_export_label, early_export_context, 16),
                                    early_expected_key_export);

                     if(side == Connection_Side::Client) {
                        result.confirm("Clients must expect servers to respond with an unprotected alert",
                                       cs->must_expect_unprotected_alert_traffic());
                     } else {
                        result.confirm(
                           "Servers do not expect clients to send alerts protected with the early data secret",
                           !cs->must_expect_unprotected_alert_traffic());
                     }

                     result.test_eq("logged early secrets", sl->secrets.size(), 1);
                     result.require("has early exporter secret", sl->secrets.contains("EARLY_EXPORTER_MASTER_SECRET"));
                     result.test_eq(
                        "early exporter secret", sl->secrets.at("EARLY_EXPORTER_MASTER_SECRET"), early_exporter_secret);

                     // TODO: Once 0-RTT traffic is implemented this will likely allow handling of
                     //       application traffic in this state.
                     result.confirm("can not yet write application data", !cs->can_encrypt_application_traffic());
                     result.confirm("can not yet read application data", !cs->can_decrypt_application_traffic());
                  }),

       CHECK_both(
          "handshake traffic after PSK",
          [&](Cipher_State* cs, Journaling_Secret_Logger* sl, Connection_Side side, Test::Result& result) {
             cs->advance_with_server_hello(cipher, secure_vector<uint8_t>(shared_secret), th_server_hello, *sl);

             // decrypt encrypted extensions from server
             encrypted_extensions.xxcrypt(result, cs, side);

             // check the logged key material
             result.test_eq("contains expected number of keys", sl->secrets.size(), 3);
             result.require("has client handshake traffic secret",
                            sl->secrets.contains("CLIENT_HANDSHAKE_TRAFFIC_SECRET"));
             result.require("has server handshake traffic secret",
                            sl->secrets.contains("SERVER_HANDSHAKE_TRAFFIC_SECRET"));
             result.test_eq("client handshake traffic secret",
                            sl->secrets.at("CLIENT_HANDSHAKE_TRAFFIC_SECRET"),
                            client_handshake_traffic_secret);
             result.test_eq("server handshake traffic secret",
                            sl->secrets.at("SERVER_HANDSHAKE_TRAFFIC_SECRET"),
                            server_handshake_traffic_secret);

             // TODO: Handling of early traffic is left out as 0-RTT is not implemented yet.

             // validate the MAC we receive in server Finished message
             const auto expected_server_mac = Botan::hex_decode(
                "48 d3 e0 e1 b3 d9 07 c6 ac ff 14 5e 16 09 03 88"
                "c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 b2");
             if(side == Connection_Side::Client) {
                result.confirm("expecting the correct MAC for server finished",
                               cs->verify_peer_finished_mac(th_pre_server_finished, expected_server_mac));
                result.confirm("Clients don't expect unprotected alerts after server hello",
                               !cs->must_expect_unprotected_alert_traffic());
             } else {
                result.test_eq("expecting the correct MAC for server finished",
                               cs->finished_mac(th_pre_server_finished),
                               expected_server_mac);
                result.confirm("Servers must expect unprotected alerts in response to their server hello",
                               cs->must_expect_unprotected_alert_traffic());
             }

             result.confirm("cannot read application data", !cs->can_decrypt_application_traffic());
             result.confirm("cannot write application data", !cs->can_encrypt_application_traffic());

             // advance Cipher_State with client_hello...server_Finished
             // (allows receiving of application data, but no such sending)
             result.test_no_throw("state advancement is legal",
                                  [&] { cs->advance_with_server_finished(th_server_finished, *sl); });

             if(side == Connection_Side::Client) {
                result.confirm("can read application data", cs->can_decrypt_application_traffic());
                result.confirm("cannot write application data", !cs->can_encrypt_application_traffic());
                result.confirm("Clients don't expect unprotected alerts after server hello",
                               !cs->must_expect_unprotected_alert_traffic());
             } else {
                result.confirm("cannot read application data", !cs->can_decrypt_application_traffic());
                result.confirm("can write application data", cs->can_encrypt_application_traffic());
                result.confirm("Servers must expect unprotected alerts in response to their first flight",
                               cs->must_expect_unprotected_alert_traffic());
             }

             // check the logged key material
             result.test_eq("contains expected number of keys", sl->secrets.size(), 6);
             result.require("has client traffic secret", sl->secrets.contains("CLIENT_TRAFFIC_SECRET_0"));
             result.require("has server traffic secret", sl->secrets.contains("SERVER_TRAFFIC_SECRET_0"));
             result.require("has exporter secret", sl->secrets.contains("EXPORTER_SECRET"));
             result.test_eq("client traffic secret", sl->secrets.at("CLIENT_TRAFFIC_SECRET_0"), client_traffic_secret);
             result.test_eq("server traffic secret", sl->secrets.at("SERVER_TRAFFIC_SECRET_0"), server_traffic_secret);
             result.test_eq("exporter secret", sl->secrets.at("EXPORTER_SECRET"), exporter_secret);

             // generate the MAC for the client Finished message
             const auto expected_client_mac = Botan::hex_decode(
                "72 30 a9 c9 52 c2 5c d6 13 8f c5 e6 62 83 08 c4"
                "1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d");
             if(side == Connection_Side::Client) {
                result.test_eq("generating the correct MAC for client finished",
                               cs->finished_mac(th_end_of_early_data),
                               expected_client_mac);
             } else {
                result.confirm("verify the correct MAC for client finished",
                               cs->verify_peer_finished_mac(th_end_of_early_data, expected_client_mac));
             }

             // encrypt client Finished message by client
             // (under the client handshake traffic secret)
             encrypted_client_finished_message.xxcrypt(result, cs, side);
          }),

       CHECK_both("application traffic after PSK",
                  [&](Cipher_State* cs, Journaling_Secret_Logger*, Connection_Side side, Test::Result& result) {
                     // advance Cipher_State with client_hello...client_Finished
                     // (allows generation of resumption PSKs)
                     result.test_no_throw("state advancement is legal",
                                          [&] { cs->advance_with_client_finished(th_client_finished); });

                     result.confirm("can read application data", cs->can_decrypt_application_traffic());
                     result.confirm("can write application data", cs->can_encrypt_application_traffic());
                     result.confirm("doesn't need to expect unprotected alerts",
                                    !cs->must_expect_unprotected_alert_traffic());
                     result.confirm("can export key material", cs->can_export_keys());
                     result.test_eq("key export produces expected result",
                                    cs->export_key(export_label, export_context, 16),
                                    expected_key_export);

                     // encrypt application data by client
                     encrypted_application_data_client.xxcrypt(result, cs, side);

                     // decrypt application data from server
                     // (encrypted under the application traffic secret -- and a new sequence number)
                     encrypted_application_data_server.xxcrypt(result, cs, side);
                  })});
}

BOTAN_REGISTER_TEST_FN("tls",
                       "tls_cipher_state",
                       test_secret_derivation_rfc8448_rtt1,
                       test_secret_derivation_rfc8448_rtt0);
}  // namespace

}  // namespace Botan_Tests

#endif

randombit / botan / 21851334357

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous