mbedtls/tests/suites/test_suite_ssl.function

5661 lines
194 KiB
Text
Raw Normal View History

2014-09-24 11:13:44 +02:00
/* BEGIN_HEADER */
2015-03-09 18:05:11 +01:00
#include <mbedtls/ssl.h>
#include <ssl_misc.h>
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#include <mbedtls/timing.h>
#include <mbedtls/debug.h>
#include <ssl_tls13_keys.h>
#include <ssl_tls13_invasive.h>
#include "test/certs.h"
#if defined(MBEDTLS_SSL_CACHE_C)
#include "mbedtls/ssl_cache.h"
#endif
#include <psa/crypto.h>
#include <constant_time_internal.h>
#include <test/constant_flow.h>
enum
{
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
tls13_label_ ## name,
MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
};
typedef struct log_pattern
{
const char *pattern;
size_t counter;
} log_pattern;
/*
* This function can be passed to mbedtls to receive output logs from it. In
* this case, it will count the instances of a log_pattern in the received
* logged messages.
*/
void log_analyzer( void *ctx, int level,
const char *file, int line,
const char *str )
{
log_pattern *p = (log_pattern *) ctx;
(void) level;
(void) line;
(void) file;
if( NULL != p &&
NULL != p->pattern &&
NULL != strstr( str, p->pattern ) )
{
p->counter++;
}
}
typedef struct handshake_test_options
{
const char *cipher;
mbedtls_ssl_protocol_version client_min_version;
mbedtls_ssl_protocol_version client_max_version;
mbedtls_ssl_protocol_version server_min_version;
mbedtls_ssl_protocol_version server_max_version;
mbedtls_ssl_protocol_version expected_negotiated_version;
int expected_handshake_result;
int expected_ciphersuite;
int pk_alg;
int opaque_alg;
int opaque_alg2;
int opaque_usage;
data_t *psk_str;
int dtls;
int srv_auth_mode;
int serialize;
int mfl;
int cli_msg_len;
int srv_msg_len;
int expected_cli_fragments;
int expected_srv_fragments;
int renegotiate;
int legacy_renegotiation;
void *srv_log_obj;
void *cli_log_obj;
void (*srv_log_fun)(void *, int, const char *, int, const char *);
void (*cli_log_fun)(void *, int, const char *, int, const char *);
int resize_buffers;
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_context* cache;
#endif
} handshake_test_options;
void init_handshake_options( handshake_test_options *opts )
{
opts->cipher = "";
opts->client_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->client_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->server_min_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->server_max_version = MBEDTLS_SSL_VERSION_UNKNOWN;
opts->expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
opts->expected_handshake_result = 0;
opts->expected_ciphersuite = 0;
opts->pk_alg = MBEDTLS_PK_RSA;
opts->opaque_alg = 0;
opts->opaque_alg2 = 0;
opts->opaque_usage = 0;
opts->psk_str = NULL;
opts->dtls = 0;
opts->srv_auth_mode = MBEDTLS_SSL_VERIFY_NONE;
opts->serialize = 0;
opts->mfl = MBEDTLS_SSL_MAX_FRAG_LEN_NONE;
opts->cli_msg_len = 100;
opts->srv_msg_len = 100;
opts->expected_cli_fragments = 1;
opts->expected_srv_fragments = 1;
opts->renegotiate = 0;
opts->legacy_renegotiation = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
opts->srv_log_obj = NULL;
opts->srv_log_obj = NULL;
opts->srv_log_fun = NULL;
opts->cli_log_fun = NULL;
opts->resize_buffers = 1;
#if defined(MBEDTLS_SSL_CACHE_C)
opts->cache = malloc( sizeof( mbedtls_ssl_cache_context ) );
mbedtls_ssl_cache_init( opts->cache );
#endif
}
void free_handshake_options( handshake_test_options *opts )
{
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free( opts->cache );
free( opts->cache );
#else
(void) opts;
#endif
}
/*
* Buffer structure for custom I/O callbacks.
*/
typedef struct mbedtls_test_buffer
{
size_t start;
size_t content_length;
size_t capacity;
unsigned char *buffer;
} mbedtls_test_buffer;
/*
* Initialises \p buf. After calling this function it is safe to call
* `mbedtls_test_buffer_free()` on \p buf.
*/
void mbedtls_test_buffer_init( mbedtls_test_buffer *buf )
{
memset( buf, 0, sizeof( *buf ) );
}
/*
* Sets up \p buf. After calling this function it is safe to call
* `mbedtls_test_buffer_put()` and `mbedtls_test_buffer_get()` on \p buf.
*/
int mbedtls_test_buffer_setup( mbedtls_test_buffer *buf, size_t capacity )
{
buf->buffer = (unsigned char*) mbedtls_calloc( capacity,
sizeof(unsigned char) );
if( NULL == buf->buffer )
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
buf->capacity = capacity;
return 0;
}
void mbedtls_test_buffer_free( mbedtls_test_buffer *buf )
{
if( buf->buffer != NULL )
mbedtls_free( buf->buffer );
memset( buf, 0, sizeof( *buf ) );
}
/*
* Puts \p input_len bytes from the \p input buffer into the ring buffer \p buf.
*
* \p buf must have been initialized and set up by calling
* `mbedtls_test_buffer_init()` and `mbedtls_test_buffer_setup()`.
*
* \retval \p input_len, if the data fits.
* \retval 0 <= value < \p input_len, if the data does not fit.
* \retval -1, if \p buf is NULL, it hasn't been set up or \p input_len is not
* zero and \p input is NULL.
*/
int mbedtls_test_buffer_put( mbedtls_test_buffer *buf,
const unsigned char *input, size_t input_len )
{
size_t overflow = 0;
if( ( buf == NULL ) || ( buf->buffer == NULL ) )
return -1;
/* Reduce input_len to a number that fits in the buffer. */
if ( ( buf->content_length + input_len ) > buf->capacity )
{
input_len = buf->capacity - buf->content_length;
}
if( input == NULL )
{
return ( input_len == 0 ) ? 0 : -1;
}
/* Check if the buffer has not come full circle and free space is not in
* the middle */
if( buf->start + buf->content_length < buf->capacity )
{
/* Calculate the number of bytes that need to be placed at lower memory
* address */
if( buf->start + buf->content_length + input_len
> buf->capacity )
{
overflow = ( buf->start + buf->content_length + input_len )
% buf->capacity;
}
memcpy( buf->buffer + buf->start + buf->content_length, input,
input_len - overflow );
memcpy( buf->buffer, input + input_len - overflow, overflow );
}
else
{
/* The buffer has come full circle and free space is in the middle */
memcpy( buf->buffer + buf->start + buf->content_length - buf->capacity,
input, input_len );
}
buf->content_length += input_len;
return input_len;
}
/*
* Gets \p output_len bytes from the ring buffer \p buf into the
* \p output buffer. The output buffer can be NULL, in this case a part of the
* ring buffer will be dropped, if the requested length is available.
*
* \p buf must have been initialized and set up by calling
* `mbedtls_test_buffer_init()` and `mbedtls_test_buffer_setup()`.
*
* \retval \p output_len, if the data is available.
* \retval 0 <= value < \p output_len, if the data is not available.
* \retval -1, if \buf is NULL or it hasn't been set up.
*/
int mbedtls_test_buffer_get( mbedtls_test_buffer *buf,
unsigned char* output, size_t output_len )
{
size_t overflow = 0;
if( ( buf == NULL ) || ( buf->buffer == NULL ) )
return -1;
if( output == NULL && output_len == 0 )
return 0;
if( buf->content_length < output_len )
output_len = buf->content_length;
/* Calculate the number of bytes that need to be drawn from lower memory
* address */
if( buf->start + output_len > buf->capacity )
{
overflow = ( buf->start + output_len ) % buf->capacity;
}
if( output != NULL )
{
memcpy( output, buf->buffer + buf->start, output_len - overflow );
memcpy( output + output_len - overflow, buf->buffer, overflow );
}
buf->content_length -= output_len;
buf->start = ( buf->start + output_len ) % buf->capacity;
return output_len;
}
/*
* Errors used in the message transport mock tests
*/
#define MBEDTLS_TEST_ERROR_ARG_NULL -11
#define MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED -44
/*
* Context for a message metadata queue (fifo) that is on top of the ring buffer.
*/
typedef struct mbedtls_test_message_queue
{
size_t *messages;
int pos;
int num;
int capacity;
} mbedtls_test_message_queue;
/*
* Setup and free functions for the message metadata queue.
*
* \p capacity describes the number of message metadata chunks that can be held
* within the queue.
*
* \retval 0, if a metadata queue of a given length can be allocated.
* \retval MBEDTLS_ERR_SSL_ALLOC_FAILED, if allocation failed.
*/
int mbedtls_test_message_queue_setup( mbedtls_test_message_queue *queue,
size_t capacity )
{
queue->messages = (size_t*) mbedtls_calloc( capacity, sizeof(size_t) );
if( NULL == queue->messages )
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
queue->capacity = capacity;
queue->pos = 0;
queue->num = 0;
return 0;
}
void mbedtls_test_message_queue_free( mbedtls_test_message_queue *queue )
{
if( queue == NULL )
return;
if( queue->messages != NULL )
mbedtls_free( queue->messages );
memset( queue, 0, sizeof( *queue ) );
}
/*
* Push message length information onto the message metadata queue.
* This will become the last element to leave it (fifo).
*
* \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
* \retval MBEDTLS_ERR_SSL_WANT_WRITE, if the queue is full.
* \retval \p len, if the push was successful.
*/
int mbedtls_test_message_queue_push_info( mbedtls_test_message_queue *queue,
size_t len )
{
int place;
if( queue == NULL )
return MBEDTLS_TEST_ERROR_ARG_NULL;
if( queue->num >= queue->capacity )
return MBEDTLS_ERR_SSL_WANT_WRITE;
place = ( queue->pos + queue->num ) % queue->capacity;
queue->messages[place] = len;
queue->num++;
return len;
}
/*
* Pop information about the next message length from the queue. This will be
* the oldest inserted message length(fifo). \p msg_len can be null, in which
* case the data will be popped from the queue but not copied anywhere.
*
* \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
* \retval MBEDTLS_ERR_SSL_WANT_READ, if the queue is empty.
* \retval message length, if the pop was successful, up to the given
\p buf_len.
*/
int mbedtls_test_message_queue_pop_info( mbedtls_test_message_queue *queue,
size_t buf_len )
{
size_t message_length;
if( queue == NULL )
return MBEDTLS_TEST_ERROR_ARG_NULL;
if( queue->num == 0 )
return MBEDTLS_ERR_SSL_WANT_READ;
message_length = queue->messages[queue->pos];
queue->messages[queue->pos] = 0;
queue->num--;
queue->pos++;
queue->pos %= queue->capacity;
if( queue->pos < 0 )
queue->pos += queue->capacity;
return ( message_length > buf_len ) ? buf_len : message_length;
}
/*
* Take a peek on the info about the next message length from the queue.
* This will be the oldest inserted message length(fifo).
*
* \retval MBEDTLS_TEST_ERROR_ARG_NULL, if the queue is null.
* \retval MBEDTLS_ERR_SSL_WANT_READ, if the queue is empty.
* \retval 0, if the peek was successful.
* \retval MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED, if the given buffer length is
* too small to fit the message. In this case the \p msg_len will be
* set to the full message length so that the
* caller knows what portion of the message can be dropped.
*/
int mbedtls_test_message_queue_peek_info( mbedtls_test_message_queue *queue,
size_t buf_len, size_t* msg_len )
{
if( queue == NULL || msg_len == NULL )
return MBEDTLS_TEST_ERROR_ARG_NULL;
if( queue->num == 0 )
return MBEDTLS_ERR_SSL_WANT_READ;
*msg_len = queue->messages[queue->pos];
return ( *msg_len > buf_len ) ? MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED : 0;
}
/*
* Context for the I/O callbacks simulating network connection.
*/
#define MBEDTLS_MOCK_SOCKET_CONNECTED 1
typedef struct mbedtls_mock_socket
{
int status;
mbedtls_test_buffer *input;
mbedtls_test_buffer *output;
struct mbedtls_mock_socket *peer;
} mbedtls_mock_socket;
/*
* Setup and teardown functions for mock sockets.
*/
void mbedtls_mock_socket_init( mbedtls_mock_socket *socket )
{
memset( socket, 0, sizeof( *socket ) );
}
/*
* Closes the socket \p socket.
*
* \p socket must have been previously initialized by calling
* mbedtls_mock_socket_init().
*
* This function frees all allocated resources and both sockets are aware of the
* new connection state.
*
* That is, this function does not simulate half-open TCP connections and the
* phenomenon that when closing a UDP connection the peer is not aware of the
* connection having been closed.
*/
void mbedtls_mock_socket_close( mbedtls_mock_socket* socket )
{
if( socket == NULL )
return;
if( socket->input != NULL )
{
mbedtls_test_buffer_free( socket->input );
mbedtls_free( socket->input );
}
if( socket->output != NULL )
{
mbedtls_test_buffer_free( socket->output );
mbedtls_free( socket->output );
}
if( socket->peer != NULL )
memset( socket->peer, 0, sizeof( *socket->peer ) );
memset( socket, 0, sizeof( *socket ) );
}
/*
* Establishes a connection between \p peer1 and \p peer2.
*
* \p peer1 and \p peer2 must have been previously initialized by calling
* mbedtls_mock_socket_init().
*
* The capacites of the internal buffers are set to \p bufsize. Setting this to
* the correct value allows for simulation of MTU, sanity testing the mock
* implementation and mocking TCP connections with lower memory cost.
*/
int mbedtls_mock_socket_connect( mbedtls_mock_socket* peer1,
mbedtls_mock_socket* peer2,
size_t bufsize )
{
int ret = -1;
peer1->output =
(mbedtls_test_buffer*) mbedtls_calloc( 1, sizeof(mbedtls_test_buffer) );
if( peer1->output == NULL )
{
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
mbedtls_test_buffer_init( peer1->output );
if( 0 != ( ret = mbedtls_test_buffer_setup( peer1->output, bufsize ) ) )
{
goto exit;
}
peer2->output =
(mbedtls_test_buffer*) mbedtls_calloc( 1, sizeof(mbedtls_test_buffer) );
if( peer2->output == NULL )
{
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
mbedtls_test_buffer_init( peer2->output );
if( 0 != ( ret = mbedtls_test_buffer_setup( peer2->output, bufsize ) ) )
{
goto exit;
}
peer1->peer = peer2;
peer2->peer = peer1;
peer1->input = peer2->output;
peer2->input = peer1->output;
peer1->status = peer2->status = MBEDTLS_MOCK_SOCKET_CONNECTED;
ret = 0;
exit:
if( ret != 0 )
{
mbedtls_mock_socket_close( peer1 );
mbedtls_mock_socket_close( peer2 );
}
return ret;
}
/*
* Callbacks for simulating blocking I/O over connection-oriented transport.
*/
int mbedtls_mock_tcp_send_b( void *ctx, const unsigned char *buf, size_t len )
{
mbedtls_mock_socket *socket = (mbedtls_mock_socket*) ctx;
if( socket == NULL || socket->status != MBEDTLS_MOCK_SOCKET_CONNECTED )
return -1;
return mbedtls_test_buffer_put( socket->output, buf, len );
}
int mbedtls_mock_tcp_recv_b( void *ctx, unsigned char *buf, size_t len )
{
mbedtls_mock_socket *socket = (mbedtls_mock_socket*) ctx;
if( socket == NULL || socket->status != MBEDTLS_MOCK_SOCKET_CONNECTED )
return -1;
return mbedtls_test_buffer_get( socket->input, buf, len );
}
/*
* Callbacks for simulating non-blocking I/O over connection-oriented transport.
*/
int mbedtls_mock_tcp_send_nb( void *ctx, const unsigned char *buf, size_t len )
{
mbedtls_mock_socket *socket = (mbedtls_mock_socket*) ctx;
if( socket == NULL || socket->status != MBEDTLS_MOCK_SOCKET_CONNECTED )
return -1;
if( socket->output->capacity == socket->output->content_length )
{
return MBEDTLS_ERR_SSL_WANT_WRITE;
}
return mbedtls_test_buffer_put( socket->output, buf, len );
}
int mbedtls_mock_tcp_recv_nb( void *ctx, unsigned char *buf, size_t len )
{
mbedtls_mock_socket *socket = (mbedtls_mock_socket*) ctx;
if( socket == NULL || socket->status != MBEDTLS_MOCK_SOCKET_CONNECTED )
return -1;
if( socket->input->content_length == 0 )
{
return MBEDTLS_ERR_SSL_WANT_READ;
}
return mbedtls_test_buffer_get( socket->input, buf, len );
}
/* Errors used in the message socket mocks */
#define MBEDTLS_TEST_ERROR_CONTEXT_ERROR -55
#define MBEDTLS_TEST_ERROR_SEND_FAILED -66
#define MBEDTLS_TEST_ERROR_RECV_FAILED -77
/*
* Structure used as an addon, or a wrapper, around the mocked sockets.
* Contains an input queue, to which the other socket pushes metadata,
* and an output queue, to which this one pushes metadata. This context is
* considered as an owner of the input queue only, which is initialized and
* freed in the respective setup and free calls.
*/
typedef struct mbedtls_test_message_socket_context
{
mbedtls_test_message_queue* queue_input;
mbedtls_test_message_queue* queue_output;
mbedtls_mock_socket* socket;
} mbedtls_test_message_socket_context;
void mbedtls_message_socket_init( mbedtls_test_message_socket_context *ctx )
{
ctx->queue_input = NULL;
ctx->queue_output = NULL;
ctx->socket = NULL;
}
/*
* Setup a given mesasge socket context including initialization of
* input/output queues to a chosen capacity of messages. Also set the
* corresponding mock socket.
*
* \retval 0, if everything succeeds.
* \retval MBEDTLS_ERR_SSL_ALLOC_FAILED, if allocation of a message
* queue failed.
*/
int mbedtls_message_socket_setup( mbedtls_test_message_queue* queue_input,
mbedtls_test_message_queue* queue_output,
size_t queue_capacity,
mbedtls_mock_socket* socket,
mbedtls_test_message_socket_context* ctx )
{
int ret = mbedtls_test_message_queue_setup( queue_input, queue_capacity );
if( ret != 0 )
return ret;
ctx->queue_input = queue_input;
ctx->queue_output = queue_output;
ctx->socket = socket;
mbedtls_mock_socket_init( socket );
return 0;
}
/*
* Close a given message socket context, along with the socket itself. Free the
* memory allocated by the input queue.
*/
void mbedtls_message_socket_close( mbedtls_test_message_socket_context* ctx )
{
if( ctx == NULL )
return;
mbedtls_test_message_queue_free( ctx->queue_input );
mbedtls_mock_socket_close( ctx->socket );
memset( ctx, 0, sizeof( *ctx ) );
}
/*
* Send one message through a given message socket context.
*
* \retval \p len, if everything succeeds.
* \retval MBEDTLS_TEST_ERROR_CONTEXT_ERROR, if any of the needed context
* elements or the context itself is null.
* \retval MBEDTLS_TEST_ERROR_SEND_FAILED if mbedtls_mock_tcp_send_b failed.
* \retval MBEDTLS_ERR_SSL_WANT_WRITE, if the output queue is full.
*
* This function will also return any error from
* mbedtls_test_message_queue_push_info.
*/
int mbedtls_mock_tcp_send_msg( void *ctx, const unsigned char *buf, size_t len )
{
mbedtls_test_message_queue* queue;
mbedtls_mock_socket* socket;
mbedtls_test_message_socket_context *context = (mbedtls_test_message_socket_context*) ctx;
if( context == NULL || context->socket == NULL
|| context->queue_output == NULL )
{
return MBEDTLS_TEST_ERROR_CONTEXT_ERROR;
}
queue = context->queue_output;
socket = context->socket;
if( queue->num >= queue->capacity )
return MBEDTLS_ERR_SSL_WANT_WRITE;
if( mbedtls_mock_tcp_send_b( socket, buf, len ) != (int) len )
return MBEDTLS_TEST_ERROR_SEND_FAILED;
return mbedtls_test_message_queue_push_info( queue, len );
}
/*
* Receive one message from a given message socket context and return message
* length or an error.
*
* \retval message length, if everything succeeds.
* \retval MBEDTLS_TEST_ERROR_CONTEXT_ERROR, if any of the needed context
* elements or the context itself is null.
* \retval MBEDTLS_TEST_ERROR_RECV_FAILED if mbedtls_mock_tcp_recv_b failed.
*
* This function will also return any error other than
* MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED from mbedtls_test_message_queue_peek_info.
*/
int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len )
{
mbedtls_test_message_queue* queue;
mbedtls_mock_socket* socket;
mbedtls_test_message_socket_context *context = (mbedtls_test_message_socket_context*) ctx;
size_t drop_len = 0;
size_t msg_len;
int ret;
if( context == NULL || context->socket == NULL
|| context->queue_input == NULL )
{
return MBEDTLS_TEST_ERROR_CONTEXT_ERROR;
}
queue = context->queue_input;
socket = context->socket;
/* Peek first, so that in case of a socket error the data remains in
* the queue. */
ret = mbedtls_test_message_queue_peek_info( queue, buf_len, &msg_len );
if( ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED )
{
/* Calculate how much to drop */
drop_len = msg_len - buf_len;
/* Set the requested message len to be buffer length */
msg_len = buf_len;
} else if( ret != 0 )
{
return ret;
}
if( mbedtls_mock_tcp_recv_b( socket, buf, msg_len ) != (int) msg_len )
return MBEDTLS_TEST_ERROR_RECV_FAILED;
if( ret == MBEDTLS_TEST_ERROR_MESSAGE_TRUNCATED )
{
/* Drop the remaining part of the message */
if( mbedtls_mock_tcp_recv_b( socket, NULL, drop_len ) != (int) drop_len )
{
/* Inconsistent state - part of the message was read,
* and a part couldn't. Not much we can do here, but it should not
* happen in test environment, unless forced manually. */
}
}
mbedtls_test_message_queue_pop_info( queue, buf_len );
return msg_len;
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
/*
* Structure with endpoint's certificates for SSL communication tests.
*/
typedef struct mbedtls_endpoint_certificate
{
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt cert;
mbedtls_pk_context pkey;
} mbedtls_endpoint_certificate;
/*
* Endpoint structure for SSL communication tests.
*/
typedef struct mbedtls_endpoint
{
const char *name;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_mock_socket socket;
mbedtls_endpoint_certificate cert;
} mbedtls_endpoint;
/*
* Initializes \p ep_cert structure and assigns it to endpoint
* represented by \p ep.
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg,
int opaque_alg, int opaque_alg2,
int opaque_usage )
{
int i = 0;
int ret = -1;
mbedtls_endpoint_certificate *cert;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT;
#endif
if( ep == NULL )
{
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
cert = &( ep->cert );
mbedtls_x509_crt_init( &( cert->ca_cert ) );
mbedtls_x509_crt_init( &( cert->cert ) );
mbedtls_pk_init( &( cert->pkey ) );
/* Load the trusted CA */
for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
{
ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ),
(const unsigned char *) mbedtls_test_cas_der[i],
mbedtls_test_cas_der_len[i] );
TEST_ASSERT( ret == 0 );
}
/* Load own certificate and private key */
if( ep->conf.endpoint == MBEDTLS_SSL_IS_SERVER )
{
if( pk_alg == MBEDTLS_PK_RSA )
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der,
mbedtls_test_srv_crt_rsa_sha256_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_rsa_der,
mbedtls_test_srv_key_rsa_der_len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
else
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char*) mbedtls_test_srv_crt_ec_der,
mbedtls_test_srv_crt_ec_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char*) mbedtls_test_srv_key_ec_der,
mbedtls_test_srv_key_ec_der_len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
}
else
{
if( pk_alg == MBEDTLS_PK_RSA )
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_cli_crt_rsa_der,
mbedtls_test_cli_crt_rsa_der_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_rsa_der,
mbedtls_test_cli_key_rsa_der_len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
else
{
ret = mbedtls_x509_crt_parse( &( cert->cert ),
(const unsigned char *) mbedtls_test_cli_crt_ec_der,
mbedtls_test_cli_crt_ec_len );
TEST_ASSERT( ret == 0 );
ret = mbedtls_pk_parse_key( &( cert->pkey ),
(const unsigned char *) mbedtls_test_cli_key_ec_der,
mbedtls_test_cli_key_ec_der_len, NULL, 0,
mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 );
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opaque_alg != 0 )
{
TEST_EQUAL( mbedtls_pk_wrap_as_opaque( &( cert->pkey ), &key_slot,
opaque_alg, opaque_usage,
opaque_alg2 ), 0 );
}
#else
(void) opaque_alg;
(void) opaque_alg2;
(void) opaque_usage;
#endif
mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
&( cert->pkey ) );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( ep->conf.key_cert != NULL );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), NULL, NULL );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( ep->conf.key_cert == NULL );
ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
&( cert->pkey ) );
TEST_ASSERT( ret == 0 );
exit:
if( ret != 0 )
{
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opaque_alg != 0 )
psa_destroy_key( key_slot );
#endif
mbedtls_pk_free( &( cert->pkey ) );
}
return ret;
}
/*
* Initializes \p ep structure. It is important to call `mbedtls_endpoint_free()`
* after calling this function even if it fails.
*
* \p endpoint_type must be set as MBEDTLS_SSL_IS_SERVER or
* MBEDTLS_SSL_IS_CLIENT.
* \p pk_alg the algorithm to use, currently only MBEDTLS_PK_RSA and
* MBEDTLS_PK_ECDSA are supported.
* \p dtls_context - in case of DTLS - this is the context handling metadata.
* \p input_queue - used only in case of DTLS.
* \p output_queue - used only in case of DTLS.
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_endpoint_init( mbedtls_endpoint *ep, int endpoint_type,
handshake_test_options* options,
mbedtls_test_message_socket_context *dtls_context,
mbedtls_test_message_queue *input_queue,
mbedtls_test_message_queue *output_queue,
uint16_t* group_list )
{
int ret = -1;
uintptr_t user_data_n;
if( dtls_context != NULL && ( input_queue == NULL || output_queue == NULL ) )
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
if( ep == NULL )
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
memset( ep, 0, sizeof( *ep ) );
ep->name = ( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ? "Server" : "Client";
mbedtls_ssl_init( &( ep->ssl ) );
mbedtls_ssl_config_init( &( ep->conf ) );
mbedtls_ctr_drbg_init( &( ep->ctr_drbg ) );
mbedtls_ssl_conf_rng( &( ep->conf ),
mbedtls_ctr_drbg_random,
&( ep->ctr_drbg ) );
mbedtls_entropy_init( &( ep->entropy ) );
TEST_ASSERT( mbedtls_ssl_conf_get_user_data_p( &ep->conf ) == NULL );
TEST_EQUAL( mbedtls_ssl_conf_get_user_data_n( &ep->conf ), 0 );
TEST_ASSERT( mbedtls_ssl_get_user_data_p( &ep->ssl ) == NULL );
TEST_EQUAL( mbedtls_ssl_get_user_data_n( &ep->ssl ), 0 );
(void) mbedtls_test_rnd_std_rand( NULL,
(void*) &user_data_n,
sizeof( user_data_n ) );
mbedtls_ssl_conf_set_user_data_n( &ep->conf, user_data_n );
mbedtls_ssl_set_user_data_n( &ep->ssl, user_data_n );
if( dtls_context != NULL )
{
TEST_ASSERT( mbedtls_message_socket_setup( input_queue, output_queue,
100, &( ep->socket ),
dtls_context ) == 0 );
}
else
{
mbedtls_mock_socket_init( &( ep->socket ) );
}
ret = mbedtls_ctr_drbg_seed( &( ep->ctr_drbg ), mbedtls_entropy_func,
&( ep->entropy ), (const unsigned char *) ( ep->name ),
strlen( ep->name ) );
TEST_ASSERT( ret == 0 );
/* Non-blocking callbacks without timeout */
if( dtls_context != NULL )
{
mbedtls_ssl_set_bio( &( ep->ssl ), dtls_context,
mbedtls_mock_tcp_send_msg,
mbedtls_mock_tcp_recv_msg,
NULL );
}
else
{
mbedtls_ssl_set_bio( &( ep->ssl ), &( ep->socket ),
mbedtls_mock_tcp_send_nb,
mbedtls_mock_tcp_recv_nb,
NULL );
}
ret = mbedtls_ssl_config_defaults( &( ep->conf ), endpoint_type,
( dtls_context != NULL ) ?
MBEDTLS_SSL_TRANSPORT_DATAGRAM :
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT );
TEST_ASSERT( ret == 0 );
if( group_list != NULL )
mbedtls_ssl_conf_groups( &(ep->conf), group_list );
mbedtls_ssl_conf_authmode( &( ep->conf ), MBEDTLS_SSL_VERIFY_REQUIRED );
#if defined(MBEDTLS_SSL_CACHE_C)
if( endpoint_type == MBEDTLS_SSL_IS_SERVER && options->cache != NULL )
{
mbedtls_ssl_conf_session_cache( &( ep->conf ), options->cache,
mbedtls_ssl_cache_get,
mbedtls_ssl_cache_set );
}
#endif
ret = mbedtls_ssl_setup( &( ep->ssl ), &( ep->conf ) );
TEST_ASSERT( ret == 0 );
#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
if( endpoint_type == MBEDTLS_SSL_IS_SERVER && dtls_context != NULL )
mbedtls_ssl_conf_dtls_cookies( &( ep->conf ), NULL, NULL, NULL );
#endif
ret = mbedtls_endpoint_certificate_init( ep, options->pk_alg,
options->opaque_alg,
options->opaque_alg2,
options->opaque_usage );
TEST_ASSERT( ret == 0 );
TEST_EQUAL( mbedtls_ssl_conf_get_user_data_n( &ep->conf ), user_data_n );
mbedtls_ssl_conf_set_user_data_p( &ep->conf, ep );
TEST_EQUAL( mbedtls_ssl_get_user_data_n( &ep->ssl ), user_data_n );
mbedtls_ssl_set_user_data_p( &ep->ssl, ep );
exit:
return ret;
}
/*
* Deinitializes certificates from endpoint represented by \p ep.
*/
void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep )
{
mbedtls_endpoint_certificate *cert = &( ep->cert );
mbedtls_x509_crt_free( &( cert->ca_cert ) );
mbedtls_x509_crt_free( &( cert->cert ) );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( mbedtls_pk_get_type( &( cert->pkey ) ) == MBEDTLS_PK_OPAQUE )
{
mbedtls_svc_key_id_t *key_slot = cert->pkey.pk_ctx;
psa_destroy_key( *key_slot );
}
#endif
mbedtls_pk_free( &( cert->pkey ) );
}
/*
* Deinitializes endpoint represented by \p ep.
*/
void mbedtls_endpoint_free( mbedtls_endpoint *ep,
mbedtls_test_message_socket_context *context )
{
mbedtls_endpoint_certificate_free( ep );
mbedtls_ssl_free( &( ep->ssl ) );
mbedtls_ssl_config_free( &( ep->conf ) );
mbedtls_ctr_drbg_free( &( ep->ctr_drbg ) );
mbedtls_entropy_free( &( ep->entropy ) );
if( context != NULL )
{
mbedtls_message_socket_close( context );
}
else
{
mbedtls_mock_socket_close( &( ep->socket ) );
}
}
/*
* This function moves ssl handshake from \p ssl to prescribed \p state.
* /p second_ssl is used as second endpoint and their sockets have to be
* connected before calling this function.
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_move_handshake_to_state( mbedtls_ssl_context *ssl,
mbedtls_ssl_context *second_ssl,
int state )
{
enum { BUFFSIZE = 1024 };
int max_steps = 1000;
int ret = 0;
if( ssl == NULL || second_ssl == NULL )
{
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
/* Perform communication via connected sockets */
while( ( ssl->state != state ) && ( --max_steps >= 0 ) )
{
/* If /p second_ssl ends the handshake procedure before /p ssl then
* there is no need to call the next step */
if( !mbedtls_ssl_is_handshake_over( second_ssl ) )
{
ret = mbedtls_ssl_handshake_step( second_ssl );
if( ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
return ret;
}
}
/* We only care about the \p ssl state and returns, so we call it last,
* to leave the iteration as soon as the state is as expected. */
ret = mbedtls_ssl_handshake_step( ssl );
if( ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE )
{
return ret;
}
}
return ( max_steps >= 0 ) ? ret : -1;
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
/*
* Write application data. Increase write counter if necessary.
*/
int mbedtls_ssl_write_fragment( mbedtls_ssl_context *ssl, unsigned char *buf,
int buf_len, int *written,
const int expected_fragments )
{
int ret = mbedtls_ssl_write( ssl, buf + *written, buf_len - *written );
if( ret > 0 )
{
*written += ret;
}
if( expected_fragments == 0 )
{
/* Used for DTLS and the message size larger than MFL. In that case
* the message can not be fragmented and the library should return
* MBEDTLS_ERR_SSL_BAD_INPUT_DATA error. This error must be returned
* to prevent a dead loop inside mbedtls_exchange_data(). */
return ret;
}
else if( expected_fragments == 1 )
{
/* Used for TLS/DTLS and the message size lower than MFL */
TEST_ASSERT( ret == buf_len ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
else
{
/* Used for TLS and the message size larger than MFL */
TEST_ASSERT( expected_fragments > 1 );
TEST_ASSERT( ( ret >= 0 && ret <= buf_len ) ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
return 0;
exit:
/* Some of the tests failed */
return -1;
}
/*
* Read application data and increase read counter and fragments counter if necessary.
*/
int mbedtls_ssl_read_fragment( mbedtls_ssl_context *ssl, unsigned char *buf,
int buf_len, int *read,
int *fragments, const int expected_fragments )
{
int ret = mbedtls_ssl_read( ssl, buf + *read, buf_len - *read );
if( ret > 0 )
{
( *fragments )++;
*read += ret;
}
if( expected_fragments == 0 )
{
TEST_ASSERT( ret == 0 );
}
else if( expected_fragments == 1 )
{
TEST_ASSERT( ret == buf_len ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
else
{
TEST_ASSERT( expected_fragments > 1 );
TEST_ASSERT( ( ret >= 0 && ret <= buf_len ) ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
return 0;
exit:
/* Some of the tests failed */
return -1;
}
/*
* Helper function setting up inverse record transformations
* using given cipher, hash, EtM mode, authentication tag length,
* and version.
*/
#define CHK( x ) \
do \
{ \
if( !( x ) ) \
{ \
ret = -1; \
goto cleanup; \
} \
} while( 0 )
void set_ciphersuite( mbedtls_ssl_config *conf, const char *cipher,
int* forced_ciphersuite )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
forced_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id( cipher );
forced_ciphersuite[1] = 0;
ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( forced_ciphersuite[0] );
TEST_ASSERT( ciphersuite_info != NULL );
TEST_ASSERT( ciphersuite_info->min_tls_version <= conf->max_tls_version );
TEST_ASSERT( ciphersuite_info->max_tls_version >= conf->min_tls_version );
if( conf->max_tls_version > ciphersuite_info->max_tls_version )
{
conf->max_tls_version = ciphersuite_info->max_tls_version;
}
if( conf->min_tls_version < ciphersuite_info->min_tls_version )
{
conf->min_tls_version = ciphersuite_info->min_tls_version;
}
mbedtls_ssl_conf_ciphersuites( conf, forced_ciphersuite );
exit:
return;
}
int psk_dummy_callback( void *p_info, mbedtls_ssl_context *ssl,
const unsigned char *name, size_t name_len )
{
(void) p_info;
(void) ssl;
(void) name;
(void) name_len;
return ( 0 );
}
#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_CIPHER_MODE_CBC) && defined(MBEDTLS_AES_C)
static int psa_cipher_encrypt_helper( mbedtls_ssl_transform *transform,
const unsigned char *iv, size_t iv_len,
const unsigned char *input, size_t ilen,
unsigned char *output, size_t *olen )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
size_t part_len;
status = psa_cipher_encrypt_setup( &cipher_op,
transform->psa_key_enc, transform->psa_alg );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
status = psa_cipher_set_iv( &cipher_op, iv, iv_len );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
status = psa_cipher_update( &cipher_op,
input, ilen, output, ilen, olen );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
status = psa_cipher_finish( &cipher_op,
output + *olen, ilen - *olen, &part_len );
if( status != PSA_SUCCESS )
return( psa_ssl_status_to_mbedtls( status ) );
*olen += part_len;
return( 0 );
#else
return mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
iv, iv_len, input, ilen, output, olen );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_CIPHER_MODE_CBC && MBEDTLS_AES_C */
static int build_transforms( mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
int cipher_type, int hash_id,
int etm, int tag_mode,
mbedtls_ssl_protocol_version tls_version,
size_t cid0_len,
size_t cid1_len )
{
mbedtls_cipher_info_t const *cipher_info;
int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
size_t key_bits;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#endif
size_t keylen, maclen, ivlen;
unsigned char *key0 = NULL, *key1 = NULL;
unsigned char *md0 = NULL, *md1 = NULL;
unsigned char iv_enc[16], iv_dec[16];
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
unsigned char cid0[ SSL_CID_LEN_MIN ];
unsigned char cid1[ SSL_CID_LEN_MIN ];
mbedtls_test_rnd_std_rand( NULL, cid0, sizeof( cid0 ) );
mbedtls_test_rnd_std_rand( NULL, cid1, sizeof( cid1 ) );
#else
((void) cid0_len);
((void) cid1_len);
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
maclen = 0;
/* Pick cipher */
cipher_info = mbedtls_cipher_info_from_type( cipher_type );
CHK( cipher_info != NULL );
CHK( cipher_info->iv_size <= 16 );
CHK( cipher_info->key_bitlen % 8 == 0 );
/* Pick keys */
keylen = cipher_info->key_bitlen / 8;
/* Allocate `keylen + 1` bytes to ensure that we get
* a non-NULL pointers from `mbedtls_calloc` even if
* `keylen == 0` in the case of the NULL cipher. */
CHK( ( key0 = mbedtls_calloc( 1, keylen + 1 ) ) != NULL );
CHK( ( key1 = mbedtls_calloc( 1, keylen + 1 ) ) != NULL );
memset( key0, 0x1, keylen );
memset( key1, 0x2, keylen );
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/* Setup cipher contexts */
CHK( mbedtls_cipher_setup( &t_in->cipher_ctx_enc, cipher_info ) == 0 );
CHK( mbedtls_cipher_setup( &t_in->cipher_ctx_dec, cipher_info ) == 0 );
CHK( mbedtls_cipher_setup( &t_out->cipher_ctx_enc, cipher_info ) == 0 );
CHK( mbedtls_cipher_setup( &t_out->cipher_ctx_dec, cipher_info ) == 0 );
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if( cipher_info->mode == MBEDTLS_MODE_CBC )
{
CHK( mbedtls_cipher_set_padding_mode( &t_in->cipher_ctx_enc,
MBEDTLS_PADDING_NONE ) == 0 );
CHK( mbedtls_cipher_set_padding_mode( &t_in->cipher_ctx_dec,
MBEDTLS_PADDING_NONE ) == 0 );
CHK( mbedtls_cipher_set_padding_mode( &t_out->cipher_ctx_enc,
MBEDTLS_PADDING_NONE ) == 0 );
CHK( mbedtls_cipher_set_padding_mode( &t_out->cipher_ctx_dec,
MBEDTLS_PADDING_NONE ) == 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */
CHK( mbedtls_cipher_setkey( &t_in->cipher_ctx_enc, key0,
keylen << 3, MBEDTLS_ENCRYPT ) == 0 );
CHK( mbedtls_cipher_setkey( &t_in->cipher_ctx_dec, key1,
keylen << 3, MBEDTLS_DECRYPT ) == 0 );
CHK( mbedtls_cipher_setkey( &t_out->cipher_ctx_enc, key1,
keylen << 3, MBEDTLS_ENCRYPT ) == 0 );
CHK( mbedtls_cipher_setkey( &t_out->cipher_ctx_dec, key0,
keylen << 3, MBEDTLS_DECRYPT ) == 0 );
#endif
/* Setup MAC contexts */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
if( cipher_info->mode == MBEDTLS_MODE_CBC ||
cipher_info->mode == MBEDTLS_MODE_STREAM )
{
mbedtls_md_info_t const *md_info;
/* Pick hash */
md_info = mbedtls_md_info_from_type( hash_id );
CHK( md_info != NULL );
/* Pick hash keys */
maclen = mbedtls_md_get_size( md_info );
CHK( ( md0 = mbedtls_calloc( 1, maclen ) ) != NULL );
CHK( ( md1 = mbedtls_calloc( 1, maclen ) ) != NULL );
memset( md0, 0x5, maclen );
memset( md1, 0x6, maclen );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = mbedtls_psa_translate_md( mbedtls_md_get_type( md_info ) );
CHK( alg != 0 );
t_out->psa_mac_alg = PSA_ALG_HMAC( alg );
t_in->psa_mac_alg = PSA_ALG_HMAC( alg );
t_in->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
t_out->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
t_in->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
t_out->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
psa_reset_key_attributes( &attributes );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_SIGN_MESSAGE );
psa_set_key_algorithm( &attributes, PSA_ALG_HMAC( alg ) );
psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
CHK( psa_import_key( &attributes,
md0, maclen,
&t_in->psa_mac_enc ) == PSA_SUCCESS );
CHK( psa_import_key( &attributes,
md1, maclen,
&t_out->psa_mac_enc ) == PSA_SUCCESS );
if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
etm == MBEDTLS_SSL_ETM_DISABLED )
/* mbedtls_ct_hmac() requires the key to be exportable */
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
PSA_KEY_USAGE_VERIFY_HASH );
else
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_VERIFY_HASH );
CHK( psa_import_key( &attributes,
md1, maclen,
&t_in->psa_mac_dec ) == PSA_SUCCESS );
CHK( psa_import_key( &attributes,
md0, maclen,
&t_out->psa_mac_dec ) == PSA_SUCCESS );
#else
CHK( mbedtls_md_setup( &t_out->md_ctx_enc, md_info, 1 ) == 0 );
CHK( mbedtls_md_setup( &t_out->md_ctx_dec, md_info, 1 ) == 0 );
CHK( mbedtls_md_setup( &t_in->md_ctx_enc, md_info, 1 ) == 0 );
CHK( mbedtls_md_setup( &t_in->md_ctx_dec, md_info, 1 ) == 0 );
CHK( mbedtls_md_hmac_starts( &t_in->md_ctx_enc,
md0, maclen ) == 0 );
CHK( mbedtls_md_hmac_starts( &t_in->md_ctx_dec,
md1, maclen ) == 0 );
CHK( mbedtls_md_hmac_starts( &t_out->md_ctx_enc,
md1, maclen ) == 0 );
CHK( mbedtls_md_hmac_starts( &t_out->md_ctx_dec,
md0, maclen ) == 0 );
#endif
}
#else
((void) hash_id);
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
/* Pick IV's (regardless of whether they
* are being used by the transform). */
ivlen = cipher_info->iv_size;
memset( iv_enc, 0x3, sizeof( iv_enc ) );
memset( iv_dec, 0x4, sizeof( iv_dec ) );
/*
* Setup transforms
*/
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
t_out->encrypt_then_mac = etm;
t_in->encrypt_then_mac = etm;
#else
((void) etm);
#endif
t_out->tls_version = tls_version;
t_in->tls_version = tls_version;
t_out->ivlen = ivlen;
t_in->ivlen = ivlen;
switch( cipher_info->mode )
{
case MBEDTLS_MODE_GCM:
case MBEDTLS_MODE_CCM:
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
t_out->fixed_ivlen = 12;
t_in->fixed_ivlen = 12;
}
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
{
t_out->fixed_ivlen = 4;
t_in->fixed_ivlen = 4;
}
t_out->maclen = 0;
t_in->maclen = 0;
switch( tag_mode )
{
case 0: /* Full tag */
t_out->taglen = 16;
t_in->taglen = 16;
break;
case 1: /* Partial tag */
t_out->taglen = 8;
t_in->taglen = 8;
break;
default:
ret = 1;
goto cleanup;
}
break;
case MBEDTLS_MODE_CHACHAPOLY:
t_out->fixed_ivlen = 12;
t_in->fixed_ivlen = 12;
t_out->maclen = 0;
t_in->maclen = 0;
switch( tag_mode )
{
case 0: /* Full tag */
t_out->taglen = 16;
t_in->taglen = 16;
break;
case 1: /* Partial tag */
t_out->taglen = 8;
t_in->taglen = 8;
break;
default:
ret = 1;
goto cleanup;
}
break;
case MBEDTLS_MODE_STREAM:
case MBEDTLS_MODE_CBC:
t_out->fixed_ivlen = 0; /* redundant, must be 0 */
t_in->fixed_ivlen = 0; /* redundant, must be 0 */
t_out->taglen = 0;
t_in->taglen = 0;
switch( tag_mode )
{
case 0: /* Full tag */
t_out->maclen = maclen;
t_in->maclen = maclen;
break;
default:
ret = 1;
goto cleanup;
}
break;
default:
ret = 1;
goto cleanup;
break;
}
/* Setup IV's */
memcpy( &t_in->iv_dec, iv_dec, sizeof( iv_dec ) );
memcpy( &t_in->iv_enc, iv_enc, sizeof( iv_enc ) );
memcpy( &t_out->iv_dec, iv_enc, sizeof( iv_enc ) );
memcpy( &t_out->iv_enc, iv_dec, sizeof( iv_dec ) );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
/* Add CID */
memcpy( &t_in->in_cid, cid0, cid0_len );
memcpy( &t_in->out_cid, cid1, cid1_len );
t_in->in_cid_len = cid0_len;
t_in->out_cid_len = cid1_len;
memcpy( &t_out->in_cid, cid1, cid1_len );
memcpy( &t_out->out_cid, cid0, cid0_len );
t_out->in_cid_len = cid1_len;
t_out->out_cid_len = cid0_len;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = mbedtls_ssl_cipher_to_psa( cipher_type,
t_in->taglen,
&alg,
&key_type,
&key_bits );
if ( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
goto cleanup;
}
t_in->psa_alg = alg;
t_out->psa_alg = alg;
if ( alg != MBEDTLS_SSL_NULL_CIPHER )
{
psa_reset_key_attributes( &attributes );
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_ENCRYPT );
psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, key_type );
status = psa_import_key( &attributes,
key0,
PSA_BITS_TO_BYTES( key_bits ),
&t_in->psa_key_enc );
if ( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
goto cleanup;
}
status = psa_import_key( &attributes,
key1,
PSA_BITS_TO_BYTES( key_bits ),
&t_out->psa_key_enc );
if ( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
goto cleanup;
}
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DECRYPT );
status = psa_import_key( &attributes,
key1,
PSA_BITS_TO_BYTES( key_bits ),
&t_in->psa_key_dec );
if ( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
goto cleanup;
}
status = psa_import_key( &attributes,
key0,
PSA_BITS_TO_BYTES( key_bits ),
&t_out->psa_key_dec );
if ( status != PSA_SUCCESS )
{
ret = psa_ssl_status_to_mbedtls( status );
goto cleanup;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
cleanup:
mbedtls_free( key0 );
mbedtls_free( key1 );
mbedtls_free( md0 );
mbedtls_free( md1 );
return( ret );
}
/*
* Populate a session structure for serialization tests.
* Choose dummy values, mostly non-0 to distinguish from the init default.
*/
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
static int ssl_populate_session_tls12( mbedtls_ssl_session *session,
int ticket_len,
const char *crt_file )
{
#if defined(MBEDTLS_HAVE_TIME)
session->start = mbedtls_time( NULL ) - 42;
#endif
session->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
session->ciphersuite = 0xabcd;
session->compression = 1;
session->id_len = sizeof( session->id );
memset( session->id, 66, session->id_len );
memset( session->master, 17, sizeof( session->master ) );
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_FS_IO)
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
if( crt_file != NULL && strlen( crt_file ) != 0 )
{
mbedtls_x509_crt tmp_crt;
int ret;
mbedtls_x509_crt_init( &tmp_crt );
ret = mbedtls_x509_crt_parse_file( &tmp_crt, crt_file );
if( ret != 0 )
return( ret );
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* Move temporary CRT. */
session->peer_cert = mbedtls_calloc( 1, sizeof( *session->peer_cert ) );
if( session->peer_cert == NULL )
return( -1 );
*session->peer_cert = tmp_crt;
memset( &tmp_crt, 0, sizeof( tmp_crt ) );
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/* Calculate digest of temporary CRT. */
session->peer_cert_digest =
mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
if( session->peer_cert_digest == NULL )
return( -1 );
ret = mbedtls_md( mbedtls_md_info_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
tmp_crt.raw.p, tmp_crt.raw.len,
session->peer_cert_digest );
if( ret != 0 )
return( ret );
session->peer_cert_digest_type =
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
session->peer_cert_digest_len =
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
mbedtls_x509_crt_free( &tmp_crt );
}
#else /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO */
(void) crt_file;
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_FS_IO */
session->verify_result = 0xdeadbeef;
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
if( ticket_len != 0 )
{
session->ticket = mbedtls_calloc( 1, ticket_len );
if( session->ticket == NULL )
return( -1 );
memset( session->ticket, 33, ticket_len );
}
session->ticket_len = ticket_len;
session->ticket_lifetime = 86401;
#else
(void) ticket_len;
#endif
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
session->mfl_code = 1;
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
session->encrypt_then_mac = 1;
#endif
return( 0 );
}
/*
* Perform data exchanging between \p ssl_1 and \p ssl_2 and check if the
* message was sent in the correct number of fragments.
*
* /p ssl_1 and /p ssl_2 Endpoints represented by mbedtls_ssl_context. Both
* of them must be initialized and connected beforehand.
* /p msg_len_1 and /p msg_len_2 specify the size of the message to send.
* /p expected_fragments_1 and /p expected_fragments_2 determine in how many
* fragments the message should be sent.
* expected_fragments is 0: can be used for DTLS testing while the message
* size is larger than MFL. In that case the message
* cannot be fragmented and sent to the second endpoint.
* This value can be used for negative tests.
* expected_fragments is 1: can be used for TLS/DTLS testing while the
* message size is below MFL
* expected_fragments > 1: can be used for TLS testing while the message
* size is larger than MFL
*
* \retval 0 on success, otherwise error code.
*/
int mbedtls_exchange_data( mbedtls_ssl_context *ssl_1,
int msg_len_1, const int expected_fragments_1,
mbedtls_ssl_context *ssl_2,
int msg_len_2, const int expected_fragments_2 )
{
unsigned char *msg_buf_1 = malloc( msg_len_1 );
unsigned char *msg_buf_2 = malloc( msg_len_2 );
unsigned char *in_buf_1 = malloc( msg_len_2 );
unsigned char *in_buf_2 = malloc( msg_len_1 );
int msg_type, ret = -1;
/* Perform this test with two message types. At first use a message
* consisting of only 0x00 for the client and only 0xFF for the server.
* At the second time use message with generated data */
for( msg_type = 0; msg_type < 2; msg_type++ )
{
int written_1 = 0;
int written_2 = 0;
int read_1 = 0;
int read_2 = 0;
int fragments_1 = 0;
int fragments_2 = 0;
if( msg_type == 0 )
{
memset( msg_buf_1, 0x00, msg_len_1 );
memset( msg_buf_2, 0xff, msg_len_2 );
}
else
{
int i, j = 0;
for( i = 0; i < msg_len_1; i++ )
{
msg_buf_1[i] = j++ & 0xFF;
}
for( i = 0; i < msg_len_2; i++ )
{
msg_buf_2[i] = ( j -= 5 ) & 0xFF;
}
}
while( read_1 < msg_len_2 || read_2 < msg_len_1 )
{
/* ssl_1 sending */
if( msg_len_1 > written_1 )
{
ret = mbedtls_ssl_write_fragment( ssl_1, msg_buf_1,
msg_len_1, &written_1,
expected_fragments_1 );
if( expected_fragments_1 == 0 )
{
/* This error is expected when the message is too large and
* cannot be fragmented */
TEST_ASSERT( ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
msg_len_1 = 0;
}
else
{
TEST_ASSERT( ret == 0 );
}
}
/* ssl_2 sending */
if( msg_len_2 > written_2 )
{
ret = mbedtls_ssl_write_fragment( ssl_2, msg_buf_2,
msg_len_2, &written_2,
expected_fragments_2 );
if( expected_fragments_2 == 0 )
{
/* This error is expected when the message is too large and
* cannot be fragmented */
TEST_ASSERT( ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
msg_len_2 = 0;
}
else
{
TEST_ASSERT( ret == 0 );
}
}
/* ssl_1 reading */
if( read_1 < msg_len_2 )
{
ret = mbedtls_ssl_read_fragment( ssl_1, in_buf_1,
msg_len_2, &read_1,
&fragments_2,
expected_fragments_2 );
TEST_ASSERT( ret == 0 );
}
/* ssl_2 reading */
if( read_2 < msg_len_1 )
{
ret = mbedtls_ssl_read_fragment( ssl_2, in_buf_2,
msg_len_1, &read_2,
&fragments_1,
expected_fragments_1 );
TEST_ASSERT( ret == 0 );
}
}
ret = -1;
TEST_ASSERT( 0 == memcmp( msg_buf_1, in_buf_2, msg_len_1 ) );
TEST_ASSERT( 0 == memcmp( msg_buf_2, in_buf_1, msg_len_2 ) );
TEST_ASSERT( fragments_1 == expected_fragments_1 );
TEST_ASSERT( fragments_2 == expected_fragments_2 );
}
ret = 0;
exit:
free( msg_buf_1 );
free( in_buf_1 );
free( msg_buf_2 );
free( in_buf_2 );
return ret;
}
/*
* Perform data exchanging between \p ssl_1 and \p ssl_2. Both of endpoints
* must be initialized and connected beforehand.
*
* \retval 0 on success, otherwise error code.
*/
int exchange_data( mbedtls_ssl_context *ssl_1,
mbedtls_ssl_context *ssl_2 )
{
return mbedtls_exchange_data( ssl_1, 256, 1,
ssl_2, 256, 1 );
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
static int check_ssl_version( mbedtls_ssl_protocol_version expected_negotiated_version,
const mbedtls_ssl_context *ssl )
{
const char *version_string = mbedtls_ssl_get_version( ssl );
mbedtls_ssl_protocol_version version_number =
mbedtls_ssl_get_version_number( ssl );
TEST_EQUAL( ssl->tls_version, expected_negotiated_version );
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
TEST_EQUAL( version_string[0], 'D' );
++version_string;
}
switch( expected_negotiated_version )
{
case MBEDTLS_SSL_VERSION_TLS1_2:
TEST_EQUAL( version_number, MBEDTLS_SSL_VERSION_TLS1_2 );
TEST_ASSERT( strcmp( version_string, "TLSv1.2" ) == 0 );
break;
case MBEDTLS_SSL_VERSION_TLS1_3:
TEST_EQUAL( version_number, MBEDTLS_SSL_VERSION_TLS1_3 );
TEST_ASSERT( strcmp( version_string, "TLSv1.3" ) == 0 );
break;
default:
TEST_ASSERT( ! "Version check not implemented for this protocol version" );
}
return( 1 );
exit:
return( 0 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_CTR_DRBG_C)
void perform_handshake( handshake_test_options* options )
{
/* forced_ciphersuite needs to last until the end of the handshake */
int forced_ciphersuite[2];
enum { BUFFSIZE = 17000 };
mbedtls_endpoint client, server;
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
const char *psk_identity = "foo";
#endif
#if defined(MBEDTLS_TIMING_C)
mbedtls_timing_delay_context timer_client, timer_server;
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
unsigned char *context_buf = NULL;
size_t context_buf_len;
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
int ret = -1;
#endif
int expected_handshake_result = options->expected_handshake_result;
USE_PSA_INIT( );
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
/* Client side */
if( options->dtls != 0 )
{
TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
options, &client_context,
&client_queue,
&server_queue, NULL ) == 0 );
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb( &client.ssl, &timer_client,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif
}
else
{
TEST_ASSERT( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
options, NULL, NULL,
NULL, NULL ) == 0 );
}
if( options->client_min_version != MBEDTLS_SSL_VERSION_UNKNOWN )
{
mbedtls_ssl_conf_min_tls_version( &client.conf,
options->client_min_version );
}
if( options->client_max_version != MBEDTLS_SSL_VERSION_UNKNOWN )
{
mbedtls_ssl_conf_max_tls_version( &client.conf,
options->client_max_version );
}
if( strlen( options->cipher ) > 0 )
{
set_ciphersuite( &client.conf, options->cipher, forced_ciphersuite );
}
#if defined (MBEDTLS_DEBUG_C)
if( options->cli_log_fun )
{
mbedtls_debug_set_threshold( 4 );
mbedtls_ssl_conf_dbg( &client.conf, options->cli_log_fun,
options->cli_log_obj );
}
#endif
/* Server side */
if( options->dtls != 0 )
{
TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
options, &server_context,
&server_queue,
&client_queue, NULL ) == 0 );
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif
}
else
{
TEST_ASSERT( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
options, NULL, NULL, NULL,
NULL ) == 0 );
}
mbedtls_ssl_conf_authmode( &server.conf, options->srv_auth_mode );
if( options->server_min_version != MBEDTLS_SSL_VERSION_UNKNOWN )
{
mbedtls_ssl_conf_min_tls_version( &server.conf,
options->server_min_version );
}
if( options->server_max_version != MBEDTLS_SSL_VERSION_UNKNOWN )
{
mbedtls_ssl_conf_max_tls_version( &server.conf,
options->server_max_version );
}
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
TEST_ASSERT( mbedtls_ssl_conf_max_frag_len( &(server.conf),
(unsigned char) options->mfl ) == 0 );
TEST_ASSERT( mbedtls_ssl_conf_max_frag_len( &(client.conf),
(unsigned char) options->mfl ) == 0 );
#else
TEST_ASSERT( MBEDTLS_SSL_MAX_FRAG_LEN_NONE == options->mfl );
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( options->psk_str != NULL && options->psk_str->len > 0 )
{
TEST_ASSERT( mbedtls_ssl_conf_psk( &client.conf, options->psk_str->x,
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen( psk_identity ) ) == 0 );
TEST_ASSERT( mbedtls_ssl_conf_psk( &server.conf, options->psk_str->x,
options->psk_str->len,
(const unsigned char *) psk_identity,
strlen( psk_identity ) ) == 0 );
mbedtls_ssl_conf_psk_cb( &server.conf, psk_dummy_callback, NULL );
}
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( options->renegotiate )
{
mbedtls_ssl_conf_renegotiation( &(server.conf),
MBEDTLS_SSL_RENEGOTIATION_ENABLED );
mbedtls_ssl_conf_renegotiation( &(client.conf),
MBEDTLS_SSL_RENEGOTIATION_ENABLED );
mbedtls_ssl_conf_legacy_renegotiation( &(server.conf),
options->legacy_renegotiation );
mbedtls_ssl_conf_legacy_renegotiation( &(client.conf),
options->legacy_renegotiation );
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
#if defined (MBEDTLS_DEBUG_C)
if( options->srv_log_fun )
{
mbedtls_debug_set_threshold( 4 );
mbedtls_ssl_conf_dbg( &server.conf, options->srv_log_fun,
options->srv_log_obj );
}
#endif
TEST_ASSERT( mbedtls_mock_socket_connect( &(client.socket),
&(server.socket),
BUFFSIZE ) == 0 );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( client.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( client.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
TEST_ASSERT( server.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( server.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
if( options->expected_negotiated_version == MBEDTLS_SSL_VERSION_UNKNOWN )
{
expected_handshake_result = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
}
TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl),
&(server.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER )
== expected_handshake_result );
if( expected_handshake_result != 0 )
{
/* Connection will have failed by this point, skip to cleanup */
goto exit;
}
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &client.ssl ) == 1 );
/* Make sure server state is moved to HANDSHAKE_OVER also. */
TEST_EQUAL( mbedtls_move_handshake_to_state( &(server.ssl),
&(client.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER ), 0 );
TEST_ASSERT( mbedtls_ssl_is_handshake_over( &server.ssl ) == 1 );
/* Check that both sides have negotiated the expected version. */
mbedtls_test_set_step( 0 );
if( ! check_ssl_version( options->expected_negotiated_version,
&client.ssl ) )
goto exit;
mbedtls_test_set_step( 1 );
if( ! check_ssl_version( options->expected_negotiated_version,
&server.ssl ) )
goto exit;
if( options->expected_ciphersuite != 0 )
{
TEST_EQUAL( server.ssl.session->ciphersuite,
options->expected_ciphersuite );
}
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* A server, when using DTLS, might delay a buffer resize to happen
* after it receives a message, so we force it. */
TEST_ASSERT( exchange_data( &(client.ssl), &(server.ssl) ) == 0 );
TEST_ASSERT( client.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &client.ssl ) );
TEST_ASSERT( client.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &client.ssl ) );
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
#endif
if( options->cli_msg_len != 0 || options->srv_msg_len != 0 )
{
/* Start data exchanging test */
TEST_ASSERT( mbedtls_exchange_data( &(client.ssl), options->cli_msg_len,
options->expected_cli_fragments,
&(server.ssl), options->srv_msg_len,
options->expected_srv_fragments )
== 0 );
}
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( options->serialize == 1 )
{
TEST_ASSERT( options->dtls == 1 );
TEST_ASSERT( mbedtls_ssl_context_save( &(server.ssl), NULL,
0, &context_buf_len )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
context_buf = mbedtls_calloc( 1, context_buf_len );
TEST_ASSERT( context_buf != NULL );
TEST_ASSERT( mbedtls_ssl_context_save( &(server.ssl), context_buf,
context_buf_len,
&context_buf_len ) == 0 );
mbedtls_ssl_free( &(server.ssl) );
mbedtls_ssl_init( &(server.ssl) );
TEST_ASSERT( mbedtls_ssl_setup( &(server.ssl), &(server.conf) ) == 0 );
mbedtls_ssl_set_bio( &( server.ssl ), &server_context,
mbedtls_mock_tcp_send_msg,
mbedtls_mock_tcp_recv_msg,
NULL );
mbedtls_ssl_set_user_data_p( &server.ssl, &server );
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( server.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( server.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
TEST_ASSERT( mbedtls_ssl_context_load( &( server.ssl ), context_buf,
context_buf_len ) == 0 );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* Validate buffer sizes after context deserialization */
if( options->resize_buffers != 0 )
{
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
#endif
/* Retest writing/reading */
if( options->cli_msg_len != 0 || options->srv_msg_len != 0 )
{
TEST_ASSERT( mbedtls_exchange_data( &(client.ssl),
options->cli_msg_len,
options->expected_cli_fragments,
&(server.ssl),
options->srv_msg_len,
options->expected_srv_fragments )
== 0 );
}
}
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( options->renegotiate )
{
/* Start test with renegotiation */
TEST_ASSERT( server.ssl.renego_status ==
MBEDTLS_SSL_INITIAL_HANDSHAKE );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_INITIAL_HANDSHAKE );
/* After calling this function for the server, it only sends a handshake
* request. All renegotiation should happen during data exchanging */
TEST_ASSERT( mbedtls_ssl_renegotiate( &(server.ssl) ) == 0 );
TEST_ASSERT( server.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_PENDING );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_INITIAL_HANDSHAKE );
TEST_ASSERT( exchange_data( &(client.ssl), &(server.ssl) ) == 0 );
TEST_ASSERT( server.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
/* After calling mbedtls_ssl_renegotiate for the client all renegotiation
* should happen inside this function. However in this test, we cannot
* perform simultaneous communication between client and server so this
* function will return waiting error on the socket. All rest of
* renegotiation should happen during data exchanging */
ret = mbedtls_ssl_renegotiate( &(client.ssl) );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( client.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( client.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
TEST_ASSERT( ret == 0 ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( server.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS );
TEST_ASSERT( exchange_data( &(client.ssl), &(server.ssl) ) == 0 );
TEST_ASSERT( server.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* Validate buffer sizes after renegotiation */
if( options->resize_buffers != 0 )
{
TEST_ASSERT( client.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &client.ssl ) );
TEST_ASSERT( client.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &client.ssl ) );
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
TEST_ASSERT( mbedtls_ssl_conf_get_user_data_p( &client.conf ) == &client );
TEST_ASSERT( mbedtls_ssl_get_user_data_p( &client.ssl ) == &client );
TEST_ASSERT( mbedtls_ssl_conf_get_user_data_p( &server.conf ) == &server );
TEST_ASSERT( mbedtls_ssl_get_user_data_p( &server.ssl ) == &server );
exit:
mbedtls_endpoint_free( &client, options->dtls != 0 ? &client_context : NULL );
mbedtls_endpoint_free( &server, options->dtls != 0 ? &server_context : NULL );
#if defined (MBEDTLS_DEBUG_C)
if( options->cli_log_fun || options->srv_log_fun )
{
mbedtls_debug_set_threshold( 0 );
}
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( context_buf != NULL )
mbedtls_free( context_buf );
#endif
USE_PSA_DONE( );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
2014-09-24 11:13:44 +02:00
/* END_HEADER */
/* BEGIN_DEPENDENCIES
* depends_on:MBEDTLS_SSL_TLS_C
2014-09-24 11:13:44 +02:00
* END_DEPENDENCIES
*/
/* BEGIN_CASE */
void test_callback_buffer_sanity()
{
enum { MSGLEN = 10 };
mbedtls_test_buffer buf;
unsigned char input[MSGLEN];
unsigned char output[MSGLEN];
memset( input, 0, sizeof(input) );
/* Make sure calling put and get on NULL buffer results in error. */
TEST_ASSERT( mbedtls_test_buffer_put( NULL, input, sizeof( input ) )
== -1 );
TEST_ASSERT( mbedtls_test_buffer_get( NULL, output, sizeof( output ) )
== -1 );
TEST_ASSERT( mbedtls_test_buffer_put( NULL, NULL, sizeof( input ) ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_put( NULL, NULL, 0 ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( NULL, NULL, 0 ) == -1 );
/* Make sure calling put and get on a buffer that hasn't been set up results
* in error. */
mbedtls_test_buffer_init( &buf );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, input, sizeof( input ) ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, output, sizeof( output ) )
== -1 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, sizeof( input ) ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, 0 ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, 0 ) == -1 );
/* Make sure calling put and get on NULL input only results in
* error if the length is not zero, and that a NULL output is valid for data
* dropping.
*/
TEST_ASSERT( mbedtls_test_buffer_setup( &buf, sizeof( input ) ) == 0 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, sizeof( input ) ) == -1 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, sizeof( output ) )
== 0 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, NULL, 0 ) == 0 );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, NULL, 0 ) == 0 );
/* Make sure calling put several times in the row is safe */
TEST_ASSERT( mbedtls_test_buffer_put( &buf, input, sizeof( input ) )
== sizeof( input ) );
TEST_ASSERT( mbedtls_test_buffer_get( &buf, output, 2 ) == 2 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, input, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, input, 2 ) == 1 );
TEST_ASSERT( mbedtls_test_buffer_put( &buf, input, 2 ) == 0 );
exit:
mbedtls_test_buffer_free( &buf );
}
/* END_CASE */
/*
* Test if the implementation of `mbedtls_test_buffer` related functions is
* correct and works as expected.
*
* That is
* - If we try to put in \p put1 bytes then we can put in \p put1_ret bytes.
* - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
* - Next, if we try to put in \p put1 bytes then we can put in \p put1_ret
* bytes.
* - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
* - All of the bytes we got match the bytes we put in in a FIFO manner.
*/
/* BEGIN_CASE */
void test_callback_buffer( int size, int put1, int put1_ret,
int get1, int get1_ret, int put2, int put2_ret,
int get2, int get2_ret )
{
enum { ROUNDS = 2 };
size_t put[ROUNDS];
int put_ret[ROUNDS];
size_t get[ROUNDS];
int get_ret[ROUNDS];
mbedtls_test_buffer buf;
unsigned char* input = NULL;
size_t input_len;
unsigned char* output = NULL;
size_t output_len;
size_t i, j, written, read;
mbedtls_test_buffer_init( &buf );
TEST_ASSERT( mbedtls_test_buffer_setup( &buf, size ) == 0 );
/* Check the sanity of input parameters and initialise local variables. That
* is, ensure that the amount of data is not negative and that we are not
* expecting more to put or get than we actually asked for. */
TEST_ASSERT( put1 >= 0 );
put[0] = put1;
put_ret[0] = put1_ret;
TEST_ASSERT( put1_ret <= put1 );
TEST_ASSERT( put2 >= 0 );
put[1] = put2;
put_ret[1] = put2_ret;
TEST_ASSERT( put2_ret <= put2 );
TEST_ASSERT( get1 >= 0 );
get[0] = get1;
get_ret[0] = get1_ret;
TEST_ASSERT( get1_ret <= get1 );
TEST_ASSERT( get2 >= 0 );
get[1] = get2;
get_ret[1] = get2_ret;
TEST_ASSERT( get2_ret <= get2 );
input_len = 0;
/* Calculate actual input and output lengths */
for( j = 0; j < ROUNDS; j++ )
{
if( put_ret[j] > 0 )
{
input_len += put_ret[j];
}
}
/* In order to always have a valid pointer we always allocate at least 1
* byte. */
if( input_len == 0 )
input_len = 1;
ASSERT_ALLOC( input, input_len );
output_len = 0;
for( j = 0; j < ROUNDS; j++ )
{
if( get_ret[j] > 0 )
{
output_len += get_ret[j];
}
}
TEST_ASSERT( output_len <= input_len );
/* In order to always have a valid pointer we always allocate at least 1
* byte. */
if( output_len == 0 )
output_len = 1;
ASSERT_ALLOC( output, output_len );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < input_len; i++ )
{
input[i] = i & 0xFF;
}
written = read = 0;
for( j = 0; j < ROUNDS; j++ )
{
TEST_ASSERT( put_ret[j] == mbedtls_test_buffer_put( &buf,
input + written, put[j] ) );
written += put_ret[j];
TEST_ASSERT( get_ret[j] == mbedtls_test_buffer_get( &buf,
output + read, get[j] ) );
read += get_ret[j];
TEST_ASSERT( read <= written );
if( get_ret[j] > 0 )
{
TEST_ASSERT( memcmp( output + read - get_ret[j],
input + read - get_ret[j], get_ret[j] )
== 0 );
}
}
exit:
mbedtls_free( input );
mbedtls_free( output );
mbedtls_test_buffer_free( &buf );
}
/* END_CASE */
/*
* Test if the implementation of `mbedtls_mock_socket` related I/O functions is
* correct and works as expected on unconnected sockets.
*/
/* BEGIN_CASE */
void ssl_mock_sanity( )
{
enum { MSGLEN = 105 };
unsigned char message[MSGLEN] = { 0 };
unsigned char received[MSGLEN] = { 0 };
mbedtls_mock_socket socket;
mbedtls_mock_socket_init( &socket );
TEST_ASSERT( mbedtls_mock_tcp_send_b( &socket, message, MSGLEN ) < 0 );
mbedtls_mock_socket_close( &socket );
mbedtls_mock_socket_init( &socket );
TEST_ASSERT( mbedtls_mock_tcp_recv_b( &socket, received, MSGLEN ) < 0 );
mbedtls_mock_socket_close( &socket );
mbedtls_mock_socket_init( &socket );
TEST_ASSERT( mbedtls_mock_tcp_send_nb( &socket, message, MSGLEN ) < 0 );
mbedtls_mock_socket_close( &socket );
mbedtls_mock_socket_init( &socket );
TEST_ASSERT( mbedtls_mock_tcp_recv_nb( &socket, received, MSGLEN ) < 0 );
mbedtls_mock_socket_close( &socket );
exit:
mbedtls_mock_socket_close( &socket );
}
/* END_CASE */
/*
* Test if the implementation of `mbedtls_mock_socket` related functions can
* send a single message from the client to the server.
*/
/* BEGIN_CASE */
void ssl_mock_tcp( int blocking )
{
enum { MSGLEN = 105 };
enum { BUFLEN = MSGLEN / 5 };
unsigned char message[MSGLEN];
unsigned char received[MSGLEN];
mbedtls_mock_socket client;
mbedtls_mock_socket server;
size_t written, read;
int send_ret, recv_ret;
mbedtls_ssl_send_t *send;
mbedtls_ssl_recv_t *recv;
unsigned i;
if( blocking == 0 )
{
send = mbedtls_mock_tcp_send_nb;
recv = mbedtls_mock_tcp_recv_nb;
}
else
{
send = mbedtls_mock_tcp_send_b;
recv = mbedtls_mock_tcp_recv_b;
}
mbedtls_mock_socket_init( &client );
mbedtls_mock_socket_init( &server );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
/* Make sure that sending a message takes a few iterations. */
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server, BUFLEN ) );
/* Send the message to the server */
send_ret = recv_ret = 1;
written = read = 0;
while( send_ret != 0 || recv_ret != 0 )
{
send_ret = send( &client, message + written, MSGLEN - written );
TEST_ASSERT( send_ret >= 0 );
TEST_ASSERT( send_ret <= BUFLEN );
written += send_ret;
/* If the buffer is full we can test blocking and non-blocking send */
if ( send_ret == BUFLEN )
{
int blocking_ret = send( &client, message , 1 );
if ( blocking )
{
TEST_ASSERT( blocking_ret == 0 );
}
else
{
TEST_ASSERT( blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
}
recv_ret = recv( &server, received + read, MSGLEN - read );
/* The result depends on whether any data was sent */
if ( send_ret > 0 )
{
TEST_ASSERT( recv_ret > 0 );
TEST_ASSERT( recv_ret <= BUFLEN );
read += recv_ret;
}
else if( blocking )
{
TEST_ASSERT( recv_ret == 0 );
}
else
{
TEST_ASSERT( recv_ret == MBEDTLS_ERR_SSL_WANT_READ );
recv_ret = 0;
}
/* If the buffer is empty we can test blocking and non-blocking read */
if ( recv_ret == BUFLEN )
{
int blocking_ret = recv( &server, received, 1 );
if ( blocking )
{
TEST_ASSERT( blocking_ret == 0 );
}
else
{
TEST_ASSERT( blocking_ret == MBEDTLS_ERR_SSL_WANT_READ );
}
}
}
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
exit:
mbedtls_mock_socket_close( &client );
mbedtls_mock_socket_close( &server );
}
/* END_CASE */
/*
* Test if the implementation of `mbedtls_mock_socket` related functions can
* send messages in both direction at the same time (with the I/O calls
* interleaving).
*/
/* BEGIN_CASE */
void ssl_mock_tcp_interleaving( int blocking )
{
enum { ROUNDS = 2 };
enum { MSGLEN = 105 };
enum { BUFLEN = MSGLEN / 5 };
unsigned char message[ROUNDS][MSGLEN];
unsigned char received[ROUNDS][MSGLEN];
mbedtls_mock_socket client;
mbedtls_mock_socket server;
size_t written[ROUNDS];
size_t read[ROUNDS];
int send_ret[ROUNDS];
int recv_ret[ROUNDS];
unsigned i, j, progress;
mbedtls_ssl_send_t *send;
mbedtls_ssl_recv_t *recv;
if( blocking == 0 )
{
send = mbedtls_mock_tcp_send_nb;
recv = mbedtls_mock_tcp_recv_nb;
}
else
{
send = mbedtls_mock_tcp_send_b;
recv = mbedtls_mock_tcp_recv_b;
}
mbedtls_mock_socket_init( &client );
mbedtls_mock_socket_init( &server );
/* Fill up the buffers with structured data so that unwanted changes
* can be detected */
for( i = 0; i < ROUNDS; i++ )
{
for( j = 0; j < MSGLEN; j++ )
{
message[i][j] = ( i * MSGLEN + j ) & 0xFF;
}
}
/* Make sure that sending a message takes a few iterations. */
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server, BUFLEN ) );
/* Send the message from both sides, interleaving. */
progress = 1;
for( i = 0; i < ROUNDS; i++ )
{
written[i] = 0;
read[i] = 0;
}
/* This loop does not stop as long as there was a successful write or read
* of at least one byte on either side. */
while( progress != 0 )
{
mbedtls_mock_socket *socket;
for( i = 0; i < ROUNDS; i++ )
{
/* First sending is from the client */
socket = ( i % 2 == 0 ) ? ( &client ) : ( &server );
send_ret[i] = send( socket, message[i] + written[i],
MSGLEN - written[i] );
TEST_ASSERT( send_ret[i] >= 0 );
TEST_ASSERT( send_ret[i] <= BUFLEN );
written[i] += send_ret[i];
/* If the buffer is full we can test blocking and non-blocking
* send */
if ( send_ret[i] == BUFLEN )
{
int blocking_ret = send( socket, message[i] , 1 );
if ( blocking )
{
TEST_ASSERT( blocking_ret == 0 );
}
else
{
TEST_ASSERT( blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE );
}
}
}
for( i = 0; i < ROUNDS; i++ )
{
/* First receiving is from the server */
socket = ( i % 2 == 0 ) ? ( &server ) : ( &client );
recv_ret[i] = recv( socket, received[i] + read[i],
MSGLEN - read[i] );
/* The result depends on whether any data was sent */
if ( send_ret[i] > 0 )
{
TEST_ASSERT( recv_ret[i] > 0 );
TEST_ASSERT( recv_ret[i] <= BUFLEN );
read[i] += recv_ret[i];
}
else if( blocking )
{
TEST_ASSERT( recv_ret[i] == 0 );
}
else
{
TEST_ASSERT( recv_ret[i] == MBEDTLS_ERR_SSL_WANT_READ );
recv_ret[i] = 0;
}
/* If the buffer is empty we can test blocking and non-blocking
* read */
if ( recv_ret[i] == BUFLEN )
{
int blocking_ret = recv( socket, received[i], 1 );
if ( blocking )
{
TEST_ASSERT( blocking_ret == 0 );
}
else
{
TEST_ASSERT( blocking_ret == MBEDTLS_ERR_SSL_WANT_READ );
}
}
}
progress = 0;
for( i = 0; i < ROUNDS; i++ )
{
progress += send_ret[i] + recv_ret[i];
}
}
for( i = 0; i < ROUNDS; i++ )
TEST_ASSERT( memcmp( message[i], received[i], MSGLEN ) == 0 );
exit:
mbedtls_mock_socket_close( &client );
mbedtls_mock_socket_close( &server );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_sanity( )
{
mbedtls_test_message_queue queue;
/* Trying to push/pull to an empty queue */
TEST_ASSERT( mbedtls_test_message_queue_push_info( NULL, 1 )
== MBEDTLS_TEST_ERROR_ARG_NULL );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( NULL, 1 )
== MBEDTLS_TEST_ERROR_ARG_NULL );
TEST_ASSERT( mbedtls_test_message_queue_setup( &queue, 3 ) == 0 );
TEST_ASSERT( queue.capacity == 3 );
TEST_ASSERT( queue.num == 0 );
exit:
mbedtls_test_message_queue_free( &queue );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_basic( )
{
mbedtls_test_message_queue queue;
TEST_ASSERT( mbedtls_test_message_queue_setup( &queue, 3 ) == 0 );
/* Sanity test - 3 pushes and 3 pops with sufficient space */
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( queue.capacity == 3 );
TEST_ASSERT( queue.num == 1 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( queue.capacity == 3 );
TEST_ASSERT( queue.num == 2 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
TEST_ASSERT( queue.capacity == 3 );
TEST_ASSERT( queue.num == 3 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
exit:
mbedtls_test_message_queue_free( &queue );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_overflow_underflow( )
{
mbedtls_test_message_queue queue;
TEST_ASSERT( mbedtls_test_message_queue_setup( &queue, 3 ) == 0 );
/* 4 pushes (last one with an error), 4 pops (last one with an error) */
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 3 )
== MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 )
== MBEDTLS_ERR_SSL_WANT_READ );
exit:
mbedtls_test_message_queue_free( &queue );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_interleaved( )
{
mbedtls_test_message_queue queue;
TEST_ASSERT( mbedtls_test_message_queue_setup( &queue, 3 ) == 0 );
/* Interleaved test - [2 pushes, 1 pop] twice, and then two pops
* (to wrap around the buffer) */
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 2 ) == 2 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 3 ) == 3 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 1 ) == 1 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 2 ) == 2 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 5 ) == 5 );
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, 8 ) == 8 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 3 ) == 3 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 5 ) == 5 );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, 8 ) == 8 );
exit:
mbedtls_test_message_queue_free( &queue );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_queue_insufficient_buffer( )
{
mbedtls_test_message_queue queue;
size_t message_len = 10;
size_t buffer_len = 5;
TEST_ASSERT( mbedtls_test_message_queue_setup( &queue, 1 ) == 0 );
/* Popping without a sufficient buffer */
TEST_ASSERT( mbedtls_test_message_queue_push_info( &queue, message_len )
== (int) message_len );
TEST_ASSERT( mbedtls_test_message_queue_pop_info( &queue, buffer_len )
== (int) buffer_len );
exit:
mbedtls_test_message_queue_free( &queue );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_uninitialized( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN] = {0}, received[MSGLEN];
mbedtls_mock_socket client, server;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
/* Send with a NULL context */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( NULL, message, MSGLEN )
== MBEDTLS_TEST_ERROR_CONTEXT_ERROR );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( NULL, message, MSGLEN )
== MBEDTLS_TEST_ERROR_CONTEXT_ERROR );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
&client,
&client_context ) == 0 );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message, MSGLEN )
== MBEDTLS_TEST_ERROR_SEND_FAILED );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_ERR_SSL_WANT_READ );
/* Push directly to a queue to later simulate a disconnected behavior */
TEST_ASSERT( mbedtls_test_message_queue_push_info( &server_queue, MSGLEN )
== MSGLEN );
/* Test if there's an error when trying to read from a disconnected
* socket */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_TEST_ERROR_RECV_FAILED );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_basic( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN ) );
/* Send the message to the server */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
/* Read from the server */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, MSGLEN );
/* Send the message to the client */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
MSGLEN ) == MSGLEN );
/* Read from the client */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received, MSGLEN )
== MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_queue_overflow_underflow( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN*2 ) );
/* Send three message to the server, last one with an error */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN - 1 ) == MSGLEN - 1 );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN )
== MBEDTLS_ERR_SSL_WANT_WRITE );
/* Read three messages from the server, last one with an error */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
MSGLEN - 1 ) == MSGLEN - 1 );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_ERR_SSL_WANT_READ );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_socket_overflow( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN ) );
/* Send two message to the server, second one with an error */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN )
== MBEDTLS_TEST_ERROR_SEND_FAILED );
/* Read the only message from the server */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_truncated( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 2,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 2,
&client,
&client_context ) == 0 );
memset( received, 0, MSGLEN );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
2 * MSGLEN ) );
/* Send two messages to the server, the second one small enough to fit in the
* receiver's buffer. */
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN / 2 ) == MSGLEN / 2 );
/* Read a truncated message from the server */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN/2 )
== MSGLEN/2 );
/* Test that the first half of the message is valid, and second one isn't */
TEST_ASSERT( memcmp( message, received, MSGLEN/2 ) == 0 );
TEST_ASSERT( memcmp( message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2 )
!= 0 );
memset( received, 0, MSGLEN );
/* Read a full message from the server */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN/2 )
== MSGLEN / 2 );
/* Test that the first half of the message is valid */
TEST_ASSERT( memcmp( message, received, MSGLEN/2 ) == 0 );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_socket_read_error( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 1,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 1,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN ) );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
/* Force a read error by disconnecting the socket by hand */
server.status = 0;
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_TEST_ERROR_RECV_FAILED );
/* Return to a valid state */
server.status = MBEDTLS_MOCK_SOCKET_CONNECTED;
memset( received, 0, sizeof( received ) );
/* Test that even though the server tried to read once disconnected, the
* continuity is preserved */
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_interleaved_one_way( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 3,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 3,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN*3 ) );
/* Interleaved test - [2 sends, 1 read] twice, and then two reads
* (to wrap around the buffer) */
for( i = 0; i < 2; i++ )
{
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, sizeof( received ) );
}
for( i = 0; i < 2; i++ )
{
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
}
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_ERR_SSL_WANT_READ );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_message_mock_interleaved_two_ways( )
{
enum { MSGLEN = 10 };
unsigned char message[MSGLEN], received[MSGLEN];
mbedtls_mock_socket client, server;
unsigned i;
mbedtls_test_message_queue server_queue, client_queue;
mbedtls_test_message_socket_context server_context, client_context;
mbedtls_message_socket_init( &server_context );
mbedtls_message_socket_init( &client_context );
TEST_ASSERT( mbedtls_message_socket_setup( &server_queue, &client_queue, 3,
&server,
&server_context ) == 0 );
TEST_ASSERT( mbedtls_message_socket_setup( &client_queue, &server_queue, 3,
&client,
&client_context ) == 0 );
/* Fill up the buffer with structured data so that unwanted changes
* can be detected */
for( i = 0; i < MSGLEN; i++ )
{
message[i] = i & 0xFF;
}
TEST_ASSERT( 0 == mbedtls_mock_socket_connect( &client, &server,
MSGLEN*3 ) );
/* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads
* (to wrap around the buffer) both ways. */
for( i = 0; i < 2; i++ )
{
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &client_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_send_msg( &server_context, message,
MSGLEN ) == MSGLEN );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, sizeof( received ) );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, sizeof( received ) );
}
for( i = 0; i < 2; i++ )
{
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, sizeof( received ) );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received,
MSGLEN ) == MSGLEN );
TEST_ASSERT( memcmp( message, received, MSGLEN ) == 0 );
memset( received, 0, sizeof( received ) );
}
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &server_context, received, MSGLEN )
== MBEDTLS_ERR_SSL_WANT_READ );
TEST_ASSERT( mbedtls_mock_tcp_recv_msg( &client_context, received, MSGLEN )
== MBEDTLS_ERR_SSL_WANT_READ );
exit:
mbedtls_message_socket_close( &server_context );
mbedtls_message_socket_close( &client_context );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
2014-09-24 11:13:44 +02:00
{
2017-06-09 05:32:58 +02:00
uint32_t len = 0;
mbedtls_ssl_context ssl;
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config conf;
2014-09-24 11:13:44 +02:00
2015-04-29 00:48:22 +02:00
mbedtls_ssl_init( &ssl );
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config_init( &conf );
2015-04-29 00:48:22 +02:00
TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) == 0 );
2015-05-04 14:56:36 +02:00
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
2014-09-24 11:13:44 +02:00
/* Read previous record numbers */
2017-06-09 05:32:58 +02:00
for( len = 0; len < prevs->len; len += 6 )
2014-09-24 11:13:44 +02:00
{
2017-06-09 05:32:58 +02:00
memcpy( ssl.in_ctr + 2, prevs->x + len, 6 );
mbedtls_ssl_dtls_replay_update( &ssl );
2014-09-24 11:13:44 +02:00
}
/* Check new number */
2017-06-09 05:32:58 +02:00
memcpy( ssl.in_ctr + 2, new->x, 6 );
TEST_ASSERT( mbedtls_ssl_dtls_replay_check( &ssl ) == ret );
2014-09-24 11:13:44 +02:00
mbedtls_ssl_free( &ssl );
2015-05-04 14:56:36 +02:00
mbedtls_ssl_config_free( &conf );
2014-09-24 11:13:44 +02:00
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */
void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_init( &ssl );
TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname0 ) == 0 );
TEST_ASSERT( mbedtls_ssl_set_hostname( &ssl, hostname1 ) == 0 );
mbedtls_ssl_free( &ssl );
}
2018-03-13 16:22:58 +01:00
/* END_CASE */
/* BEGIN_CASE */
void ssl_crypt_record( int cipher_type, int hash_id,
int etm, int tag_mode, int ver,
int cid0_len, int cid1_len )
{
/*
* Test several record encryptions and decryptions
* with plenty of space before and after the data
* within the record buffer.
*/
int ret;
int num_records = 16;
mbedtls_ssl_context ssl; /* ONLY for debugging */
mbedtls_ssl_transform t0, t1;
unsigned char *buf = NULL;
size_t const buflen = 512;
mbedtls_record rec, rec_backup;
USE_PSA_INIT( );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
ret = build_transforms( &t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver,
(size_t) cid0_len,
(size_t) cid1_len );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
while( num_records-- > 0 )
{
mbedtls_ssl_transform *t_dec, *t_enc;
/* Take turns in who's sending and who's receiving. */
if( num_records % 3 == 0 )
{
t_dec = &t0;
t_enc = &t1;
}
else
{
t_dec = &t1;
t_enc = &t0;
}
/*
* The record header affects the transformation in two ways:
* 1) It determines the AEAD additional data
* 2) The record counter sometimes determines the IV.
*
* Apart from that, the fields don't have influence.
* In particular, it is currently not the responsibility
* of ssl_encrypt/decrypt_buf to check if the transform
* version matches the record version, or that the
* type is sensible.
*/
memset( rec.ctr, num_records, sizeof( rec.ctr ) );
rec.type = 42;
rec.ver[0] = num_records;
rec.ver[1] = num_records;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
rec.buf = buf;
rec.buf_len = buflen;
rec.data_offset = 16;
/* Make sure to vary the length to exercise different
* paddings. */
rec.data_len = 1 + num_records;
memset( rec.buf + rec.data_offset, 42, rec.data_len );
/* Make a copy for later comparison */
rec_backup = rec;
/* Encrypt record */
ret = mbedtls_ssl_encrypt_buf( &ssl, t_enc, &rec,
mbedtls_test_rnd_std_rand, NULL );
TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
if( ret != 0 )
{
continue;
}
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( rec.cid_len != 0 )
{
/* DTLS 1.2 + CID hides the real content type and
* uses a special CID content type in the protected
* record. Double-check this. */
TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_CID );
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
/* TLS 1.3 hides the real content type and
* always uses Application Data as the content type
* for protected records. Double-check this. */
TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
/* Decrypt record with t_dec */
ret = mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec );
TEST_ASSERT( ret == 0 );
/* Compare results */
TEST_ASSERT( rec.type == rec_backup.type );
TEST_ASSERT( memcmp( rec.ctr, rec_backup.ctr, 8 ) == 0 );
TEST_ASSERT( rec.ver[0] == rec_backup.ver[0] );
TEST_ASSERT( rec.ver[1] == rec_backup.ver[1] );
TEST_ASSERT( rec.data_len == rec_backup.data_len );
TEST_ASSERT( rec.data_offset == rec_backup.data_offset );
TEST_ASSERT( memcmp( rec.buf + rec.data_offset,
rec_backup.buf + rec_backup.data_offset,
rec.data_len ) == 0 );
}
exit:
/* Cleanup */
mbedtls_ssl_free( &ssl );
mbedtls_ssl_transform_free( &t0 );
mbedtls_ssl_transform_free( &t1 );
mbedtls_free( buf );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_crypt_record_small( int cipher_type, int hash_id,
int etm, int tag_mode, int ver,
int cid0_len, int cid1_len )
{
/*
* Test pairs of encryption and decryption with an increasing
* amount of space in the record buffer - in more detail:
* 1) Try to encrypt with 0, 1, 2, ... bytes available
* in front of the plaintext, and expect the encryption
* to succeed starting from some offset. Always keep
* enough space in the end of the buffer.
* 2) Try to encrypt with 0, 1, 2, ... bytes available
* at the end of the plaintext, and expect the encryption
* to succeed starting from some offset. Always keep
* enough space at the beginning of the buffer.
* 3) Try to encrypt with 0, 1, 2, ... bytes available
* both at the front and end of the plaintext,
* and expect the encryption to succeed starting from
* some offset.
*
* If encryption succeeds, check that decryption succeeds
* and yields the original record.
*/
mbedtls_ssl_context ssl; /* ONLY for debugging */
mbedtls_ssl_transform t0, t1;
unsigned char *buf = NULL;
size_t const buflen = 256;
mbedtls_record rec, rec_backup;
int ret;
int mode; /* Mode 1, 2 or 3 as explained above */
size_t offset; /* Available space at beginning/end/both */
size_t threshold = 96; /* Maximum offset to test against */
size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */
size_t default_post_padding = 128; /* Post-padding to use in mode 1 */
int seen_success; /* Indicates if in the current mode we've
* already seen a successful test. */
USE_PSA_INIT( );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
ret = build_transforms( &t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver,
(size_t) cid0_len,
(size_t) cid1_len );
TEST_ASSERT( ret == 0 );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
for( mode=1; mode <= 3; mode++ )
{
seen_success = 0;
for( offset=0; offset <= threshold; offset++ )
{
mbedtls_ssl_transform *t_dec, *t_enc;
t_dec = &t0;
t_enc = &t1;
memset( rec.ctr, offset, sizeof( rec.ctr ) );
rec.type = 42;
rec.ver[0] = offset;
rec.ver[1] = offset;
rec.buf = buf;
rec.buf_len = buflen;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
switch( mode )
{
case 1: /* Space in the beginning */
rec.data_offset = offset;
rec.data_len = buflen - offset - default_post_padding;
break;
case 2: /* Space in the end */
rec.data_offset = default_pre_padding;
rec.data_len = buflen - default_pre_padding - offset;
break;
case 3: /* Space in the beginning and end */
rec.data_offset = offset;
rec.data_len = buflen - 2 * offset;
break;
default:
TEST_ASSERT( 0 );
break;
}
memset( rec.buf + rec.data_offset, 42, rec.data_len );
/* Make a copy for later comparison */
rec_backup = rec;
/* Encrypt record */
ret = mbedtls_ssl_encrypt_buf( &ssl, t_enc, &rec,
mbedtls_test_rnd_std_rand, NULL );
if( ( mode == 1 || mode == 2 ) && seen_success )
{
TEST_ASSERT( ret == 0 );
}
else
{
TEST_ASSERT( ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
if( ret == 0 )
seen_success = 1;
}
if( ret != 0 )
continue;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
if( rec.cid_len != 0 )
{
/* DTLS 1.2 + CID hides the real content type and
* uses a special CID content type in the protected
* record. Double-check this. */
TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_CID );
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
/* TLS 1.3 hides the real content type and
* always uses Application Data as the content type
* for protected records. Double-check this. */
TEST_ASSERT( rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
/* Decrypt record with t_dec */
TEST_ASSERT( mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec ) == 0 );
/* Compare results */
TEST_ASSERT( rec.type == rec_backup.type );
TEST_ASSERT( memcmp( rec.ctr, rec_backup.ctr, 8 ) == 0 );
TEST_ASSERT( rec.ver[0] == rec_backup.ver[0] );
TEST_ASSERT( rec.ver[1] == rec_backup.ver[1] );
TEST_ASSERT( rec.data_len == rec_backup.data_len );
TEST_ASSERT( rec.data_offset == rec_backup.data_offset );
TEST_ASSERT( memcmp( rec.buf + rec.data_offset,
rec_backup.buf + rec_backup.data_offset,
rec.data_len ) == 0 );
}
TEST_ASSERT( seen_success == 1 );
}
exit:
/* Cleanup */
mbedtls_ssl_free( &ssl );
mbedtls_ssl_transform_free( &t0 );
mbedtls_ssl_transform_free( &t1 );
mbedtls_free( buf );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */
void ssl_decrypt_non_etm_cbc( int cipher_type, int hash_id, int trunc_hmac,
int length_selector )
{
/*
* Test record decryption for CBC without EtM, focused on the verification
* of padding and MAC.
*
* Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since
* the test framework doesn't support alternation in dependency statements,
* just depend on AES.
*
* The length_selector argument is interpreted as follows:
* - if it's -1, the plaintext length is 0 and minimal padding is applied
* - if it's -2, the plaintext length is 0 and maximal padding is applied
* - otherwise it must be in [0, 255] and is padding_length from RFC 5246:
* it's the length of the rest of the padding, that is, excluding the
* byte that encodes the length. The minimal non-zero plaintext length
* that gives this padding_length is automatically selected.
*/
mbedtls_ssl_context ssl; /* ONLY for debugging */
mbedtls_ssl_transform t0, t1;
mbedtls_record rec, rec_save;
unsigned char *buf = NULL, *buf_save = NULL;
size_t buflen, olen = 0;
size_t plaintext_len, block_size, i;
unsigned char padlen; /* excluding the padding_length byte */
unsigned char add_data[13];
unsigned char mac[MBEDTLS_MD_MAX_SIZE];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
size_t sign_mac_length = 0;
#endif
int exp_ret;
int ret;
const unsigned char pad_max_len = 255; /* Per the standard */
USE_PSA_INIT( );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
/* Set up transforms with dummy keys */
ret = build_transforms( &t0, &t1, cipher_type, hash_id,
0, trunc_hmac,
MBEDTLS_SSL_VERSION_TLS1_2,
0 , 0 );
TEST_ASSERT( ret == 0 );
/* Determine padding/plaintext length */
TEST_ASSERT( length_selector >= -2 && length_selector <= 255 );
block_size = t0.ivlen;
if( length_selector < 0 )
{
plaintext_len = 0;
/* Minimal padding
* The +1 is for the padding_length byte, not counted in padlen. */
padlen = block_size - ( t0.maclen + 1 ) % block_size;
/* Maximal padding? */
if( length_selector == -2 )
padlen += block_size * ( ( pad_max_len - padlen ) / block_size );
}
else
{
padlen = length_selector;
/* Minimal non-zero plaintext_length giving desired padding.
* The +1 is for the padding_length byte, not counted in padlen. */
plaintext_len = block_size - ( padlen + t0.maclen + 1 ) % block_size;
}
/* Prepare a buffer for record data */
buflen = block_size
+ plaintext_len
+ t0.maclen
+ padlen + 1;
ASSERT_ALLOC( buf, buflen );
ASSERT_ALLOC( buf_save, buflen );
/* Prepare a dummy record header */
memset( rec.ctr, 0, sizeof( rec.ctr ) );
rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
mbedtls_ssl_write_version( rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_VERSION_TLS1_2 );
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
/* Prepare dummy record content */
rec.buf = buf;
rec.buf_len = buflen;
rec.data_offset = block_size;
rec.data_len = plaintext_len;
memset( rec.buf + rec.data_offset, 42, rec.data_len );
/* Serialized version of record header for MAC purposes */
memcpy( add_data, rec.ctr, 8 );
add_data[8] = rec.type;
add_data[9] = rec.ver[0];
add_data[10] = rec.ver[1];
add_data[11] = ( rec.data_len >> 8 ) & 0xff;
add_data[12] = ( rec.data_len >> 0 ) & 0xff;
/* Set dummy IV */
memset( t0.iv_enc, 0x55, t0.ivlen );
memcpy( rec.buf, t0.iv_enc, t0.ivlen );
/*
* Prepare a pre-encryption record (with MAC and padding), and save it.
*/
/* MAC with additional data */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_setup( &operation,
t0.psa_mac_enc,
t0.psa_mac_alg ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data, 13 ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
rec.buf + rec.data_offset,
rec.data_len ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_sign_finish( &operation,
mac, MBEDTLS_MD_MAX_SIZE,
&sign_mac_length ) );
#else
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc, add_data, 13 ) );
TEST_EQUAL( 0, mbedtls_md_hmac_update( &t0.md_ctx_enc,
rec.buf + rec.data_offset,
rec.data_len ) );
TEST_EQUAL( 0, mbedtls_md_hmac_finish( &t0.md_ctx_enc, mac ) );
#endif
memcpy( rec.buf + rec.data_offset + rec.data_len, mac, t0.maclen );
rec.data_len += t0.maclen;
/* Pad */
memset( rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1 );
rec.data_len += padlen + 1;
/* Save correct pre-encryption record */
rec_save = rec;
rec_save.buf = buf_save;
memcpy( buf_save, buf, buflen );
/*
* Encrypt and decrypt the correct record, expecting success
*/
TEST_EQUAL( 0, psa_cipher_encrypt_helper(&t0, t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len,
rec.buf + rec.data_offset, &olen ) );
rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen;
TEST_EQUAL( 0, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
/*
* Modify each byte of the pre-encryption record before encrypting and
* decrypting it, expecting failure every time.
*/
for( i = block_size; i < buflen; i++ )
{
mbedtls_test_set_step( i );
/* Restore correct pre-encryption record */
rec = rec_save;
rec.buf = buf;
memcpy( buf, buf_save, buflen );
/* Corrupt one byte of the data (could be plaintext, MAC or padding) */
rec.buf[i] ^= 0x01;
/* Encrypt */
TEST_EQUAL( 0, psa_cipher_encrypt_helper(&t0, t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len,
rec.buf + rec.data_offset, &olen ) );
rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen;
/* Decrypt and expect failure */
TEST_EQUAL( MBEDTLS_ERR_SSL_INVALID_MAC,
mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
}
/*
* Use larger values of the padding bytes - with small buffers, this tests
* the case where the announced padlen would be larger than the buffer
* (and before that, than the buffer minus the size of the MAC), to make
* sure our padding checking code does not perform any out-of-bounds reads
* in this case. (With larger buffers, ie when the plaintext is long or
* maximal length padding is used, this is less relevant but still doesn't
* hurt to test.)
*
* (Start the loop with correct padding, just to double-check that record
* saving did work, and that we're overwriting the correct bytes.)
*/
for( i = padlen; i <= pad_max_len; i++ )
{
mbedtls_test_set_step( i );
/* Restore correct pre-encryption record */
rec = rec_save;
rec.buf = buf;
memcpy( buf, buf_save, buflen );
/* Set padding bytes to new value */
memset( buf + buflen - padlen - 1, i, padlen + 1 );
/* Encrypt */
TEST_EQUAL( 0, psa_cipher_encrypt_helper(&t0, t0.iv_enc, t0.ivlen,
rec.buf + rec.data_offset, rec.data_len,
rec.buf + rec.data_offset, &olen ) );
rec.data_offset -= t0.ivlen;
rec.data_len += t0.ivlen;
/* Decrypt and expect failure except the first time */
exp_ret = ( i == padlen ) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
TEST_EQUAL( exp_ret, mbedtls_ssl_decrypt_buf( &ssl, &t1, &rec ) );
}
exit:
mbedtls_ssl_free( &ssl );
mbedtls_ssl_transform_free( &t0 );
mbedtls_ssl_transform_free( &t1 );
mbedtls_free( buf );
mbedtls_free( buf_save );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_hkdf_expand_label( int hash_alg,
data_t *secret,
int label_idx,
data_t *ctx,
int desired_length,
data_t *expected )
{
unsigned char dst[ 100 ];
unsigned char const *lbl = NULL;
size_t lbl_len;
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
if( label_idx == (int) tls13_label_ ## name ) \
{ \
lbl = mbedtls_ssl_tls13_labels.name; \
lbl_len = sizeof( mbedtls_ssl_tls13_labels.name ); \
}
MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
TEST_ASSERT( lbl != NULL );
/* Check sanity of test parameters. */
TEST_ASSERT( (size_t) desired_length <= sizeof(dst) );
TEST_ASSERT( (size_t) desired_length == expected->len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_hkdf_expand_label(
(psa_algorithm_t) hash_alg,
secret->x, secret->len,
lbl, lbl_len,
ctx->x, ctx->len,
dst, desired_length ) == 0 );
ASSERT_COMPARE( dst, (size_t) desired_length,
expected->x, (size_t) expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_traffic_key_generation( int hash_alg,
data_t *server_secret,
data_t *client_secret,
int desired_iv_len,
int desired_key_len,
data_t *expected_server_write_key,
data_t *expected_server_write_iv,
data_t *expected_client_write_key,
data_t *expected_client_write_iv )
{
mbedtls_ssl_key_set keys;
/* Check sanity of test parameters. */
TEST_ASSERT( client_secret->len == server_secret->len );
TEST_ASSERT( expected_client_write_iv->len == expected_server_write_iv->len &&
expected_client_write_iv->len == (size_t) desired_iv_len );
TEST_ASSERT( expected_client_write_key->len == expected_server_write_key->len &&
expected_client_write_key->len == (size_t) desired_key_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_make_traffic_keys(
(psa_algorithm_t) hash_alg,
client_secret->x,
server_secret->x,
client_secret->len /* == server_secret->len */,
desired_key_len, desired_iv_len,
&keys ) == 0 );
ASSERT_COMPARE( keys.client_write_key,
keys.key_len,
expected_client_write_key->x,
(size_t) desired_key_len );
ASSERT_COMPARE( keys.server_write_key,
keys.key_len,
expected_server_write_key->x,
(size_t) desired_key_len );
ASSERT_COMPARE( keys.client_write_iv,
keys.iv_len,
expected_client_write_iv->x,
(size_t) desired_iv_len );
ASSERT_COMPARE( keys.server_write_iv,
keys.iv_len,
expected_server_write_iv->x,
(size_t) desired_iv_len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_secret( int hash_alg,
data_t *secret,
int label_idx,
data_t *ctx,
int desired_length,
int already_hashed,
data_t *expected )
{
unsigned char dst[ 100 ];
unsigned char const *lbl = NULL;
size_t lbl_len;
#define MBEDTLS_SSL_TLS1_3_LABEL( name, string ) \
if( label_idx == (int) tls13_label_ ## name ) \
{ \
lbl = mbedtls_ssl_tls13_labels.name; \
lbl_len = sizeof( mbedtls_ssl_tls13_labels.name ); \
}
MBEDTLS_SSL_TLS1_3_LABEL_LIST
#undef MBEDTLS_SSL_TLS1_3_LABEL
TEST_ASSERT( lbl != NULL );
/* Check sanity of test parameters. */
TEST_ASSERT( (size_t) desired_length <= sizeof(dst) );
TEST_ASSERT( (size_t) desired_length == expected->len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_derive_secret(
(psa_algorithm_t) hash_alg,
secret->x, secret->len,
lbl, lbl_len,
ctx->x, ctx->len,
already_hashed,
dst, desired_length ) == 0 );
ASSERT_COMPARE( dst, desired_length,
expected->x, desired_length );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_early_secrets( int hash_alg,
data_t *secret,
data_t *transcript,
data_t *traffic_expected,
data_t *exporter_expected )
{
mbedtls_ssl_tls13_early_secrets secrets;
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH( alg );
TEST_ASSERT( PSA_ALG_IS_HASH( alg ) &&
secret->len == hash_len &&
transcript->len == hash_len &&
traffic_expected->len == hash_len &&
exporter_expected->len == hash_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_derive_early_secrets(
alg, secret->x, transcript->x, transcript->len,
&secrets ) == 0 );
ASSERT_COMPARE( secrets.client_early_traffic_secret, hash_len,
traffic_expected->x, traffic_expected->len );
ASSERT_COMPARE( secrets.early_exporter_master_secret, hash_len,
exporter_expected->x, exporter_expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_handshake_secrets( int hash_alg,
data_t *secret,
data_t *transcript,
data_t *client_expected,
data_t *server_expected )
{
mbedtls_ssl_tls13_handshake_secrets secrets;
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH( alg );
TEST_ASSERT( PSA_ALG_IS_HASH( alg ) &&
secret->len == hash_len &&
transcript->len == hash_len &&
client_expected->len == hash_len &&
server_expected->len == hash_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_derive_handshake_secrets(
alg, secret->x, transcript->x, transcript->len,
&secrets ) == 0 );
ASSERT_COMPARE( secrets.client_handshake_traffic_secret, hash_len,
client_expected->x, client_expected->len );
ASSERT_COMPARE( secrets.server_handshake_traffic_secret, hash_len,
server_expected->x, server_expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_application_secrets( int hash_alg,
data_t *secret,
data_t *transcript,
data_t *client_expected,
data_t *server_expected,
data_t *exporter_expected )
{
mbedtls_ssl_tls13_application_secrets secrets;
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH( alg );
TEST_ASSERT( PSA_ALG_IS_HASH( alg ) &&
secret->len == hash_len &&
transcript->len == hash_len &&
client_expected->len == hash_len &&
server_expected->len == hash_len &&
exporter_expected->len == hash_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_derive_application_secrets(
alg, secret->x, transcript->x, transcript->len,
&secrets ) == 0 );
ASSERT_COMPARE( secrets.client_application_traffic_secret_N, hash_len,
client_expected->x, client_expected->len );
ASSERT_COMPARE( secrets.server_application_traffic_secret_N, hash_len,
server_expected->x, server_expected->len );
ASSERT_COMPARE( secrets.exporter_master_secret, hash_len,
exporter_expected->x, exporter_expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_derive_resumption_secrets( int hash_alg,
data_t *secret,
data_t *transcript,
data_t *resumption_expected )
{
mbedtls_ssl_tls13_application_secrets secrets;
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH( alg );
TEST_ASSERT( PSA_ALG_IS_HASH( alg ) &&
secret->len == hash_len &&
transcript->len == hash_len &&
resumption_expected->len == hash_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_derive_resumption_master_secret(
alg, secret->x, transcript->x, transcript->len,
&secrets ) == 0 );
ASSERT_COMPARE( secrets.resumption_master_secret, hash_len,
resumption_expected->x, resumption_expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_create_psk_binder( int hash_alg,
data_t *psk,
int psk_type,
data_t *transcript,
data_t *binder_expected )
{
unsigned char binder[ MBEDTLS_MD_MAX_SIZE ];
/* Double-check that we've passed sane parameters. */
psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
size_t const hash_len = PSA_HASH_LENGTH( alg );
TEST_ASSERT( PSA_ALG_IS_HASH( alg ) &&
transcript->len == hash_len &&
binder_expected->len == hash_len );
PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls13_create_psk_binder(
NULL, /* SSL context for debugging only */
alg,
psk->x, psk->len,
psk_type,
transcript->x,
binder ) == 0 );
ASSERT_COMPARE( binder, hash_len,
binder_expected->x, binder_expected->len );
PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_record_protection( int ciphersuite,
int endpoint,
int ctr,
int padding_used,
data_t *server_write_key,
data_t *server_write_iv,
data_t *client_write_key,
data_t *client_write_iv,
data_t *plaintext,
data_t *ciphertext )
{
mbedtls_ssl_key_set keys;
mbedtls_ssl_transform transform_send;
mbedtls_ssl_transform transform_recv;
mbedtls_record rec;
unsigned char *buf = NULL;
size_t buf_len;
int other_endpoint;
USE_PSA_INIT( );
TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
endpoint == MBEDTLS_SSL_IS_SERVER );
if( endpoint == MBEDTLS_SSL_IS_SERVER )
other_endpoint = MBEDTLS_SSL_IS_CLIENT;
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
other_endpoint = MBEDTLS_SSL_IS_SERVER;
TEST_ASSERT( server_write_key->len == client_write_key->len );
TEST_ASSERT( server_write_iv->len == client_write_iv->len );
memcpy( keys.client_write_key,
client_write_key->x, client_write_key->len );
memcpy( keys.client_write_iv,
client_write_iv->x, client_write_iv->len );
memcpy( keys.server_write_key,
server_write_key->x, server_write_key->len );
memcpy( keys.server_write_iv,
server_write_iv->x, server_write_iv->len );
keys.key_len = server_write_key->len;
keys.iv_len = server_write_iv->len;
mbedtls_ssl_transform_init( &transform_recv );
mbedtls_ssl_transform_init( &transform_send );
TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
&transform_send, endpoint,
ciphersuite, &keys, NULL ) == 0 );
TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
&transform_recv, other_endpoint,
ciphersuite, &keys, NULL ) == 0 );
/* Make sure we have enough space in the buffer even if
* we use more padding than the KAT. */
buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
ASSERT_ALLOC( buf, buf_len );
rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
/* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */
mbedtls_ssl_write_version( rec.ver,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_VERSION_TLS1_2 );
/* Copy plaintext into record structure */
rec.buf = buf;
rec.buf_len = buf_len;
rec.data_offset = 0;
TEST_ASSERT( plaintext->len <= ciphertext->len );
memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
rec.data_len = plaintext->len;
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
rec.cid_len = 0;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
memset( &rec.ctr[0], 0, 8 );
rec.ctr[7] = ctr;
TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
NULL, NULL ) == 0 );
if( padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY )
{
ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
ciphertext->x, ciphertext->len );
}
TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
plaintext->x, plaintext->len );
mbedtls_free( buf );
mbedtls_ssl_transform_free( &transform_send );
mbedtls_ssl_transform_free( &transform_recv );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
void ssl_tls13_key_evolution( int hash_alg,
data_t *secret,
data_t *input,
data_t *expected )
{
unsigned char secret_new[ MBEDTLS_MD_MAX_SIZE ];
PSA_INIT();
TEST_ASSERT( mbedtls_ssl_tls13_evolve_secret(
(psa_algorithm_t) hash_alg,
secret->len ? secret->x : NULL,
input->len ? input->x : NULL, input->len,
secret_new ) == 0 );
ASSERT_COMPARE( secret_new, (size_t) expected->len,
expected->x, (size_t) expected->len );
PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
void ssl_tls_prf( int type, data_t * secret, data_t * random,
char *label, data_t *result_str, int exp_ret )
{
unsigned char *output;
output = mbedtls_calloc( 1, result_str->len );
if( output == NULL )
goto exit;
USE_PSA_INIT( );
TEST_ASSERT( mbedtls_ssl_tls_prf( type, secret->x, secret->len,
label, random->x, random->len,
output, result_str->len ) == exp_ret );
if( exp_ret == 0 )
{
TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x,
result_str->len, result_str->len ) == 0 );
}
exit:
mbedtls_free( output );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
{
mbedtls_ssl_session original, restored;
unsigned char *buf = NULL;
size_t len;
/*
* Test that a save-load pair is the identity
*/
mbedtls_ssl_session_init( &original );
mbedtls_ssl_session_init( &restored );
/* Prepare a dummy session to work on */
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
TEST_ASSERT( ssl_populate_session_tls12( &original, ticket_len, crt_file ) == 0 );
/* Serialize it */
TEST_ASSERT( mbedtls_ssl_session_save( &original, NULL, 0, &len )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, len ) ) != NULL );
TEST_ASSERT( mbedtls_ssl_session_save( &original, buf, len, &len )
== 0 );
/* Restore session from serialized data */
TEST_ASSERT( mbedtls_ssl_session_load( &restored, buf, len) == 0 );
/*
* Make sure both session structures are identical
*/
#if defined(MBEDTLS_HAVE_TIME)
TEST_ASSERT( original.start == restored.start );
#endif
TEST_ASSERT( original.tls_version == restored.tls_version );
TEST_ASSERT( original.ciphersuite == restored.ciphersuite );
TEST_ASSERT( original.compression == restored.compression );
TEST_ASSERT( original.id_len == restored.id_len );
TEST_ASSERT( memcmp( original.id,
restored.id, sizeof( original.id ) ) == 0 );
TEST_ASSERT( memcmp( original.master,
restored.master, sizeof( original.master ) ) == 0 );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
TEST_ASSERT( ( original.peer_cert == NULL ) ==
( restored.peer_cert == NULL ) );
if( original.peer_cert != NULL )
{
TEST_ASSERT( original.peer_cert->raw.len ==
restored.peer_cert->raw.len );
TEST_ASSERT( memcmp( original.peer_cert->raw.p,
restored.peer_cert->raw.p,
original.peer_cert->raw.len ) == 0 );
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
TEST_ASSERT( original.peer_cert_digest_type ==
restored.peer_cert_digest_type );
TEST_ASSERT( original.peer_cert_digest_len ==
restored.peer_cert_digest_len );
TEST_ASSERT( ( original.peer_cert_digest == NULL ) ==
( restored.peer_cert_digest == NULL ) );
if( original.peer_cert_digest != NULL )
{
TEST_ASSERT( memcmp( original.peer_cert_digest,
restored.peer_cert_digest,
original.peer_cert_digest_len ) == 0 );
}
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
TEST_ASSERT( original.verify_result == restored.verify_result );
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
TEST_ASSERT( original.ticket_len == restored.ticket_len );
if( original.ticket_len != 0 )
{
TEST_ASSERT( original.ticket != NULL );
TEST_ASSERT( restored.ticket != NULL );
TEST_ASSERT( memcmp( original.ticket,
restored.ticket, original.ticket_len ) == 0 );
}
TEST_ASSERT( original.ticket_lifetime == restored.ticket_lifetime );
#endif
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
TEST_ASSERT( original.mfl_code == restored.mfl_code );
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
TEST_ASSERT( original.encrypt_then_mac == restored.encrypt_then_mac );
#endif
exit:
mbedtls_ssl_session_free( &original );
mbedtls_ssl_session_free( &restored );
mbedtls_free( buf );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_serialize_session_load_save( int ticket_len, char *crt_file )
{
mbedtls_ssl_session session;
unsigned char *buf1 = NULL, *buf2 = NULL;
size_t len0, len1, len2;
/*
* Test that a load-save pair is the identity
*/
mbedtls_ssl_session_init( &session );
/* Prepare a dummy session to work on */
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
TEST_ASSERT( ssl_populate_session_tls12( &session, ticket_len, crt_file ) == 0 );
/* Get desired buffer size for serializing */
TEST_ASSERT( mbedtls_ssl_session_save( &session, NULL, 0, &len0 )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
/* Allocate first buffer */
buf1 = mbedtls_calloc( 1, len0 );
TEST_ASSERT( buf1 != NULL );
/* Serialize to buffer and free live session */
TEST_ASSERT( mbedtls_ssl_session_save( &session, buf1, len0, &len1 )
== 0 );
TEST_ASSERT( len0 == len1 );
mbedtls_ssl_session_free( &session );
/* Restore session from serialized data */
TEST_ASSERT( mbedtls_ssl_session_load( &session, buf1, len1 ) == 0 );
/* Allocate second buffer and serialize to it */
buf2 = mbedtls_calloc( 1, len0 );
TEST_ASSERT( buf2 != NULL );
TEST_ASSERT( mbedtls_ssl_session_save( &session, buf2, len0, &len2 )
== 0 );
/* Make sure both serialized versions are identical */
TEST_ASSERT( len1 == len2 );
TEST_ASSERT( memcmp( buf1, buf2, len1 ) == 0 );
exit:
mbedtls_ssl_session_free( &session );
mbedtls_free( buf1 );
mbedtls_free( buf2 );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_serialize_session_save_buf_size( int ticket_len, char *crt_file )
{
mbedtls_ssl_session session;
unsigned char *buf = NULL;
size_t good_len, bad_len, test_len;
/*
* Test that session_save() fails cleanly on small buffers
*/
mbedtls_ssl_session_init( &session );
/* Prepare dummy session and get serialized size */
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
TEST_ASSERT( ssl_populate_session_tls12( &session, ticket_len, crt_file ) == 0 );
TEST_ASSERT( mbedtls_ssl_session_save( &session, NULL, 0, &good_len )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
/* Try all possible bad lengths */
for( bad_len = 1; bad_len < good_len; bad_len++ )
{
/* Allocate exact size so that asan/valgrind can detect any overwrite */
mbedtls_free( buf );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, bad_len ) ) != NULL );
TEST_ASSERT( mbedtls_ssl_session_save( &session, buf, bad_len,
&test_len )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
TEST_ASSERT( test_len == good_len );
}
exit:
mbedtls_ssl_session_free( &session );
mbedtls_free( buf );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_serialize_session_load_buf_size( int ticket_len, char *crt_file )
{
mbedtls_ssl_session session;
unsigned char *good_buf = NULL, *bad_buf = NULL;
size_t good_len, bad_len;
/*
* Test that session_load() fails cleanly on small buffers
*/
mbedtls_ssl_session_init( &session );
/* Prepare serialized session data */
Store TLS version in SSL session structure Instances of `mbedtls_ssl_session` represent data enabling session resumption. With the introduction of TLS 1.3, the format of this data changes. We therefore need TLS-version field as part of `mbedtlsl_ssl_session` which allows distinguish 1.2 and 1.3 sessions. This commit introduces such a TLS-version field to mbedtls_ssl_session. The change has a few ramifications: - Session serialization/deserialization routines need to be adjusted. This is achieved by adding the TLS-version after the header of Mbed TLS version+config, and by having the subsequent structure of the serialized data depend on the value of this field. The details are described in terms of the RFC 8446 presentation language. The 1.2 session (de)serialization are moved into static helper functions, while the top-level session (de)serialization only parses the Mbed TLS version+config header and the TLS-version field, and dispatches according to the found version. This way, it will be easy to add support for TLS 1.3 sessions in the future. - Tests for session serialization need to be adjusted - Once we add support for TLS 1.3, with runtime negotiation of 1.2 vs. 1.3, we will need to have some logic comparing the TLS version of the proposed session to the negotiated TLS version. For now, however, we only support TLS 1.2, and no such logic is needed. Instead, we just store the TLS version in the session structure at the same point when we populate mbedtls_ssl_context.minor_ver. The change introduces some overlap between `mbedtls_ssl_session.minor_ver` and `mbedtls_ssl_context.minor_ver`, which should be studied and potentially resolved. However, with both fields being private and explicitly marked so, this can happen in a later change. Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-07-23 07:25:48 +02:00
TEST_ASSERT( ssl_populate_session_tls12( &session, ticket_len, crt_file ) == 0 );
TEST_ASSERT( mbedtls_ssl_session_save( &session, NULL, 0, &good_len )
== MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
TEST_ASSERT( ( good_buf = mbedtls_calloc( 1, good_len ) ) != NULL );
TEST_ASSERT( mbedtls_ssl_session_save( &session, good_buf, good_len,
&good_len ) == 0 );
mbedtls_ssl_session_free( &session );
/* Try all possible bad lengths */
for( bad_len = 0; bad_len < good_len; bad_len++ )
{
/* Allocate exact size so that asan/valgrind can detect any overread */
mbedtls_free( bad_buf );
bad_buf = mbedtls_calloc( 1, bad_len ? bad_len : 1 );
TEST_ASSERT( bad_buf != NULL );
memcpy( bad_buf, good_buf, bad_len );
TEST_ASSERT( mbedtls_ssl_session_load( &session, bad_buf, bad_len )
== MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
exit:
mbedtls_ssl_session_free( &session );
mbedtls_free( good_buf );
mbedtls_free( bad_buf );
}
/* END_CASE */
/* BEGIN_CASE */
void ssl_session_serialize_version_check( int corrupt_major,
int corrupt_minor,
int corrupt_patch,
int corrupt_config )
{
unsigned char serialized_session[ 2048 ];
size_t serialized_session_len;
unsigned cur_byte;
mbedtls_ssl_session session;
uint8_t should_corrupt_byte[] = { corrupt_major == 1,
corrupt_minor == 1,
corrupt_patch == 1,
corrupt_config == 1,
corrupt_config == 1 };
mbedtls_ssl_session_init( &session );
TEST_ASSERT( ssl_populate_session_tls12( &session, 0, NULL ) == 0 );
/* Infer length of serialized session. */
TEST_ASSERT( mbedtls_ssl_session_save( &session,
serialized_session,
sizeof( serialized_session ),
&serialized_session_len ) == 0 );
mbedtls_ssl_session_free( &session );
/* Without any modification, we should be able to successfully
* de-serialize the session - double-check that. */
TEST_ASSERT( mbedtls_ssl_session_load( &session,
serialized_session,
serialized_session_len ) == 0 );
mbedtls_ssl_session_free( &session );
/* Go through the bytes in the serialized session header and
* corrupt them bit-by-bit. */
for( cur_byte = 0; cur_byte < sizeof( should_corrupt_byte ); cur_byte++ )
{
int cur_bit;
unsigned char * const byte = &serialized_session[ cur_byte ];
if( should_corrupt_byte[ cur_byte ] == 0 )
continue;
for( cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++ )
{
unsigned char const corrupted_bit = 0x1u << cur_bit;
/* Modify a single bit in the serialized session. */
*byte ^= corrupted_bit;
/* Attempt to deserialize */
TEST_ASSERT( mbedtls_ssl_session_load( &session,
serialized_session,
serialized_session_len ) ==
MBEDTLS_ERR_SSL_VERSION_MISMATCH );
/* Undo the change */
*byte ^= corrupted_bit;
}
}
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void mbedtls_endpoint_sanity( int endpoint_type )
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint ep;
int ret = -1;
handshake_test_options options;
init_handshake_options( &options );
options.pk_alg = MBEDTLS_PK_RSA;
ret = mbedtls_endpoint_init( NULL, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
ret = mbedtls_endpoint_certificate_init( NULL, options.pk_alg, 0, 0, 0 );
TEST_ASSERT( MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret );
ret = mbedtls_endpoint_init( &ep, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
exit:
mbedtls_endpoint_free( &ep, NULL );
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void move_handshake_to_state(int endpoint_type, int state, int need_pass)
{
enum { BUFFSIZE = 1024 };
mbedtls_endpoint base_ep, second_ep;
int ret = -1;
handshake_test_options options;
init_handshake_options( &options );
options.pk_alg = MBEDTLS_PK_RSA;
USE_PSA_INIT( );
ret = mbedtls_endpoint_init( &base_ep, endpoint_type, &options,
NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
ret = mbedtls_endpoint_init( &second_ep,
( endpoint_type == MBEDTLS_SSL_IS_SERVER ) ?
MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
&options, NULL, NULL, NULL, NULL );
TEST_ASSERT( ret == 0 );
ret = mbedtls_mock_socket_connect( &(base_ep.socket),
&(second_ep.socket),
BUFFSIZE );
TEST_ASSERT( ret == 0 );
ret = mbedtls_move_handshake_to_state( &(base_ep.ssl),
&(second_ep.ssl),
state );
if( need_pass )
{
TEST_ASSERT( ret == 0 ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( base_ep.ssl.state == state );
}
else
{
TEST_ASSERT( ret != 0 &&
ret != MBEDTLS_ERR_SSL_WANT_READ &&
ret != MBEDTLS_ERR_SSL_WANT_WRITE );
TEST_ASSERT( base_ep.ssl.state != state );
}
exit:
free_handshake_options( &options );
mbedtls_endpoint_free( &base_ep, NULL );
mbedtls_endpoint_free( &second_ep, NULL );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_version( int dtls, int client_min_version, int client_max_version,
int server_min_version, int server_max_version,
int expected_negotiated_version )
{
handshake_test_options options;
init_handshake_options( &options );
options.client_min_version = client_min_version;
options.client_max_version = client_max_version;
options.server_min_version = server_min_version;
options.server_max_version = server_max_version;
options.expected_negotiated_version = expected_negotiated_version;
options.dtls = dtls;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_psk_cipher( char* cipher, int pk_alg, data_t *psk_str, int dtls )
{
handshake_test_options options;
init_handshake_options( &options );
options.cipher = cipher;
options.dtls = dtls;
options.psk_str = psk_str;
options.pk_alg = pk_alg;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_cipher( char* cipher, int pk_alg, int dtls )
{
test_handshake_psk_cipher( cipher, pk_alg, NULL, dtls );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_ciphersuite_select( char* cipher, int pk_alg, data_t *psk_str,
int psa_alg, int psa_alg2, int psa_usage,
int expected_handshake_result,
int expected_ciphersuite )
{
handshake_test_options options;
init_handshake_options( &options );
options.cipher = cipher;
options.psk_str = psk_str;
options.pk_alg = pk_alg;
options.opaque_alg = psa_alg;
options.opaque_alg2 = psa_alg2;
options.opaque_usage = psa_usage;
options.expected_handshake_result = expected_handshake_result;
options.expected_ciphersuite = expected_ciphersuite;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments, int dtls )
{
handshake_test_options options;
init_handshake_options( &options );
options.mfl = mfl;
options.cli_msg_len = cli_msg_len;
options.srv_msg_len = srv_msg_len;
options.expected_cli_fragments = expected_cli_fragments;
options.expected_srv_fragments = expected_srv_fragments;
options.dtls = dtls;
#if ! defined(MBEDTLS_SSL_PROTO_TLS1_2)
options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_3;
#endif
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_tls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )
{
test_app_data( mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
expected_srv_fragments, 0 );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void app_data_dtls( int mfl, int cli_msg_len, int srv_msg_len,
int expected_cli_fragments,
int expected_srv_fragments )
{
test_app_data( mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
expected_srv_fragments, 1 );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_serialization( )
{
handshake_test_options options;
init_handshake_options( &options );
options.serialize = 1;
options.dtls = 1;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation)
{
handshake_test_options options;
log_pattern srv_pattern, cli_pattern;
srv_pattern.pattern = cli_pattern.pattern = "found fragmented DTLS handshake";
srv_pattern.counter = 0;
cli_pattern.counter = 0;
init_handshake_options( &options );
options.dtls = 1;
options.mfl = mfl;
/* Set cipher to one using CBC so that record splitting can be tested */
options.cipher = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256";
options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
options.srv_log_obj = &srv_pattern;
options.cli_log_obj = &cli_pattern;
options.srv_log_fun = log_analyzer;
options.cli_log_fun = log_analyzer;
perform_handshake( &options );
/* Test if the server received a fragmented handshake */
if( expected_srv_hs_fragmentation )
{
TEST_ASSERT( srv_pattern.counter >= 1 );
}
/* Test if the client received a fragmented handshake */
if( expected_cli_hs_fragmentation )
{
TEST_ASSERT( cli_pattern.counter >= 1 );
}
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void renegotiation( int legacy_renegotiation )
{
handshake_test_options options;
init_handshake_options( &options );
options.renegotiate = 1;
options.legacy_renegotiation = legacy_renegotiation;
options.dtls = 1;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation,
int serialize, int dtls, char *cipher )
{
handshake_test_options options;
init_handshake_options( &options );
options.mfl = mfl;
options.cipher = cipher;
options.renegotiate = renegotiation;
options.legacy_renegotiation = legacy_renegotiation;
options.serialize = serialize;
options.dtls = dtls;
options.resize_buffers = 1;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers_serialize_mfl( int mfl )
{
test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
(char *) "" );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_CTR_DRBG_C */
void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation,
char *cipher )
{
test_resize_buffers( mfl, 1, legacy_renegotiation, 0, 1, cipher );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
exit:
free_handshake_options( &options );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
void ssl_cf_hmac( int hash )
{
/*
* Test the function mbedtls_ct_hmac() against a reference
* implementation.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
mbedtls_md_context_t ctx, ref_ctx;
const mbedtls_md_info_t *md_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t out_len, block_size;
size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
unsigned char add_data[13];
unsigned char ref_out[MBEDTLS_MD_MAX_SIZE];
unsigned char *data = NULL;
unsigned char *out = NULL;
unsigned char rec_num = 0;
USE_PSA_INIT( );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = PSA_ALG_HMAC( mbedtls_psa_translate_md( hash ) );
out_len = PSA_HASH_LENGTH( alg );
block_size = PSA_HASH_BLOCK_LENGTH( alg );
/* mbedtls_ct_hmac() requires the key to be exportable */
psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_EXPORT |
PSA_KEY_USAGE_VERIFY_HASH );
psa_set_key_algorithm( &attributes, PSA_ALG_HMAC( alg ) );
psa_set_key_type( &attributes, PSA_KEY_TYPE_HMAC );
#else
mbedtls_md_init( &ctx );
mbedtls_md_init( &ref_ctx );
md_info = mbedtls_md_info_from_type( hash );
TEST_ASSERT( md_info != NULL );
out_len = mbedtls_md_get_size( md_info );
TEST_ASSERT( out_len != 0 );
block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Use allocated out buffer to catch overwrites */
ASSERT_ALLOC( out, out_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Set up dummy key */
memset( ref_out, 42, sizeof( ref_out ) );
TEST_EQUAL( PSA_SUCCESS, psa_import_key( &attributes,
ref_out, out_len,
&key ) );
#else
/* Set up contexts with the given hash and a dummy key */
TEST_EQUAL( 0, mbedtls_md_setup( &ctx, md_info, 1 ) );
TEST_EQUAL( 0, mbedtls_md_setup( &ref_ctx, md_info, 1 ) );
memset( ref_out, 42, sizeof( ref_out ) );
TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ctx, ref_out, out_len ) );
TEST_EQUAL( 0, mbedtls_md_hmac_starts( &ref_ctx, ref_out, out_len ) );
memset( ref_out, 0, sizeof( ref_out ) );
#endif
/*
* Test all possible lengths up to a point. The difference between
* max_in_len and min_in_len is at most 255, and make sure they both vary
* by at least one block size.
*/
for( max_in_len = 0; max_in_len <= 255 + block_size; max_in_len++ )
{
mbedtls_test_set_step( max_in_len * 10000 );
/* Use allocated in buffer to catch overreads */
ASSERT_ALLOC( data, max_in_len );
min_in_len = max_in_len > 255 ? max_in_len - 255 : 0;
for( in_len = min_in_len; in_len <= max_in_len; in_len++ )
{
mbedtls_test_set_step( max_in_len * 10000 + in_len );
/* Set up dummy data and add_data */
rec_num++;
memset( add_data, rec_num, sizeof( add_data ) );
for( i = 0; i < in_len; i++ )
data[i] = ( i & 0xff ) ^ rec_num;
/* Get the function's result */
TEST_CF_SECRET( &in_len, sizeof( in_len ) );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL( 0, mbedtls_ct_hmac( key, PSA_ALG_HMAC( alg ),
add_data, sizeof( add_data ),
data, in_len,
min_in_len, max_in_len,
out ) );
#else
TEST_EQUAL( 0, mbedtls_ct_hmac( &ctx, add_data, sizeof( add_data ),
data, in_len,
min_in_len, max_in_len,
out ) );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
TEST_CF_PUBLIC( &in_len, sizeof( in_len ) );
TEST_CF_PUBLIC( out, out_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_setup( &operation,
key, alg ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation, add_data,
sizeof( add_data ) ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_update( &operation,
data, in_len ) );
TEST_EQUAL( PSA_SUCCESS, psa_mac_verify_finish( &operation,
out, out_len ) );
#else
/* Compute the reference result */
TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, add_data,
sizeof( add_data ) ) );
TEST_EQUAL( 0, mbedtls_md_hmac_update( &ref_ctx, data, in_len ) );
TEST_EQUAL( 0, mbedtls_md_hmac_finish( &ref_ctx, ref_out ) );
TEST_EQUAL( 0, mbedtls_md_hmac_reset( &ref_ctx ) );
/* Compare */
ASSERT_COMPARE( out, out_len, ref_out, out_len );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
mbedtls_free( data );
data = NULL;
}
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_abort( &operation );
psa_destroy_key( key );
#else
mbedtls_md_free( &ref_ctx );
mbedtls_md_free( &ctx );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_free( data );
mbedtls_free( out );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC:MBEDTLS_TEST_HOOKS */
void ssl_cf_memcpy_offset( int offset_min, int offset_max, int len )
{
unsigned char *dst = NULL;
unsigned char *src = NULL;
size_t src_len = offset_max + len;
size_t secret;
ASSERT_ALLOC( dst, len );
ASSERT_ALLOC( src, src_len );
/* Fill src in a way that we can detect if we copied the right bytes */
mbedtls_test_rnd_std_rand( NULL, src, src_len );
for( secret = offset_min; secret <= (size_t) offset_max; secret++ )
{
mbedtls_test_set_step( (int) secret );
TEST_CF_SECRET( &secret, sizeof( secret ) );
mbedtls_ct_memcpy_offset( dst, src, secret,
offset_min, offset_max, len );
TEST_CF_PUBLIC( &secret, sizeof( secret ) );
TEST_CF_PUBLIC( dst, len );
ASSERT_COMPARE( dst, len, src + secret, len );
}
exit:
mbedtls_free( dst );
mbedtls_free( src );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
void test_multiple_psks()
{
unsigned char psk0[10] = { 0 };
unsigned char psk0_identity[] = { 'f', 'o', 'o' };
unsigned char psk1[10] = { 0 };
unsigned char psk1_identity[] = { 'b', 'a', 'r' };
mbedtls_ssl_config conf;
USE_PSA_INIT( );
mbedtls_ssl_config_init( &conf );
TEST_ASSERT( mbedtls_ssl_conf_psk( &conf,
psk0, sizeof( psk0 ),
psk0_identity, sizeof( psk0_identity ) ) == 0 );
TEST_ASSERT( mbedtls_ssl_conf_psk( &conf,
psk1, sizeof( psk1 ),
psk1_identity, sizeof( psk1_identity ) ) ==
MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
exit:
mbedtls_ssl_config_free( &conf );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
void test_multiple_psks_opaque( int mode )
{
/*
* Mode 0: Raw PSK, then opaque PSK
* Mode 1: Opaque PSK, then raw PSK
* Mode 2: 2x opaque PSK
*/
unsigned char psk0_raw[10] = { 0 };
unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' };
mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make( 0x1, (psa_key_id_t) 1 );
unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' };
unsigned char psk1_raw[10] = { 0 };
unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' };
mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make( 0x1, (psa_key_id_t) 2 );
unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' };
mbedtls_ssl_config conf;
USE_PSA_INIT( );
mbedtls_ssl_config_init( &conf );
switch( mode )
{
case 0:
TEST_ASSERT( mbedtls_ssl_conf_psk( &conf,
psk0_raw, sizeof( psk0_raw ),
psk0_raw_identity, sizeof( psk0_raw_identity ) )
== 0 );
TEST_ASSERT( mbedtls_ssl_conf_psk_opaque( &conf,
psk1_opaque,
psk1_opaque_identity, sizeof( psk1_opaque_identity ) )
== MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
break;
case 1:
TEST_ASSERT( mbedtls_ssl_conf_psk_opaque( &conf,
psk0_opaque,
psk0_opaque_identity, sizeof( psk0_opaque_identity ) )
== 0 );
TEST_ASSERT( mbedtls_ssl_conf_psk( &conf,
psk1_raw, sizeof( psk1_raw ),
psk1_raw_identity, sizeof( psk1_raw_identity ) )
== MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
break;
case 2:
TEST_ASSERT( mbedtls_ssl_conf_psk_opaque( &conf,
psk0_opaque,
psk0_opaque_identity, sizeof( psk0_opaque_identity ) )
== 0 );
TEST_ASSERT( mbedtls_ssl_conf_psk_opaque( &conf,
psk1_opaque,
psk1_opaque_identity, sizeof( psk1_opaque_identity ) )
== MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
break;
default:
TEST_ASSERT( 0 );
break;
}
exit:
mbedtls_ssl_config_free( &conf );
USE_PSA_DONE( );
}
/* END_CASE */
/* BEGIN_CASE */
void conf_version( int endpoint, int transport,
int min_tls_version, int max_tls_version,
int expected_ssl_setup_result )
{
mbedtls_ssl_config conf;
mbedtls_ssl_context ssl;
mbedtls_ssl_config_init( &conf );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_conf_endpoint( &conf, endpoint );
mbedtls_ssl_conf_transport( &conf, transport );
mbedtls_ssl_conf_min_tls_version( &conf, min_tls_version );
mbedtls_ssl_conf_max_tls_version( &conf, max_tls_version );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == expected_ssl_setup_result );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_ECP_DP_SECP224R1_ENABLED:MBEDTLS_ECP_DP_SECP256R1_ENABLED */
void conf_curve()
{
mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1,
MBEDTLS_ECP_DP_SECP224R1,
MBEDTLS_ECP_DP_SECP256R1,
MBEDTLS_ECP_DP_NONE };
mbedtls_ecp_group_id iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
mbedtls_ssl_config conf;
mbedtls_ssl_config_init( &conf );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_max_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_2 );
mbedtls_ssl_conf_min_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_2 );
#else
mbedtls_ssl_conf_max_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_3 );
mbedtls_ssl_conf_min_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_3 );
#endif
mbedtls_ssl_conf_curves( &conf, curve_list );
mbedtls_ssl_context ssl;
mbedtls_ssl_init( &ssl );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( ssl.handshake != NULL && ssl.handshake->group_list != NULL );
TEST_ASSERT( ssl.conf != NULL && ssl.conf->group_list == NULL );
TEST_EQUAL( ssl.handshake->group_list[ARRAY_LENGTH( iana_tls_group_list ) - 1], MBEDTLS_SSL_IANA_TLS_GROUP_NONE );
for( size_t i = 0; i < ARRAY_LENGTH( iana_tls_group_list ); i++ )
TEST_EQUAL( iana_tls_group_list[i], ssl.handshake->group_list[i] );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */
void conf_group()
{
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
mbedtls_ssl_config conf;
mbedtls_ssl_config_init( &conf );
mbedtls_ssl_conf_max_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_2 );
mbedtls_ssl_conf_min_tls_version( &conf, MBEDTLS_SSL_VERSION_TLS1_2 );
mbedtls_ssl_conf_groups( &conf, iana_tls_group_list );
mbedtls_ssl_context ssl;
mbedtls_ssl_init( &ssl );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
TEST_ASSERT( ssl.conf != NULL && ssl.conf->group_list != NULL );
TEST_EQUAL( ssl.conf->group_list[ARRAY_LENGTH( iana_tls_group_list ) - 1], MBEDTLS_SSL_IANA_TLS_GROUP_NONE );
for( size_t i = 0; i < ARRAY_LENGTH( iana_tls_group_list ); i++ )
TEST_EQUAL( iana_tls_group_list[i], ssl.conf->group_list[i] );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
void timing_final_delay_accessor( )
{
mbedtls_timing_delay_context delay_context;
mbedtls_timing_set_delay( &delay_context, 50, 100 );
TEST_ASSERT( mbedtls_timing_get_final_delay( &delay_context ) == 100 );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID */
void cid_sanity( )
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
unsigned char test_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
int cid_enabled;
size_t own_cid_len;
mbedtls_test_rnd_std_rand( NULL, own_cid, sizeof( own_cid ) );
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT )
== 0 );
TEST_ASSERT( mbedtls_ssl_setup( &ssl, &conf ) == 0 );
/* Can't use CID functions with stream transport. */
TEST_ASSERT( mbedtls_ssl_set_cid( &ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
sizeof( own_cid ) )
== MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_ssl_get_own_cid( &ssl, &cid_enabled, test_cid,
&own_cid_len )
== MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT )
== 0 );
/* Attempt to set config cid size too big. */
TEST_ASSERT( mbedtls_ssl_conf_cid( &conf, MBEDTLS_SSL_CID_IN_LEN_MAX + 1,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
== MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_ssl_conf_cid( &conf, sizeof( own_cid ),
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
== 0 );
/* Attempt to set CID length not matching config. */
TEST_ASSERT( mbedtls_ssl_set_cid( &ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
MBEDTLS_SSL_CID_IN_LEN_MAX - 1 )
== MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
TEST_ASSERT( mbedtls_ssl_set_cid( &ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
sizeof( own_cid ) )
== 0 );
/* Test we get back what we put in. */
TEST_ASSERT( mbedtls_ssl_get_own_cid( &ssl, &cid_enabled, test_cid,
&own_cid_len )
== 0 );
TEST_EQUAL( cid_enabled, MBEDTLS_SSL_CID_ENABLED );
ASSERT_COMPARE( own_cid, own_cid_len, test_cid, own_cid_len );
/* Test disabling works. */
TEST_ASSERT( mbedtls_ssl_set_cid( &ssl, MBEDTLS_SSL_CID_DISABLED, NULL,
0 )
== 0 );
TEST_ASSERT( mbedtls_ssl_get_own_cid( &ssl, &cid_enabled, test_cid,
&own_cid_len )
== 0 );
TEST_EQUAL( cid_enabled, MBEDTLS_SSL_CID_DISABLED );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_config_free( &conf );
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ENTROPY_C:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_CTR_DRBG_C:MBEDTLS_ECP_C:MBEDTLS_ECDSA_C */
void raw_key_agreement_fail( int bad_server_ecdhe_key )
{
enum { BUFFSIZE = 17000 };
mbedtls_endpoint client, server;
mbedtls_psa_stats_t stats;
size_t free_slots_before = -1;
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
USE_PSA_INIT( );
/* Client side, force SECP256R1 to make one key bitflip fail
* the raw key agreement. Flipping the first byte makes the
* required 0x04 identifier invalid. */
TEST_EQUAL( mbedtls_endpoint_init( &client, MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_PK_ECDSA, 0, 0, 0, NULL, NULL,
NULL, iana_tls_group_list ), 0 );
/* Server side */
TEST_EQUAL( mbedtls_endpoint_init( &server, MBEDTLS_SSL_IS_SERVER,
MBEDTLS_PK_ECDSA, 0, 0, 0,
NULL, NULL, NULL, NULL ), 0 );
TEST_EQUAL( mbedtls_mock_socket_connect( &(client.socket),
&(server.socket),
BUFFSIZE ), 0 );
TEST_EQUAL( mbedtls_move_handshake_to_state( &(client.ssl),
&(server.ssl),
MBEDTLS_SSL_CLIENT_KEY_EXCHANGE )
, 0 );
mbedtls_psa_get_stats( &stats );
/* Save the number of slots in use up to this point.
* With PSA, one can be used for the ECDH private key. */
free_slots_before = stats.empty_slots;
if( bad_server_ecdhe_key )
{
/* Force a simulated bitflip in the server key. to make the
* raw key agreement in ssl_write_client_key_exchange fail. */
(client.ssl).handshake->ecdh_psa_peerkey[0] ^= 0x02;
}
TEST_EQUAL( mbedtls_move_handshake_to_state( &(client.ssl),
&(server.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER ),
bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0 );
mbedtls_psa_get_stats( &stats );
/* Make sure that the key slot is already destroyed in case of failure,
* without waiting to close the connection. */
if( bad_server_ecdhe_key )
TEST_EQUAL( free_slots_before, stats.empty_slots );
exit:
mbedtls_endpoint_free( &client, NULL );
mbedtls_endpoint_free( &server, NULL );
USE_PSA_DONE( );
}
/* END_CASE */