Add unit tests for record protection using CID

This commit is contained in:
Hanno Becker 2019-04-29 17:30:59 +01:00
parent 6c87b3f9df
commit d856c82993
2 changed files with 4518 additions and 1406 deletions

File diff suppressed because it is too large Load diff

View file

@ -18,11 +18,18 @@
} \
} while( 0 )
#if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_IN_LEN_MAX
#else
#define SSL_CID_LEN_MIN MBEDTLS_SSL_CID_OUT_LEN_MAX
#endif
static int build_transforms( mbedtls_ssl_transform *t_in,
mbedtls_ssl_transform *t_out,
int cipher_type, int hash_id,
int etm, int tag_mode, int ver )
int etm, int tag_mode, int ver,
size_t cid0_len,
size_t cid1_len )
{
mbedtls_cipher_info_t const *cipher_info;
int ret = 0;
@ -31,6 +38,12 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
unsigned char *key0 = NULL, *key1 = NULL;
unsigned char iv_enc[16], iv_dec[16];
unsigned char cid0[ SSL_CID_LEN_MIN ];
unsigned char cid1[ SSL_CID_LEN_MIN ];
rnd_std_rand( NULL, cid0, sizeof( cid0 ) );
rnd_std_rand( NULL, cid1, sizeof( cid1 ) );
maclen = 0;
/* Pick cipher */
@ -228,6 +241,16 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
memcpy( &t_out->iv_dec, iv_enc, sizeof( iv_enc ) );
memcpy( &t_out->iv_enc, iv_dec, sizeof( iv_dec ) );
/* Add CID */
memcpy( &t_in->in_cid, cid0, cid0_len );
memcpy( &t_in->out_cid, cid1, cid1_len );
t_in->in_cid_len = cid0_len;
t_in->out_cid_len = cid1_len;
memcpy( &t_out->in_cid, cid1, cid1_len );
memcpy( &t_out->out_cid, cid0, cid0_len );
t_out->in_cid_len = cid1_len;
t_out->out_cid_len = cid0_len;
cleanup:
mbedtls_free( key0 );
@ -290,7 +313,8 @@ void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
/* BEGIN_CASE */
void ssl_crypt_record( int cipher_type, int hash_id,
int etm, int tag_mode, int ver )
int etm, int tag_mode, int ver,
int cid0_len, int cid1_len )
{
/*
* Test several record encryptions and decryptions
@ -311,7 +335,9 @@ void ssl_crypt_record( int cipher_type, int hash_id,
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver ) == 0 );
etm, tag_mode, ver,
(size_t) cid0_len,
(size_t) cid1_len ) == 0 );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
@ -346,6 +372,7 @@ void ssl_crypt_record( int cipher_type, int hash_id,
rec.type = 42;
rec.ver[0] = num_records;
rec.ver[1] = num_records;
rec.cid_len = 0;
rec.buf = buf;
rec.buf_len = buflen;
@ -369,7 +396,8 @@ void ssl_crypt_record( int cipher_type, int hash_id,
}
/* Decrypt record with t_dec */
TEST_ASSERT( mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec ) == 0 );
ret = mbedtls_ssl_decrypt_buf( &ssl, t_dec, &rec );
TEST_ASSERT( ret == 0 );
/* Compare results */
TEST_ASSERT( rec.type == rec_backup.type );
@ -396,7 +424,8 @@ exit:
/* BEGIN_CASE */
void ssl_crypt_record_small( int cipher_type, int hash_id,
int etm, int tag_mode, int ver )
int etm, int tag_mode, int ver,
int cid0_len, int cid1_len )
{
/*
* Test pairs of encryption and decryption with an increasing
@ -422,16 +451,16 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
mbedtls_ssl_transform t0, t1;
unsigned char *buf = NULL;
size_t const buflen = 150;
size_t const buflen = 256;
mbedtls_record rec, rec_backup;
int ret;
int mode; /* Mode 1, 2 or 3 as explained above */
size_t offset; /* Available space at beginning/end/both */
size_t threshold = 64; /* Maximum offset to test against */
int mode; /* Mode 1, 2 or 3 as explained above */
size_t offset; /* Available space at beginning/end/both */
size_t threshold = 96; /* Maximum offset to test against */
size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */
size_t default_post_padding = 64; /* Post-padding to use in mode 1 */
size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */
size_t default_post_padding = 128; /* Post-padding to use in mode 1 */
int seen_success; /* Indicates if in the current mode we've
* already seen a successful test. */
@ -440,7 +469,9 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
mbedtls_ssl_transform_init( &t0 );
mbedtls_ssl_transform_init( &t1 );
TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
etm, tag_mode, ver ) == 0 );
etm, tag_mode, ver,
(size_t) cid0_len,
(size_t) cid1_len ) == 0 );
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
@ -459,6 +490,7 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
rec.ver[1] = offset;
rec.buf = buf;
rec.buf_len = buflen;
rec.cid_len = 0;
switch( mode )
{