test_suite_ssl.function (230201B)
1 /* BEGIN_HEADER */ 2 #include <ssl_misc.h> 3 #include <mbedtls/timing.h> 4 #include <mbedtls/debug.h> 5 #include <mbedtls/pk.h> 6 #include <ssl_tls13_keys.h> 7 #include <ssl_tls13_invasive.h> 8 #include <test/ssl_helpers.h> 9 10 #include <constant_time_internal.h> 11 #include <test/constant_flow.h> 12 13 #define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } 14 15 /* Mnemonics for the early data test scenarios */ 16 #define TEST_EARLY_DATA_ACCEPTED 0 17 #define TEST_EARLY_DATA_NO_INDICATION_SENT 1 18 #define TEST_EARLY_DATA_SERVER_REJECTS 2 19 #define TEST_EARLY_DATA_HRR 3 20 #define TEST_EARLY_DATA_SAME_ALPN 4 21 #define TEST_EARLY_DATA_DIFF_ALPN 5 22 #define TEST_EARLY_DATA_NO_INITIAL_ALPN 6 23 #define TEST_EARLY_DATA_NO_LATER_ALPN 7 24 25 #if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ 26 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ 27 defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ 28 defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ 29 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ 30 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \ 31 defined(MBEDTLS_MD_CAN_SHA256) && \ 32 defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ 33 defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS) 34 /* 35 * Test function to write early data for negative tests where 36 * mbedtls_ssl_write_early_data() cannot be used. 37 */ 38 static int write_early_data(mbedtls_ssl_context *ssl, 39 unsigned char *buf, size_t len) 40 { 41 int ret = mbedtls_ssl_get_max_out_record_payload(ssl); 42 43 TEST_ASSERT(ret > 0); 44 TEST_LE_U(len, (size_t) ret); 45 46 ret = mbedtls_ssl_flush_output(ssl); 47 TEST_EQUAL(ret, 0); 48 TEST_EQUAL(ssl->out_left, 0); 49 50 ssl->out_msglen = len; 51 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 52 if (len > 0) { 53 memcpy(ssl->out_msg, buf, len); 54 } 55 56 ret = mbedtls_ssl_write_record(ssl, 1); 57 TEST_EQUAL(ret, 0); 58 59 ret = len; 60 61 exit: 62 return ret; 63 } 64 #endif 65 66 typedef enum { 67 RECOMBINE_NOMINAL, /* param: ignored */ 68 RECOMBINE_SPLIT_FIRST, /* param: offset of split (<=0 means from end) */ 69 RECOMBINE_TRUNCATE_FIRST, /* param: offset of truncation (<=0 means from end) */ 70 RECOMBINE_INSERT_EMPTY, /* param: offset (<0 means from end) */ 71 RECOMBINE_INSERT_RECORD, /* param: record type */ 72 RECOMBINE_COALESCE, /* param: number of records (INT_MAX=all) */ 73 RECOMBINE_COALESCE_SPLIT_ONCE, /* param: offset of split (<=0 means from end) */ 74 RECOMBINE_COALESCE_SPLIT_BOTH_ENDS, /* param: offset, must be >0 */ 75 } recombine_records_instruction_t; 76 77 /* Keep this in sync with the recombine_server_first_flight() 78 * See comment there. */ 79 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) && \ 80 defined(MBEDTLS_MD_CAN_SHA256) && \ 81 defined(MBEDTLS_ECP_HAVE_SECP256R1) && \ 82 defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ 83 defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && \ 84 defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) 85 86 /* Split the first record into two pieces of lengths offset and 87 * record_length-offset. If offset is zero or negative, count from the end of 88 * the record. */ 89 static int recombine_split_first_record(mbedtls_test_ssl_buffer *buf, 90 int offset) 91 { 92 const size_t header_length = 5; 93 TEST_LE_U(header_length, buf->content_length); 94 size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2); 95 96 if (offset > 0) { 97 TEST_LE_S(offset, record_length); 98 } else { 99 TEST_LE_S(-offset, record_length); 100 offset = record_length + offset; 101 } 102 103 /* Check that we have room to insert a record header */ 104 TEST_LE_U(buf->content_length + header_length, buf->capacity); 105 106 /* Make room for a record header */ 107 size_t new_record_start = header_length + offset; 108 size_t new_content_start = new_record_start + header_length; 109 memmove(buf->buffer + new_content_start, 110 buf->buffer + new_record_start, 111 buf->content_length - new_record_start); 112 buf->content_length += header_length; 113 114 /* Construct a header for the new record based on the existing one */ 115 memcpy(buf->buffer + new_record_start, buf->buffer, header_length); 116 MBEDTLS_PUT_UINT16_BE(record_length - offset, 117 buf->buffer, new_content_start - 2); 118 119 /* Adjust the length of the first record */ 120 MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2); 121 122 return 0; 123 124 exit: 125 return -1; 126 } 127 128 /* Truncate the first record, keeping only the first offset bytes. 129 * If offset is zero or negative, count from the end of the record. 130 * Remove the subsequent records. 131 */ 132 static int recombine_truncate_first_record(mbedtls_test_ssl_buffer *buf, 133 int offset) 134 { 135 const size_t header_length = 5; 136 TEST_LE_U(header_length, buf->content_length); 137 size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2); 138 139 if (offset > 0) { 140 TEST_LE_S(offset, record_length); 141 } else { 142 TEST_LE_S(-offset, record_length); 143 offset = record_length + offset; 144 } 145 146 /* Adjust the length of the first record */ 147 MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2); 148 149 /* Wipe the rest */ 150 size_t truncated_end = header_length + offset; 151 memset(buf->buffer + truncated_end, '!', 152 buf->content_length - truncated_end); 153 buf->content_length = truncated_end; 154 155 return 0; 156 157 exit: 158 return -1; 159 } 160 161 /* Insert a (dummy) record at the given offset. If offset is negative, 162 * count from the end of the first record. */ 163 static int recombine_insert_record(mbedtls_test_ssl_buffer *buf, 164 int offset, 165 uint8_t inserted_record_type) 166 { 167 const size_t header_length = 5; 168 TEST_LE_U(header_length, buf->content_length); 169 size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2); 170 171 if (offset >= 0) { 172 TEST_LE_S(offset, record_length); 173 } else { 174 TEST_LE_S(-offset, record_length); 175 offset = record_length + offset; 176 } 177 178 uint8_t inserted_content[42] = { 0 }; 179 size_t inserted_content_length = 0; 180 switch (inserted_record_type) { 181 case MBEDTLS_SSL_MSG_ALERT: 182 inserted_content[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING; 183 inserted_content[1] = MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION; 184 inserted_content_length = 2; 185 break; 186 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC: 187 inserted_content[0] = 0x01; 188 inserted_content_length = 1; 189 break; 190 case MBEDTLS_SSL_MSG_APPLICATION_DATA: 191 inserted_content_length = sizeof(inserted_content); 192 break; 193 default: 194 /* Leave the content empty */ 195 break; 196 } 197 198 /* Check that we have room to insert two record headers plus the new 199 * content. */ 200 TEST_LE_U(buf->content_length + 2 * header_length + inserted_content_length, 201 buf->capacity); 202 203 /* Make room for the inserted record and a record header for the fragment */ 204 size_t inserted_record_start = header_length + offset; 205 size_t inserted_content_start = inserted_record_start + header_length; 206 size_t tail_record_start = inserted_content_start + inserted_content_length; 207 size_t tail_content_start = tail_record_start + header_length; 208 memmove(buf->buffer + tail_content_start, 209 buf->buffer + inserted_record_start, 210 buf->content_length - inserted_record_start); 211 buf->content_length += 2 * header_length; 212 213 /* Construct the inserted record based on the existing one */ 214 memcpy(buf->buffer + inserted_record_start, buf->buffer, header_length); 215 buf->buffer[inserted_record_start] = inserted_record_type; 216 MBEDTLS_PUT_UINT16_BE(inserted_content_length, 217 buf->buffer, inserted_content_start - 2); 218 memcpy(buf->buffer + inserted_content_start, 219 inserted_content, inserted_content_length); 220 221 /* Construct header for the last fragment based on the existing one */ 222 memcpy(buf->buffer + tail_record_start, buf->buffer, header_length); 223 MBEDTLS_PUT_UINT16_BE(record_length - offset, 224 buf->buffer, tail_content_start - 2); 225 226 /* Adjust the length of the first record */ 227 MBEDTLS_PUT_UINT16_BE(offset, buf->buffer, header_length - 2); 228 229 return 0; 230 231 exit: 232 return -1; 233 } 234 235 /* Coalesce TLS handshake records. 236 * DTLS is not supported. 237 * Encrypted or authenticated handshake records are not supported. 238 * Assume the buffer content is a valid sequence of records. 239 * 240 * Coalesce only the first max records, or all the records if there are 241 * fewer than max. 242 * Return the number of coalesced records, or -1 on error. 243 */ 244 static int recombine_coalesce_handshake_records(mbedtls_test_ssl_buffer *buf, 245 int max) 246 { 247 const size_t header_length = 5; 248 TEST_LE_U(header_length, buf->content_length); 249 if (buf->buffer[0] != MBEDTLS_SSL_MSG_HANDSHAKE) { 250 return 0; 251 } 252 253 size_t record_length = MBEDTLS_GET_UINT16_BE(buf->buffer, header_length - 2); 254 TEST_LE_U(header_length + record_length, buf->content_length); 255 256 int count; 257 for (count = 1; count < max; count++) { 258 size_t next_start = header_length + record_length; 259 if (next_start >= buf->content_length) { 260 /* We've already reached the last record. */ 261 break; 262 } 263 264 TEST_LE_U(next_start + header_length, buf->content_length); 265 if (buf->buffer[next_start] != MBEDTLS_SSL_MSG_HANDSHAKE) { 266 /* There's another record, but it isn't a handshake record. */ 267 break; 268 } 269 size_t next_length = 270 MBEDTLS_GET_UINT16_BE(buf->buffer, next_start + header_length - 2); 271 TEST_LE_U(next_start + header_length + next_length, buf->content_length); 272 273 /* Erase the next record header */ 274 memmove(buf->buffer + next_start, 275 buf->buffer + next_start + header_length, 276 buf->content_length - next_start); 277 buf->content_length -= header_length; 278 /* Update the first record length */ 279 record_length += next_length; 280 TEST_LE_U(record_length, 0xffff); 281 MBEDTLS_PUT_UINT16_BE(record_length, buf->buffer, header_length - 2); 282 } 283 284 return count; 285 286 exit: 287 return -1; 288 } 289 290 static int recombine_records(mbedtls_test_ssl_endpoint *server, 291 recombine_records_instruction_t instruction, 292 int param) 293 { 294 mbedtls_test_ssl_buffer *buf = server->socket.output; 295 int ret; 296 297 /* buf is a circular buffer. For simplicity, this code assumes that 298 * the data is located at the beginning. This should be ok since 299 * this function is only meant to be used on the first flight 300 * emitted by a server. */ 301 TEST_EQUAL(buf->start, 0); 302 303 switch (instruction) { 304 case RECOMBINE_NOMINAL: 305 break; 306 307 case RECOMBINE_SPLIT_FIRST: 308 ret = recombine_split_first_record(buf, param); 309 TEST_LE_S(0, ret); 310 break; 311 312 case RECOMBINE_TRUNCATE_FIRST: 313 ret = recombine_truncate_first_record(buf, param); 314 TEST_LE_S(0, ret); 315 break; 316 317 case RECOMBINE_INSERT_EMPTY: 318 /* Insert an empty handshake record. */ 319 ret = recombine_insert_record(buf, param, MBEDTLS_SSL_MSG_HANDSHAKE); 320 TEST_LE_S(0, ret); 321 break; 322 323 case RECOMBINE_INSERT_RECORD: 324 /* Insert an extra record at a position where splitting 325 * would be ok. */ 326 ret = recombine_insert_record(buf, 5, param); 327 TEST_LE_S(0, ret); 328 break; 329 330 case RECOMBINE_COALESCE: 331 ret = recombine_coalesce_handshake_records(buf, param); 332 /* If param != INT_MAX, enforce that there were that many 333 * records to coalesce. In particular, 1 < param < INT_MAX 334 * ensures that library will see some coalesced records. */ 335 if (param == INT_MAX) { 336 TEST_LE_S(1, ret); 337 } else { 338 TEST_EQUAL(ret, param); 339 } 340 break; 341 342 case RECOMBINE_COALESCE_SPLIT_ONCE: 343 ret = recombine_coalesce_handshake_records(buf, INT_MAX); 344 /* Require at least two coalesced records, otherwise this 345 * doesn't lead to a meaningful test (use 346 * RECOMBINE_SPLIT_FIRST instead). */ 347 TEST_LE_S(2, ret); 348 ret = recombine_split_first_record(buf, param); 349 TEST_LE_S(0, ret); 350 break; 351 352 case RECOMBINE_COALESCE_SPLIT_BOTH_ENDS: 353 ret = recombine_coalesce_handshake_records(buf, INT_MAX); 354 /* Accept a single record, which will be split at both ends */ 355 TEST_LE_S(1, ret); 356 TEST_LE_S(1, param); 357 ret = recombine_split_first_record(buf, -param); 358 TEST_LE_S(0, ret); 359 ret = recombine_split_first_record(buf, param); 360 TEST_LE_S(0, ret); 361 break; 362 363 default: 364 TEST_FAIL("Instructions not understood"); 365 } 366 367 return 1; 368 369 exit: 370 return 0; 371 } 372 373 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED etc */ 374 375 /* END_HEADER */ 376 377 /* BEGIN_DEPENDENCIES 378 * depends_on:MBEDTLS_SSL_TLS_C 379 * END_DEPENDENCIES 380 */ 381 382 /* BEGIN_CASE */ 383 void test_callback_buffer_sanity() 384 { 385 enum { MSGLEN = 10 }; 386 mbedtls_test_ssl_buffer buf; 387 mbedtls_test_ssl_buffer_init(&buf); 388 unsigned char input[MSGLEN]; 389 unsigned char output[MSGLEN]; 390 391 USE_PSA_INIT(); 392 memset(input, 0, sizeof(input)); 393 394 /* Make sure calling put and get on NULL buffer results in error. */ 395 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, input, sizeof(input)) 396 == -1); 397 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, output, sizeof(output)) 398 == -1); 399 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, sizeof(input)) 400 == -1); 401 402 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, 0) == -1); 403 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, NULL, 0) == -1); 404 405 /* Make sure calling put and get on a buffer that hasn't been set up results 406 * in error. */ 407 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input)) 408 == -1); 409 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output)) 410 == -1); 411 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input)) 412 == -1); 413 414 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == -1); 415 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == -1); 416 417 /* Make sure calling put and get on NULL input only results in 418 * error if the length is not zero, and that a NULL output is valid for data 419 * dropping. 420 */ 421 422 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, sizeof(input)) == 0); 423 424 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input)) 425 == -1); 426 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, sizeof(output)) 427 == 0); 428 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == 0); 429 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == 0); 430 431 /* Make sure calling put several times in the row is safe */ 432 433 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input)) 434 == sizeof(input)); 435 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, 2) == 2); 436 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 1) == 1); 437 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 1); 438 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 0); 439 440 441 exit: 442 mbedtls_test_ssl_buffer_free(&buf); 443 USE_PSA_DONE(); 444 } 445 /* END_CASE */ 446 447 /* 448 * Test if the implementation of `mbedtls_test_ssl_buffer` related functions is 449 * correct and works as expected. 450 * 451 * That is 452 * - If we try to put in \p put1 bytes then we can put in \p put1_ret bytes. 453 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes. 454 * - Next, if we try to put in \p put1 bytes then we can put in \p put1_ret 455 * bytes. 456 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes. 457 * - All of the bytes we got match the bytes we put in in a FIFO manner. 458 */ 459 460 /* BEGIN_CASE */ 461 void test_callback_buffer(int size, int put1, int put1_ret, 462 int get1, int get1_ret, int put2, int put2_ret, 463 int get2, int get2_ret) 464 { 465 enum { ROUNDS = 2 }; 466 size_t put[ROUNDS]; 467 int put_ret[ROUNDS]; 468 size_t get[ROUNDS]; 469 int get_ret[ROUNDS]; 470 mbedtls_test_ssl_buffer buf; 471 unsigned char *input = NULL; 472 size_t input_len; 473 unsigned char *output = NULL; 474 size_t output_len; 475 size_t i, j, written, read; 476 477 mbedtls_test_ssl_buffer_init(&buf); 478 USE_PSA_INIT(); 479 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, size) == 0); 480 481 /* Check the sanity of input parameters and initialise local variables. That 482 * is, ensure that the amount of data is not negative and that we are not 483 * expecting more to put or get than we actually asked for. */ 484 TEST_ASSERT(put1 >= 0); 485 put[0] = put1; 486 put_ret[0] = put1_ret; 487 TEST_ASSERT(put1_ret <= put1); 488 TEST_ASSERT(put2 >= 0); 489 put[1] = put2; 490 put_ret[1] = put2_ret; 491 TEST_ASSERT(put2_ret <= put2); 492 493 TEST_ASSERT(get1 >= 0); 494 get[0] = get1; 495 get_ret[0] = get1_ret; 496 TEST_ASSERT(get1_ret <= get1); 497 TEST_ASSERT(get2 >= 0); 498 get[1] = get2; 499 get_ret[1] = get2_ret; 500 TEST_ASSERT(get2_ret <= get2); 501 502 input_len = 0; 503 /* Calculate actual input and output lengths */ 504 for (j = 0; j < ROUNDS; j++) { 505 if (put_ret[j] > 0) { 506 input_len += put_ret[j]; 507 } 508 } 509 /* In order to always have a valid pointer we always allocate at least 1 510 * byte. */ 511 if (input_len == 0) { 512 input_len = 1; 513 } 514 TEST_CALLOC(input, input_len); 515 516 output_len = 0; 517 for (j = 0; j < ROUNDS; j++) { 518 if (get_ret[j] > 0) { 519 output_len += get_ret[j]; 520 } 521 } 522 TEST_ASSERT(output_len <= input_len); 523 /* In order to always have a valid pointer we always allocate at least 1 524 * byte. */ 525 if (output_len == 0) { 526 output_len = 1; 527 } 528 TEST_CALLOC(output, output_len); 529 530 /* Fill up the buffer with structured data so that unwanted changes 531 * can be detected */ 532 for (i = 0; i < input_len; i++) { 533 input[i] = i & 0xFF; 534 } 535 536 written = read = 0; 537 for (j = 0; j < ROUNDS; j++) { 538 TEST_ASSERT(put_ret[j] == mbedtls_test_ssl_buffer_put(&buf, 539 input + written, put[j])); 540 written += put_ret[j]; 541 TEST_ASSERT(get_ret[j] == mbedtls_test_ssl_buffer_get(&buf, 542 output + read, get[j])); 543 read += get_ret[j]; 544 TEST_ASSERT(read <= written); 545 if (get_ret[j] > 0) { 546 TEST_ASSERT(memcmp(output + read - get_ret[j], 547 input + read - get_ret[j], get_ret[j]) 548 == 0); 549 } 550 } 551 552 exit: 553 mbedtls_free(input); 554 mbedtls_free(output); 555 mbedtls_test_ssl_buffer_free(&buf); 556 USE_PSA_DONE(); 557 } 558 /* END_CASE */ 559 560 /* 561 * Test if the implementation of `mbedtls_test_mock_socket` related 562 * I/O functions is correct and works as expected on unconnected sockets. 563 */ 564 565 /* BEGIN_CASE */ 566 void ssl_mock_sanity() 567 { 568 enum { MSGLEN = 105 }; 569 unsigned char message[MSGLEN] = { 0 }; 570 unsigned char received[MSGLEN] = { 0 }; 571 mbedtls_test_mock_socket socket; 572 573 mbedtls_test_mock_socket_init(&socket); 574 USE_PSA_INIT(); 575 TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0); 576 mbedtls_test_mock_socket_close(&socket); 577 mbedtls_test_mock_socket_init(&socket); 578 TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0); 579 mbedtls_test_mock_socket_close(&socket); 580 581 mbedtls_test_mock_socket_init(&socket); 582 TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0); 583 mbedtls_test_mock_socket_close(&socket); 584 mbedtls_test_mock_socket_init(&socket); 585 TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0); 586 mbedtls_test_mock_socket_close(&socket); 587 588 exit: 589 mbedtls_test_mock_socket_close(&socket); 590 USE_PSA_DONE(); 591 } 592 /* END_CASE */ 593 594 /* 595 * Test if the implementation of `mbedtls_test_mock_socket` related functions 596 * can send a single message from the client to the server. 597 */ 598 599 /* BEGIN_CASE */ 600 void ssl_mock_tcp(int blocking) 601 { 602 enum { MSGLEN = 105 }; 603 enum { BUFLEN = MSGLEN / 5 }; 604 unsigned char message[MSGLEN]; 605 unsigned char received[MSGLEN]; 606 mbedtls_test_mock_socket client; 607 mbedtls_test_mock_socket server; 608 size_t written, read; 609 int send_ret, recv_ret; 610 mbedtls_ssl_send_t *send; 611 mbedtls_ssl_recv_t *recv; 612 unsigned i; 613 614 if (blocking == 0) { 615 send = mbedtls_test_mock_tcp_send_nb; 616 recv = mbedtls_test_mock_tcp_recv_nb; 617 } else { 618 send = mbedtls_test_mock_tcp_send_b; 619 recv = mbedtls_test_mock_tcp_recv_b; 620 } 621 622 mbedtls_test_mock_socket_init(&client); 623 mbedtls_test_mock_socket_init(&server); 624 USE_PSA_INIT(); 625 626 /* Fill up the buffer with structured data so that unwanted changes 627 * can be detected */ 628 for (i = 0; i < MSGLEN; i++) { 629 message[i] = i & 0xFF; 630 } 631 632 /* Make sure that sending a message takes a few iterations. */ 633 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 634 BUFLEN)); 635 636 /* Send the message to the server */ 637 send_ret = recv_ret = 1; 638 written = read = 0; 639 while (send_ret != 0 || recv_ret != 0) { 640 send_ret = send(&client, message + written, MSGLEN - written); 641 642 TEST_ASSERT(send_ret >= 0); 643 TEST_ASSERT(send_ret <= BUFLEN); 644 written += send_ret; 645 646 /* If the buffer is full we can test blocking and non-blocking send */ 647 if (send_ret == BUFLEN) { 648 int blocking_ret = send(&client, message, 1); 649 if (blocking) { 650 TEST_ASSERT(blocking_ret == 0); 651 } else { 652 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE); 653 } 654 } 655 656 recv_ret = recv(&server, received + read, MSGLEN - read); 657 658 /* The result depends on whether any data was sent */ 659 if (send_ret > 0) { 660 TEST_ASSERT(recv_ret > 0); 661 TEST_ASSERT(recv_ret <= BUFLEN); 662 read += recv_ret; 663 } else if (blocking) { 664 TEST_ASSERT(recv_ret == 0); 665 } else { 666 TEST_ASSERT(recv_ret == MBEDTLS_ERR_SSL_WANT_READ); 667 recv_ret = 0; 668 } 669 670 /* If the buffer is empty we can test blocking and non-blocking read */ 671 if (recv_ret == BUFLEN) { 672 int blocking_ret = recv(&server, received, 1); 673 if (blocking) { 674 TEST_ASSERT(blocking_ret == 0); 675 } else { 676 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ); 677 } 678 } 679 } 680 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 681 682 exit: 683 mbedtls_test_mock_socket_close(&client); 684 mbedtls_test_mock_socket_close(&server); 685 USE_PSA_DONE(); 686 } 687 /* END_CASE */ 688 689 /* 690 * Test if the implementation of `mbedtls_test_mock_socket` related functions 691 * can send messages in both direction at the same time (with the I/O calls 692 * interleaving). 693 */ 694 695 /* BEGIN_CASE */ 696 void ssl_mock_tcp_interleaving(int blocking) 697 { 698 enum { ROUNDS = 2 }; 699 enum { MSGLEN = 105 }; 700 enum { BUFLEN = MSGLEN / 5 }; 701 unsigned char message[ROUNDS][MSGLEN]; 702 unsigned char received[ROUNDS][MSGLEN]; 703 mbedtls_test_mock_socket client; 704 mbedtls_test_mock_socket server; 705 size_t written[ROUNDS]; 706 size_t read[ROUNDS]; 707 int send_ret[ROUNDS]; 708 int recv_ret[ROUNDS]; 709 unsigned i, j, progress; 710 mbedtls_ssl_send_t *send; 711 mbedtls_ssl_recv_t *recv; 712 713 if (blocking == 0) { 714 send = mbedtls_test_mock_tcp_send_nb; 715 recv = mbedtls_test_mock_tcp_recv_nb; 716 } else { 717 send = mbedtls_test_mock_tcp_send_b; 718 recv = mbedtls_test_mock_tcp_recv_b; 719 } 720 721 mbedtls_test_mock_socket_init(&client); 722 mbedtls_test_mock_socket_init(&server); 723 USE_PSA_INIT(); 724 725 /* Fill up the buffers with structured data so that unwanted changes 726 * can be detected */ 727 for (i = 0; i < ROUNDS; i++) { 728 for (j = 0; j < MSGLEN; j++) { 729 message[i][j] = (i * MSGLEN + j) & 0xFF; 730 } 731 } 732 733 /* Make sure that sending a message takes a few iterations. */ 734 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 735 BUFLEN)); 736 737 /* Send the message from both sides, interleaving. */ 738 progress = 1; 739 for (i = 0; i < ROUNDS; i++) { 740 written[i] = 0; 741 read[i] = 0; 742 } 743 /* This loop does not stop as long as there was a successful write or read 744 * of at least one byte on either side. */ 745 while (progress != 0) { 746 mbedtls_test_mock_socket *socket; 747 748 for (i = 0; i < ROUNDS; i++) { 749 /* First sending is from the client */ 750 socket = (i % 2 == 0) ? (&client) : (&server); 751 752 send_ret[i] = send(socket, message[i] + written[i], 753 MSGLEN - written[i]); 754 TEST_ASSERT(send_ret[i] >= 0); 755 TEST_ASSERT(send_ret[i] <= BUFLEN); 756 written[i] += send_ret[i]; 757 758 /* If the buffer is full we can test blocking and non-blocking 759 * send */ 760 if (send_ret[i] == BUFLEN) { 761 int blocking_ret = send(socket, message[i], 1); 762 if (blocking) { 763 TEST_ASSERT(blocking_ret == 0); 764 } else { 765 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE); 766 } 767 } 768 } 769 770 for (i = 0; i < ROUNDS; i++) { 771 /* First receiving is from the server */ 772 socket = (i % 2 == 0) ? (&server) : (&client); 773 774 recv_ret[i] = recv(socket, received[i] + read[i], 775 MSGLEN - read[i]); 776 777 /* The result depends on whether any data was sent */ 778 if (send_ret[i] > 0) { 779 TEST_ASSERT(recv_ret[i] > 0); 780 TEST_ASSERT(recv_ret[i] <= BUFLEN); 781 read[i] += recv_ret[i]; 782 } else if (blocking) { 783 TEST_ASSERT(recv_ret[i] == 0); 784 } else { 785 TEST_ASSERT(recv_ret[i] == MBEDTLS_ERR_SSL_WANT_READ); 786 recv_ret[i] = 0; 787 } 788 789 /* If the buffer is empty we can test blocking and non-blocking 790 * read */ 791 if (recv_ret[i] == BUFLEN) { 792 int blocking_ret = recv(socket, received[i], 1); 793 if (blocking) { 794 TEST_ASSERT(blocking_ret == 0); 795 } else { 796 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ); 797 } 798 } 799 } 800 801 progress = 0; 802 for (i = 0; i < ROUNDS; i++) { 803 progress += send_ret[i] + recv_ret[i]; 804 } 805 } 806 807 for (i = 0; i < ROUNDS; i++) { 808 TEST_ASSERT(memcmp(message[i], received[i], MSGLEN) == 0); 809 } 810 811 exit: 812 mbedtls_test_mock_socket_close(&client); 813 mbedtls_test_mock_socket_close(&server); 814 USE_PSA_DONE(); 815 } 816 /* END_CASE */ 817 818 /* BEGIN_CASE */ 819 void ssl_message_queue_sanity() 820 { 821 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 822 823 USE_PSA_INIT(); 824 /* Trying to push/pull to an empty queue */ 825 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(NULL, 1) 826 == MBEDTLS_TEST_ERROR_ARG_NULL); 827 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(NULL, 1) 828 == MBEDTLS_TEST_ERROR_ARG_NULL); 829 830 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 831 TEST_ASSERT(queue.capacity == 3); 832 TEST_ASSERT(queue.num == 0); 833 834 exit: 835 mbedtls_test_ssl_message_queue_free(&queue); 836 USE_PSA_DONE(); 837 } 838 /* END_CASE */ 839 840 /* BEGIN_CASE */ 841 void ssl_message_queue_basic() 842 { 843 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 844 845 USE_PSA_INIT(); 846 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 847 848 /* Sanity test - 3 pushes and 3 pops with sufficient space */ 849 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 850 TEST_ASSERT(queue.capacity == 3); 851 TEST_ASSERT(queue.num == 1); 852 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 853 TEST_ASSERT(queue.capacity == 3); 854 TEST_ASSERT(queue.num == 2); 855 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 856 TEST_ASSERT(queue.capacity == 3); 857 TEST_ASSERT(queue.num == 3); 858 859 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 860 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 861 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 862 863 exit: 864 mbedtls_test_ssl_message_queue_free(&queue); 865 USE_PSA_DONE(); 866 } 867 /* END_CASE */ 868 869 /* BEGIN_CASE */ 870 void ssl_message_queue_overflow_underflow() 871 { 872 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 873 874 USE_PSA_INIT(); 875 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 876 877 /* 4 pushes (last one with an error), 4 pops (last one with an error) */ 878 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 879 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 880 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 881 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) 882 == MBEDTLS_ERR_SSL_WANT_WRITE); 883 884 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 885 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 886 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 887 888 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) 889 == MBEDTLS_ERR_SSL_WANT_READ); 890 891 exit: 892 mbedtls_test_ssl_message_queue_free(&queue); 893 USE_PSA_DONE(); 894 } 895 /* END_CASE */ 896 897 /* BEGIN_CASE */ 898 void ssl_message_queue_interleaved() 899 { 900 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 901 902 USE_PSA_INIT(); 903 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 904 905 /* Interleaved test - [2 pushes, 1 pop] twice, and then two pops 906 * (to wrap around the buffer) */ 907 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 908 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 909 910 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 911 912 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 913 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) == 3); 914 915 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 916 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 917 918 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 5) == 5); 919 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 8) == 8); 920 921 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 3) == 3); 922 923 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 5) == 5); 924 925 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 8) == 8); 926 927 exit: 928 mbedtls_test_ssl_message_queue_free(&queue); 929 USE_PSA_DONE(); 930 } 931 /* END_CASE */ 932 933 /* BEGIN_CASE */ 934 void ssl_message_queue_insufficient_buffer() 935 { 936 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 937 size_t message_len = 10; 938 size_t buffer_len = 5; 939 940 USE_PSA_INIT(); 941 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 1) == 0); 942 943 /* Popping without a sufficient buffer */ 944 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, message_len) 945 == (int) message_len); 946 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, buffer_len) 947 == (int) buffer_len); 948 exit: 949 mbedtls_test_ssl_message_queue_free(&queue); 950 USE_PSA_DONE(); 951 } 952 /* END_CASE */ 953 954 /* BEGIN_CASE */ 955 void ssl_message_mock_uninitialized() 956 { 957 enum { MSGLEN = 10 }; 958 unsigned char message[MSGLEN] = { 0 }, received[MSGLEN]; 959 mbedtls_test_mock_socket client, server; 960 mbedtls_test_ssl_message_queue server_queue, client_queue; 961 mbedtls_test_message_socket_context server_context, client_context; 962 mbedtls_test_message_socket_init(&server_context); 963 mbedtls_test_message_socket_init(&client_context); 964 965 USE_PSA_INIT(); 966 /* Send with a NULL context */ 967 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(NULL, message, MSGLEN) 968 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR); 969 970 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(NULL, message, MSGLEN) 971 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR); 972 973 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 974 &client_queue, 1, 975 &server, 976 &server_context) == 0); 977 978 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 979 &server_queue, 1, 980 &client, 981 &client_context) == 0); 982 983 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 984 MSGLEN) 985 == MBEDTLS_TEST_ERROR_SEND_FAILED); 986 987 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 988 MSGLEN) 989 == MBEDTLS_ERR_SSL_WANT_READ); 990 991 /* Push directly to a queue to later simulate a disconnected behavior */ 992 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&server_queue, 993 MSGLEN) 994 == MSGLEN); 995 996 /* Test if there's an error when trying to read from a disconnected 997 * socket */ 998 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 999 MSGLEN) 1000 == MBEDTLS_TEST_ERROR_RECV_FAILED); 1001 exit: 1002 mbedtls_test_message_socket_close(&server_context); 1003 mbedtls_test_message_socket_close(&client_context); 1004 USE_PSA_DONE(); 1005 } 1006 /* END_CASE */ 1007 1008 /* BEGIN_CASE */ 1009 void ssl_message_mock_basic() 1010 { 1011 enum { MSGLEN = 10 }; 1012 unsigned char message[MSGLEN], received[MSGLEN]; 1013 mbedtls_test_mock_socket client, server; 1014 unsigned i; 1015 mbedtls_test_ssl_message_queue server_queue, client_queue; 1016 mbedtls_test_message_socket_context server_context, client_context; 1017 1018 mbedtls_test_message_socket_init(&server_context); 1019 mbedtls_test_message_socket_init(&client_context); 1020 USE_PSA_INIT(); 1021 1022 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1023 &client_queue, 1, 1024 &server, 1025 &server_context) == 0); 1026 1027 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1028 &server_queue, 1, 1029 &client, 1030 &client_context) == 0); 1031 1032 /* Fill up the buffer with structured data so that unwanted changes 1033 * can be detected */ 1034 for (i = 0; i < MSGLEN; i++) { 1035 message[i] = i & 0xFF; 1036 } 1037 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1038 MSGLEN)); 1039 1040 /* Send the message to the server */ 1041 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1042 MSGLEN) == MSGLEN); 1043 1044 /* Read from the server */ 1045 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1046 MSGLEN) 1047 == MSGLEN); 1048 1049 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1050 memset(received, 0, MSGLEN); 1051 1052 /* Send the message to the client */ 1053 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 1054 MSGLEN) 1055 == MSGLEN); 1056 1057 /* Read from the client */ 1058 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1059 MSGLEN) 1060 == MSGLEN); 1061 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1062 1063 exit: 1064 mbedtls_test_message_socket_close(&server_context); 1065 mbedtls_test_message_socket_close(&client_context); 1066 USE_PSA_DONE(); 1067 } 1068 /* END_CASE */ 1069 1070 /* BEGIN_CASE */ 1071 void ssl_message_mock_queue_overflow_underflow() 1072 { 1073 enum { MSGLEN = 10 }; 1074 unsigned char message[MSGLEN], received[MSGLEN]; 1075 mbedtls_test_mock_socket client, server; 1076 unsigned i; 1077 mbedtls_test_ssl_message_queue server_queue, client_queue; 1078 mbedtls_test_message_socket_context server_context, client_context; 1079 1080 mbedtls_test_message_socket_init(&server_context); 1081 mbedtls_test_message_socket_init(&client_context); 1082 USE_PSA_INIT(); 1083 1084 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1085 &client_queue, 2, 1086 &server, 1087 &server_context) == 0); 1088 1089 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1090 &server_queue, 2, 1091 &client, 1092 &client_context) == 0); 1093 1094 /* Fill up the buffer with structured data so that unwanted changes 1095 * can be detected */ 1096 for (i = 0; i < MSGLEN; i++) { 1097 message[i] = i & 0xFF; 1098 } 1099 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1100 MSGLEN*2)); 1101 1102 /* Send three message to the server, last one with an error */ 1103 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1104 MSGLEN - 1) 1105 == MSGLEN - 1); 1106 1107 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1108 MSGLEN) 1109 == MSGLEN); 1110 1111 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1112 MSGLEN) 1113 == MBEDTLS_ERR_SSL_WANT_WRITE); 1114 1115 /* Read three messages from the server, last one with an error */ 1116 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1117 MSGLEN - 1) 1118 == MSGLEN - 1); 1119 1120 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1121 MSGLEN) 1122 == MSGLEN); 1123 1124 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1125 1126 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1127 MSGLEN) 1128 == MBEDTLS_ERR_SSL_WANT_READ); 1129 1130 exit: 1131 mbedtls_test_message_socket_close(&server_context); 1132 mbedtls_test_message_socket_close(&client_context); 1133 USE_PSA_DONE(); 1134 } 1135 /* END_CASE */ 1136 1137 /* BEGIN_CASE */ 1138 void ssl_message_mock_socket_overflow() 1139 { 1140 enum { MSGLEN = 10 }; 1141 unsigned char message[MSGLEN], received[MSGLEN]; 1142 mbedtls_test_mock_socket client, server; 1143 unsigned i; 1144 mbedtls_test_ssl_message_queue server_queue, client_queue; 1145 mbedtls_test_message_socket_context server_context, client_context; 1146 1147 mbedtls_test_message_socket_init(&server_context); 1148 mbedtls_test_message_socket_init(&client_context); 1149 USE_PSA_INIT(); 1150 1151 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1152 &client_queue, 2, 1153 &server, 1154 &server_context) == 0); 1155 1156 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1157 &server_queue, 2, 1158 &client, 1159 &client_context) == 0); 1160 1161 /* Fill up the buffer with structured data so that unwanted changes 1162 * can be detected */ 1163 for (i = 0; i < MSGLEN; i++) { 1164 message[i] = i & 0xFF; 1165 } 1166 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1167 MSGLEN)); 1168 1169 /* Send two message to the server, second one with an error */ 1170 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1171 MSGLEN) 1172 == MSGLEN); 1173 1174 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1175 MSGLEN) 1176 == MBEDTLS_TEST_ERROR_SEND_FAILED); 1177 1178 /* Read the only message from the server */ 1179 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1180 MSGLEN) 1181 == MSGLEN); 1182 1183 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1184 1185 exit: 1186 mbedtls_test_message_socket_close(&server_context); 1187 mbedtls_test_message_socket_close(&client_context); 1188 USE_PSA_DONE(); 1189 } 1190 /* END_CASE */ 1191 1192 /* BEGIN_CASE */ 1193 void ssl_message_mock_truncated() 1194 { 1195 enum { MSGLEN = 10 }; 1196 unsigned char message[MSGLEN], received[MSGLEN]; 1197 mbedtls_test_mock_socket client, server; 1198 unsigned i; 1199 mbedtls_test_ssl_message_queue server_queue, client_queue; 1200 mbedtls_test_message_socket_context server_context, client_context; 1201 1202 mbedtls_test_message_socket_init(&server_context); 1203 mbedtls_test_message_socket_init(&client_context); 1204 USE_PSA_INIT(); 1205 1206 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1207 &client_queue, 2, 1208 &server, 1209 &server_context) == 0); 1210 1211 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1212 &server_queue, 2, 1213 &client, 1214 &client_context) == 0); 1215 1216 memset(received, 0, MSGLEN); 1217 /* Fill up the buffer with structured data so that unwanted changes 1218 * can be detected */ 1219 for (i = 0; i < MSGLEN; i++) { 1220 message[i] = i & 0xFF; 1221 } 1222 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1223 2 * MSGLEN)); 1224 1225 /* Send two messages to the server, the second one small enough to fit in the 1226 * receiver's buffer. */ 1227 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1228 MSGLEN) 1229 == MSGLEN); 1230 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1231 MSGLEN / 2) 1232 == MSGLEN / 2); 1233 /* Read a truncated message from the server */ 1234 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1235 MSGLEN/2) 1236 == MSGLEN/2); 1237 1238 /* Test that the first half of the message is valid, and second one isn't */ 1239 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0); 1240 TEST_ASSERT(memcmp(message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2) 1241 != 0); 1242 memset(received, 0, MSGLEN); 1243 1244 /* Read a full message from the server */ 1245 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1246 MSGLEN/2) 1247 == MSGLEN / 2); 1248 1249 /* Test that the first half of the message is valid */ 1250 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0); 1251 1252 exit: 1253 mbedtls_test_message_socket_close(&server_context); 1254 mbedtls_test_message_socket_close(&client_context); 1255 USE_PSA_DONE(); 1256 } 1257 /* END_CASE */ 1258 1259 /* BEGIN_CASE */ 1260 void ssl_message_mock_socket_read_error() 1261 { 1262 enum { MSGLEN = 10 }; 1263 unsigned char message[MSGLEN], received[MSGLEN]; 1264 mbedtls_test_mock_socket client, server; 1265 unsigned i; 1266 mbedtls_test_ssl_message_queue server_queue, client_queue; 1267 mbedtls_test_message_socket_context server_context, client_context; 1268 1269 mbedtls_test_message_socket_init(&server_context); 1270 mbedtls_test_message_socket_init(&client_context); 1271 USE_PSA_INIT(); 1272 1273 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1274 &client_queue, 1, 1275 &server, 1276 &server_context) == 0); 1277 1278 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1279 &server_queue, 1, 1280 &client, 1281 &client_context) == 0); 1282 1283 /* Fill up the buffer with structured data so that unwanted changes 1284 * can be detected */ 1285 for (i = 0; i < MSGLEN; i++) { 1286 message[i] = i & 0xFF; 1287 } 1288 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1289 MSGLEN)); 1290 1291 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1292 MSGLEN) 1293 == MSGLEN); 1294 1295 /* Force a read error by disconnecting the socket by hand */ 1296 server.status = 0; 1297 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1298 MSGLEN) 1299 == MBEDTLS_TEST_ERROR_RECV_FAILED); 1300 /* Return to a valid state */ 1301 server.status = MBEDTLS_MOCK_SOCKET_CONNECTED; 1302 1303 memset(received, 0, sizeof(received)); 1304 1305 /* Test that even though the server tried to read once disconnected, the 1306 * continuity is preserved */ 1307 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1308 MSGLEN) 1309 == MSGLEN); 1310 1311 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1312 1313 exit: 1314 mbedtls_test_message_socket_close(&server_context); 1315 mbedtls_test_message_socket_close(&client_context); 1316 USE_PSA_DONE(); 1317 } 1318 /* END_CASE */ 1319 1320 /* BEGIN_CASE */ 1321 void ssl_message_mock_interleaved_one_way() 1322 { 1323 enum { MSGLEN = 10 }; 1324 unsigned char message[MSGLEN], received[MSGLEN]; 1325 mbedtls_test_mock_socket client, server; 1326 unsigned i; 1327 mbedtls_test_ssl_message_queue server_queue, client_queue; 1328 mbedtls_test_message_socket_context server_context, client_context; 1329 1330 mbedtls_test_message_socket_init(&server_context); 1331 mbedtls_test_message_socket_init(&client_context); 1332 USE_PSA_INIT(); 1333 1334 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1335 &client_queue, 3, 1336 &server, 1337 &server_context) == 0); 1338 1339 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1340 &server_queue, 3, 1341 &client, 1342 &client_context) == 0); 1343 1344 /* Fill up the buffer with structured data so that unwanted changes 1345 * can be detected */ 1346 for (i = 0; i < MSGLEN; i++) { 1347 message[i] = i & 0xFF; 1348 } 1349 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1350 MSGLEN*3)); 1351 1352 /* Interleaved test - [2 sends, 1 read] twice, and then two reads 1353 * (to wrap around the buffer) */ 1354 for (i = 0; i < 2; i++) { 1355 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1356 MSGLEN) == MSGLEN); 1357 1358 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1359 MSGLEN) == MSGLEN); 1360 1361 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1362 MSGLEN) == MSGLEN); 1363 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1364 memset(received, 0, sizeof(received)); 1365 } 1366 1367 for (i = 0; i < 2; i++) { 1368 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1369 MSGLEN) == MSGLEN); 1370 1371 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1372 } 1373 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1374 MSGLEN) 1375 == MBEDTLS_ERR_SSL_WANT_READ); 1376 exit: 1377 mbedtls_test_message_socket_close(&server_context); 1378 mbedtls_test_message_socket_close(&client_context); 1379 USE_PSA_DONE(); 1380 } 1381 /* END_CASE */ 1382 1383 /* BEGIN_CASE */ 1384 void ssl_message_mock_interleaved_two_ways() 1385 { 1386 enum { MSGLEN = 10 }; 1387 unsigned char message[MSGLEN], received[MSGLEN]; 1388 mbedtls_test_mock_socket client, server; 1389 unsigned i; 1390 mbedtls_test_ssl_message_queue server_queue, client_queue; 1391 mbedtls_test_message_socket_context server_context, client_context; 1392 1393 mbedtls_test_message_socket_init(&server_context); 1394 mbedtls_test_message_socket_init(&client_context); 1395 USE_PSA_INIT(); 1396 1397 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1398 &client_queue, 3, 1399 &server, 1400 &server_context) == 0); 1401 1402 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1403 &server_queue, 3, 1404 &client, 1405 &client_context) == 0); 1406 1407 /* Fill up the buffer with structured data so that unwanted changes 1408 * can be detected */ 1409 for (i = 0; i < MSGLEN; i++) { 1410 message[i] = i & 0xFF; 1411 } 1412 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1413 MSGLEN*3)); 1414 1415 /* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads 1416 * (to wrap around the buffer) both ways. */ 1417 for (i = 0; i < 2; i++) { 1418 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1419 MSGLEN) == MSGLEN); 1420 1421 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1422 MSGLEN) == MSGLEN); 1423 1424 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 1425 MSGLEN) == MSGLEN); 1426 1427 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 1428 MSGLEN) == MSGLEN); 1429 1430 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1431 MSGLEN) == MSGLEN); 1432 1433 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1434 1435 memset(received, 0, sizeof(received)); 1436 1437 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1438 MSGLEN) == MSGLEN); 1439 1440 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1441 1442 memset(received, 0, sizeof(received)); 1443 } 1444 1445 for (i = 0; i < 2; i++) { 1446 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1447 MSGLEN) == MSGLEN); 1448 1449 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1450 memset(received, 0, sizeof(received)); 1451 1452 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1453 MSGLEN) == MSGLEN); 1454 1455 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1456 memset(received, 0, sizeof(received)); 1457 } 1458 1459 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1460 MSGLEN) 1461 == MBEDTLS_ERR_SSL_WANT_READ); 1462 1463 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1464 MSGLEN) 1465 == MBEDTLS_ERR_SSL_WANT_READ); 1466 exit: 1467 mbedtls_test_message_socket_close(&server_context); 1468 mbedtls_test_message_socket_close(&client_context); 1469 USE_PSA_DONE(); 1470 } 1471 /* END_CASE */ 1472 1473 /* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 1474 void ssl_dtls_replay(data_t *prevs, data_t *new, int ret) 1475 { 1476 uint32_t len = 0; 1477 mbedtls_ssl_context ssl; 1478 mbedtls_ssl_config conf; 1479 1480 mbedtls_ssl_init(&ssl); 1481 mbedtls_ssl_config_init(&conf); 1482 MD_OR_USE_PSA_INIT(); 1483 1484 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 1485 MBEDTLS_SSL_IS_CLIENT, 1486 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 1487 MBEDTLS_SSL_PRESET_DEFAULT) == 0); 1488 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 1489 1490 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 1491 1492 /* Read previous record numbers */ 1493 for (len = 0; len < prevs->len; len += 6) { 1494 memcpy(ssl.in_ctr + 2, prevs->x + len, 6); 1495 mbedtls_ssl_dtls_replay_update(&ssl); 1496 } 1497 1498 /* Check new number */ 1499 memcpy(ssl.in_ctr + 2, new->x, 6); 1500 TEST_ASSERT(mbedtls_ssl_dtls_replay_check(&ssl) == ret); 1501 1502 exit: 1503 mbedtls_ssl_free(&ssl); 1504 mbedtls_ssl_config_free(&conf); 1505 MD_OR_USE_PSA_DONE(); 1506 } 1507 /* END_CASE */ 1508 1509 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1510 void ssl_set_hostname_twice(char *input_hostname0, char *input_hostname1) 1511 { 1512 const char *output_hostname; 1513 mbedtls_ssl_context ssl; 1514 1515 mbedtls_ssl_init(&ssl); 1516 USE_PSA_INIT(); 1517 1518 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname0) == 0); 1519 output_hostname = mbedtls_ssl_get_hostname(&ssl); 1520 TEST_ASSERT(strcmp(input_hostname0, output_hostname) == 0); 1521 1522 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname1) == 0); 1523 output_hostname = mbedtls_ssl_get_hostname(&ssl); 1524 TEST_ASSERT(strcmp(input_hostname1, output_hostname) == 0); 1525 1526 exit: 1527 mbedtls_ssl_free(&ssl); 1528 USE_PSA_DONE(); 1529 } 1530 /* END_CASE */ 1531 1532 /* BEGIN_CASE */ 1533 void ssl_crypt_record(int cipher_type, int hash_id, 1534 int etm, int tag_mode, int ver, 1535 int cid0_len, int cid1_len) 1536 { 1537 /* 1538 * Test several record encryptions and decryptions 1539 * with plenty of space before and after the data 1540 * within the record buffer. 1541 */ 1542 1543 int ret; 1544 int num_records = 16; 1545 mbedtls_ssl_context ssl; /* ONLY for debugging */ 1546 1547 mbedtls_ssl_transform t0, t1; 1548 unsigned char *buf = NULL; 1549 size_t const buflen = 512; 1550 mbedtls_record rec, rec_backup; 1551 1552 mbedtls_ssl_init(&ssl); 1553 mbedtls_ssl_transform_init(&t0); 1554 mbedtls_ssl_transform_init(&t1); 1555 MD_OR_USE_PSA_INIT(); 1556 1557 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, 1558 etm, tag_mode, ver, 1559 (size_t) cid0_len, 1560 (size_t) cid1_len); 1561 1562 TEST_ASSERT(ret == 0); 1563 1564 TEST_CALLOC(buf, buflen); 1565 1566 while (num_records-- > 0) { 1567 mbedtls_ssl_transform *t_dec, *t_enc; 1568 /* Take turns in who's sending and who's receiving. */ 1569 if (num_records % 3 == 0) { 1570 t_dec = &t0; 1571 t_enc = &t1; 1572 } else { 1573 t_dec = &t1; 1574 t_enc = &t0; 1575 } 1576 1577 /* 1578 * The record header affects the transformation in two ways: 1579 * 1) It determines the AEAD additional data 1580 * 2) The record counter sometimes determines the IV. 1581 * 1582 * Apart from that, the fields don't have influence. 1583 * In particular, it is currently not the responsibility 1584 * of ssl_encrypt/decrypt_buf to check if the transform 1585 * version matches the record version, or that the 1586 * type is sensible. 1587 */ 1588 1589 memset(rec.ctr, num_records, sizeof(rec.ctr)); 1590 rec.type = 42; 1591 rec.ver[0] = num_records; 1592 rec.ver[1] = num_records; 1593 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1594 rec.cid_len = 0; 1595 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1596 1597 rec.buf = buf; 1598 rec.buf_len = buflen; 1599 rec.data_offset = 16; 1600 /* Make sure to vary the length to exercise different 1601 * paddings. */ 1602 rec.data_len = 1 + num_records; 1603 1604 memset(rec.buf + rec.data_offset, 42, rec.data_len); 1605 1606 /* Make a copy for later comparison */ 1607 rec_backup = rec; 1608 1609 /* Encrypt record */ 1610 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, 1611 mbedtls_test_rnd_std_rand, NULL); 1612 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 1613 if (ret != 0) { 1614 continue; 1615 } 1616 1617 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1618 if (rec.cid_len != 0) { 1619 /* DTLS 1.2 + CID hides the real content type and 1620 * uses a special CID content type in the protected 1621 * record. Double-check this. */ 1622 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID); 1623 } 1624 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1625 1626 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1627 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1628 /* TLS 1.3 hides the real content type and 1629 * always uses Application Data as the content type 1630 * for protected records. Double-check this. */ 1631 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA); 1632 } 1633 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1634 1635 /* Decrypt record with t_dec */ 1636 ret = mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec); 1637 TEST_ASSERT(ret == 0); 1638 1639 /* Compare results */ 1640 TEST_ASSERT(rec.type == rec_backup.type); 1641 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0); 1642 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]); 1643 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]); 1644 TEST_ASSERT(rec.data_len == rec_backup.data_len); 1645 TEST_ASSERT(rec.data_offset == rec_backup.data_offset); 1646 TEST_ASSERT(memcmp(rec.buf + rec.data_offset, 1647 rec_backup.buf + rec_backup.data_offset, 1648 rec.data_len) == 0); 1649 } 1650 1651 exit: 1652 1653 /* Cleanup */ 1654 mbedtls_ssl_free(&ssl); 1655 mbedtls_ssl_transform_free(&t0); 1656 mbedtls_ssl_transform_free(&t1); 1657 1658 mbedtls_free(buf); 1659 MD_OR_USE_PSA_DONE(); 1660 } 1661 /* END_CASE */ 1662 1663 /* BEGIN_CASE */ 1664 void ssl_crypt_record_small(int cipher_type, int hash_id, 1665 int etm, int tag_mode, int ver, 1666 int cid0_len, int cid1_len) 1667 { 1668 /* 1669 * Test pairs of encryption and decryption with an increasing 1670 * amount of space in the record buffer - in more detail: 1671 * 1) Try to encrypt with 0, 1, 2, ... bytes available 1672 * in front of the plaintext, and expect the encryption 1673 * to succeed starting from some offset. Always keep 1674 * enough space in the end of the buffer. 1675 * 2) Try to encrypt with 0, 1, 2, ... bytes available 1676 * at the end of the plaintext, and expect the encryption 1677 * to succeed starting from some offset. Always keep 1678 * enough space at the beginning of the buffer. 1679 * 3) Try to encrypt with 0, 1, 2, ... bytes available 1680 * both at the front and end of the plaintext, 1681 * and expect the encryption to succeed starting from 1682 * some offset. 1683 * 1684 * If encryption succeeds, check that decryption succeeds 1685 * and yields the original record. 1686 */ 1687 1688 mbedtls_ssl_context ssl; /* ONLY for debugging */ 1689 1690 mbedtls_ssl_transform t0, t1; 1691 unsigned char *buf = NULL; 1692 size_t const buflen = 256; 1693 mbedtls_record rec, rec_backup; 1694 1695 int ret; 1696 int mode; /* Mode 1, 2 or 3 as explained above */ 1697 size_t offset; /* Available space at beginning/end/both */ 1698 size_t threshold = 96; /* Maximum offset to test against */ 1699 1700 size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */ 1701 size_t default_post_padding = 128; /* Post-padding to use in mode 1 */ 1702 1703 int seen_success; /* Indicates if in the current mode we've 1704 * already seen a successful test. */ 1705 1706 mbedtls_ssl_init(&ssl); 1707 mbedtls_ssl_transform_init(&t0); 1708 mbedtls_ssl_transform_init(&t1); 1709 MD_OR_USE_PSA_INIT(); 1710 1711 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, 1712 etm, tag_mode, ver, 1713 (size_t) cid0_len, 1714 (size_t) cid1_len); 1715 1716 TEST_ASSERT(ret == 0); 1717 1718 TEST_CALLOC(buf, buflen); 1719 1720 for (mode = 1; mode <= 3; mode++) { 1721 seen_success = 0; 1722 for (offset = 0; offset <= threshold; offset++) { 1723 mbedtls_ssl_transform *t_dec, *t_enc; 1724 t_dec = &t0; 1725 t_enc = &t1; 1726 1727 memset(rec.ctr, offset, sizeof(rec.ctr)); 1728 rec.type = 42; 1729 rec.ver[0] = offset; 1730 rec.ver[1] = offset; 1731 rec.buf = buf; 1732 rec.buf_len = buflen; 1733 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1734 rec.cid_len = 0; 1735 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1736 1737 switch (mode) { 1738 case 1: /* Space in the beginning */ 1739 rec.data_offset = offset; 1740 rec.data_len = buflen - offset - default_post_padding; 1741 break; 1742 1743 case 2: /* Space in the end */ 1744 rec.data_offset = default_pre_padding; 1745 rec.data_len = buflen - default_pre_padding - offset; 1746 break; 1747 1748 case 3: /* Space in the beginning and end */ 1749 rec.data_offset = offset; 1750 rec.data_len = buflen - 2 * offset; 1751 break; 1752 1753 default: 1754 TEST_ASSERT(0); 1755 break; 1756 } 1757 1758 memset(rec.buf + rec.data_offset, 42, rec.data_len); 1759 1760 /* Make a copy for later comparison */ 1761 rec_backup = rec; 1762 1763 /* Encrypt record */ 1764 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, 1765 mbedtls_test_rnd_std_rand, NULL); 1766 1767 if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 1768 /* It's ok if the output buffer is too small. We do insist 1769 * on at least one mode succeeding; this is tracked by 1770 * seen_success. */ 1771 continue; 1772 } 1773 1774 TEST_EQUAL(ret, 0); 1775 seen_success = 1; 1776 1777 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1778 if (rec.cid_len != 0) { 1779 /* DTLS 1.2 + CID hides the real content type and 1780 * uses a special CID content type in the protected 1781 * record. Double-check this. */ 1782 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID); 1783 } 1784 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1785 1786 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1787 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1788 /* TLS 1.3 hides the real content type and 1789 * always uses Application Data as the content type 1790 * for protected records. Double-check this. */ 1791 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA); 1792 } 1793 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1794 1795 /* Decrypt record with t_dec */ 1796 TEST_ASSERT(mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec) == 0); 1797 1798 /* Compare results */ 1799 TEST_ASSERT(rec.type == rec_backup.type); 1800 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0); 1801 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]); 1802 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]); 1803 TEST_ASSERT(rec.data_len == rec_backup.data_len); 1804 TEST_ASSERT(rec.data_offset == rec_backup.data_offset); 1805 TEST_ASSERT(memcmp(rec.buf + rec.data_offset, 1806 rec_backup.buf + rec_backup.data_offset, 1807 rec.data_len) == 0); 1808 } 1809 1810 TEST_ASSERT(seen_success == 1); 1811 } 1812 1813 exit: 1814 1815 /* Cleanup */ 1816 mbedtls_ssl_free(&ssl); 1817 mbedtls_ssl_transform_free(&t0); 1818 mbedtls_ssl_transform_free(&t1); 1819 1820 mbedtls_free(buf); 1821 MD_OR_USE_PSA_DONE(); 1822 } 1823 /* END_CASE */ 1824 1825 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1826 void ssl_tls13_hkdf_expand_label(int hash_alg, 1827 data_t *secret, 1828 int label_idx, 1829 data_t *ctx, 1830 int desired_length, 1831 data_t *expected) 1832 { 1833 unsigned char dst[100]; 1834 1835 unsigned char const *lbl = NULL; 1836 size_t lbl_len; 1837 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ 1838 if (label_idx == (int) tls13_label_ ## name) \ 1839 { \ 1840 lbl = mbedtls_ssl_tls13_labels.name; \ 1841 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ 1842 } 1843 MBEDTLS_SSL_TLS1_3_LABEL_LIST 1844 #undef MBEDTLS_SSL_TLS1_3_LABEL 1845 TEST_ASSERT(lbl != NULL); 1846 1847 /* Check sanity of test parameters. */ 1848 TEST_ASSERT((size_t) desired_length <= sizeof(dst)); 1849 TEST_ASSERT((size_t) desired_length == expected->len); 1850 1851 PSA_INIT(); 1852 1853 TEST_ASSERT(mbedtls_ssl_tls13_hkdf_expand_label( 1854 (psa_algorithm_t) hash_alg, 1855 secret->x, secret->len, 1856 lbl, lbl_len, 1857 ctx->x, ctx->len, 1858 dst, desired_length) == 0); 1859 1860 TEST_MEMORY_COMPARE(dst, (size_t) desired_length, 1861 expected->x, (size_t) expected->len); 1862 1863 exit: 1864 PSA_DONE(); 1865 } 1866 /* END_CASE */ 1867 1868 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1869 void ssl_tls13_traffic_key_generation(int hash_alg, 1870 data_t *server_secret, 1871 data_t *client_secret, 1872 int desired_iv_len, 1873 int desired_key_len, 1874 data_t *expected_server_write_key, 1875 data_t *expected_server_write_iv, 1876 data_t *expected_client_write_key, 1877 data_t *expected_client_write_iv) 1878 { 1879 mbedtls_ssl_key_set keys; 1880 1881 /* Check sanity of test parameters. */ 1882 TEST_ASSERT(client_secret->len == server_secret->len); 1883 TEST_ASSERT( 1884 expected_client_write_iv->len == expected_server_write_iv->len && 1885 expected_client_write_iv->len == (size_t) desired_iv_len); 1886 TEST_ASSERT( 1887 expected_client_write_key->len == expected_server_write_key->len && 1888 expected_client_write_key->len == (size_t) desired_key_len); 1889 1890 PSA_INIT(); 1891 1892 TEST_ASSERT(mbedtls_ssl_tls13_make_traffic_keys( 1893 (psa_algorithm_t) hash_alg, 1894 client_secret->x, 1895 server_secret->x, 1896 client_secret->len /* == server_secret->len */, 1897 desired_key_len, desired_iv_len, 1898 &keys) == 0); 1899 1900 TEST_MEMORY_COMPARE(keys.client_write_key, 1901 keys.key_len, 1902 expected_client_write_key->x, 1903 (size_t) desired_key_len); 1904 TEST_MEMORY_COMPARE(keys.server_write_key, 1905 keys.key_len, 1906 expected_server_write_key->x, 1907 (size_t) desired_key_len); 1908 TEST_MEMORY_COMPARE(keys.client_write_iv, 1909 keys.iv_len, 1910 expected_client_write_iv->x, 1911 (size_t) desired_iv_len); 1912 TEST_MEMORY_COMPARE(keys.server_write_iv, 1913 keys.iv_len, 1914 expected_server_write_iv->x, 1915 (size_t) desired_iv_len); 1916 1917 exit: 1918 PSA_DONE(); 1919 } 1920 /* END_CASE */ 1921 1922 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1923 void ssl_tls13_derive_secret(int hash_alg, 1924 data_t *secret, 1925 int label_idx, 1926 data_t *ctx, 1927 int desired_length, 1928 int already_hashed, 1929 data_t *expected) 1930 { 1931 unsigned char dst[100]; 1932 1933 unsigned char const *lbl = NULL; 1934 size_t lbl_len; 1935 #define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ 1936 if (label_idx == (int) tls13_label_ ## name) \ 1937 { \ 1938 lbl = mbedtls_ssl_tls13_labels.name; \ 1939 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ 1940 } 1941 MBEDTLS_SSL_TLS1_3_LABEL_LIST 1942 #undef MBEDTLS_SSL_TLS1_3_LABEL 1943 TEST_ASSERT(lbl != NULL); 1944 1945 /* Check sanity of test parameters. */ 1946 TEST_ASSERT((size_t) desired_length <= sizeof(dst)); 1947 TEST_ASSERT((size_t) desired_length == expected->len); 1948 1949 PSA_INIT(); 1950 1951 TEST_ASSERT(mbedtls_ssl_tls13_derive_secret( 1952 (psa_algorithm_t) hash_alg, 1953 secret->x, secret->len, 1954 lbl, lbl_len, 1955 ctx->x, ctx->len, 1956 already_hashed, 1957 dst, desired_length) == 0); 1958 1959 TEST_MEMORY_COMPARE(dst, desired_length, 1960 expected->x, desired_length); 1961 1962 exit: 1963 PSA_DONE(); 1964 } 1965 /* END_CASE */ 1966 1967 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ 1968 void ssl_tls13_exporter(int hash_alg, 1969 data_t *secret, 1970 char *label, 1971 char *context_value, 1972 int desired_length, 1973 data_t *expected) 1974 { 1975 unsigned char dst[100]; 1976 1977 /* Check sanity of test parameters. */ 1978 TEST_ASSERT((size_t) desired_length <= sizeof(dst)); 1979 TEST_ASSERT((size_t) desired_length == expected->len); 1980 1981 PSA_INIT(); 1982 1983 TEST_ASSERT(mbedtls_ssl_tls13_exporter( 1984 (psa_algorithm_t) hash_alg, 1985 secret->x, secret->len, 1986 (unsigned char *) label, strlen(label), 1987 (unsigned char *) context_value, strlen(context_value), 1988 dst, desired_length) == 0); 1989 1990 TEST_MEMORY_COMPARE(dst, desired_length, 1991 expected->x, desired_length); 1992 1993 exit: 1994 PSA_DONE(); 1995 } 1996 /* END_CASE */ 1997 1998 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1999 void ssl_tls13_derive_early_secrets(int hash_alg, 2000 data_t *secret, 2001 data_t *transcript, 2002 data_t *traffic_expected, 2003 data_t *exporter_expected) 2004 { 2005 mbedtls_ssl_tls13_early_secrets secrets; 2006 2007 /* Double-check that we've passed sane parameters. */ 2008 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 2009 size_t const hash_len = PSA_HASH_LENGTH(alg); 2010 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 2011 secret->len == hash_len && 2012 transcript->len == hash_len && 2013 traffic_expected->len == hash_len && 2014 exporter_expected->len == hash_len); 2015 2016 PSA_INIT(); 2017 2018 TEST_ASSERT(mbedtls_ssl_tls13_derive_early_secrets( 2019 alg, secret->x, transcript->x, transcript->len, 2020 &secrets) == 0); 2021 2022 TEST_MEMORY_COMPARE(secrets.client_early_traffic_secret, hash_len, 2023 traffic_expected->x, traffic_expected->len); 2024 TEST_MEMORY_COMPARE(secrets.early_exporter_master_secret, hash_len, 2025 exporter_expected->x, exporter_expected->len); 2026 2027 exit: 2028 PSA_DONE(); 2029 } 2030 /* END_CASE */ 2031 2032 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2033 void ssl_tls13_derive_handshake_secrets(int hash_alg, 2034 data_t *secret, 2035 data_t *transcript, 2036 data_t *client_expected, 2037 data_t *server_expected) 2038 { 2039 mbedtls_ssl_tls13_handshake_secrets secrets; 2040 2041 /* Double-check that we've passed sane parameters. */ 2042 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 2043 size_t const hash_len = PSA_HASH_LENGTH(alg); 2044 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 2045 secret->len == hash_len && 2046 transcript->len == hash_len && 2047 client_expected->len == hash_len && 2048 server_expected->len == hash_len); 2049 2050 PSA_INIT(); 2051 2052 TEST_ASSERT(mbedtls_ssl_tls13_derive_handshake_secrets( 2053 alg, secret->x, transcript->x, transcript->len, 2054 &secrets) == 0); 2055 2056 TEST_MEMORY_COMPARE(secrets.client_handshake_traffic_secret, hash_len, 2057 client_expected->x, client_expected->len); 2058 TEST_MEMORY_COMPARE(secrets.server_handshake_traffic_secret, hash_len, 2059 server_expected->x, server_expected->len); 2060 2061 exit: 2062 PSA_DONE(); 2063 } 2064 /* END_CASE */ 2065 2066 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2067 void ssl_tls13_derive_application_secrets(int hash_alg, 2068 data_t *secret, 2069 data_t *transcript, 2070 data_t *client_expected, 2071 data_t *server_expected, 2072 data_t *exporter_expected) 2073 { 2074 mbedtls_ssl_tls13_application_secrets secrets; 2075 2076 /* Double-check that we've passed sane parameters. */ 2077 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 2078 size_t const hash_len = PSA_HASH_LENGTH(alg); 2079 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 2080 secret->len == hash_len && 2081 transcript->len == hash_len && 2082 client_expected->len == hash_len && 2083 server_expected->len == hash_len && 2084 exporter_expected->len == hash_len); 2085 2086 PSA_INIT(); 2087 2088 TEST_ASSERT(mbedtls_ssl_tls13_derive_application_secrets( 2089 alg, secret->x, transcript->x, transcript->len, 2090 &secrets) == 0); 2091 2092 TEST_MEMORY_COMPARE(secrets.client_application_traffic_secret_N, hash_len, 2093 client_expected->x, client_expected->len); 2094 TEST_MEMORY_COMPARE(secrets.server_application_traffic_secret_N, hash_len, 2095 server_expected->x, server_expected->len); 2096 TEST_MEMORY_COMPARE(secrets.exporter_master_secret, hash_len, 2097 exporter_expected->x, exporter_expected->len); 2098 2099 exit: 2100 PSA_DONE(); 2101 } 2102 /* END_CASE */ 2103 2104 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2105 void ssl_tls13_derive_resumption_secrets(int hash_alg, 2106 data_t *secret, 2107 data_t *transcript, 2108 data_t *resumption_expected) 2109 { 2110 mbedtls_ssl_tls13_application_secrets secrets; 2111 2112 /* Double-check that we've passed sane parameters. */ 2113 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 2114 size_t const hash_len = PSA_HASH_LENGTH(alg); 2115 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 2116 secret->len == hash_len && 2117 transcript->len == hash_len && 2118 resumption_expected->len == hash_len); 2119 2120 PSA_INIT(); 2121 2122 TEST_ASSERT(mbedtls_ssl_tls13_derive_resumption_master_secret( 2123 alg, secret->x, transcript->x, transcript->len, 2124 &secrets) == 0); 2125 2126 TEST_MEMORY_COMPARE(secrets.resumption_master_secret, hash_len, 2127 resumption_expected->x, resumption_expected->len); 2128 2129 exit: 2130 PSA_DONE(); 2131 } 2132 /* END_CASE */ 2133 2134 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2135 void ssl_tls13_create_psk_binder(int hash_alg, 2136 data_t *psk, 2137 int psk_type, 2138 data_t *transcript, 2139 data_t *binder_expected) 2140 { 2141 unsigned char binder[MBEDTLS_MD_MAX_SIZE]; 2142 2143 /* Double-check that we've passed sane parameters. */ 2144 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 2145 size_t const hash_len = PSA_HASH_LENGTH(alg); 2146 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 2147 transcript->len == hash_len && 2148 binder_expected->len == hash_len); 2149 2150 PSA_INIT(); 2151 2152 TEST_ASSERT(mbedtls_ssl_tls13_create_psk_binder( 2153 NULL, /* SSL context for debugging only */ 2154 alg, 2155 psk->x, psk->len, 2156 psk_type, 2157 transcript->x, 2158 binder) == 0); 2159 2160 TEST_MEMORY_COMPARE(binder, hash_len, 2161 binder_expected->x, binder_expected->len); 2162 2163 exit: 2164 PSA_DONE(); 2165 } 2166 /* END_CASE */ 2167 2168 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2169 void ssl_tls13_record_protection(int ciphersuite, 2170 int endpoint, 2171 int ctr, 2172 int padding_used, 2173 data_t *server_write_key, 2174 data_t *server_write_iv, 2175 data_t *client_write_key, 2176 data_t *client_write_iv, 2177 data_t *plaintext, 2178 data_t *ciphertext) 2179 { 2180 mbedtls_ssl_key_set keys; 2181 mbedtls_ssl_transform transform_send; 2182 mbedtls_ssl_transform_init(&transform_send); 2183 mbedtls_ssl_transform transform_recv; 2184 mbedtls_ssl_transform_init(&transform_recv); 2185 mbedtls_record rec; 2186 unsigned char *buf = NULL; 2187 size_t buf_len; 2188 int other_endpoint; 2189 2190 TEST_ASSERT(endpoint == MBEDTLS_SSL_IS_CLIENT || 2191 endpoint == MBEDTLS_SSL_IS_SERVER); 2192 2193 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 2194 other_endpoint = MBEDTLS_SSL_IS_CLIENT; 2195 } 2196 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 2197 other_endpoint = MBEDTLS_SSL_IS_SERVER; 2198 } 2199 2200 TEST_ASSERT(server_write_key->len == client_write_key->len); 2201 TEST_ASSERT(server_write_iv->len == client_write_iv->len); 2202 2203 memcpy(keys.client_write_key, 2204 client_write_key->x, client_write_key->len); 2205 memcpy(keys.client_write_iv, 2206 client_write_iv->x, client_write_iv->len); 2207 memcpy(keys.server_write_key, 2208 server_write_key->x, server_write_key->len); 2209 memcpy(keys.server_write_iv, 2210 server_write_iv->x, server_write_iv->len); 2211 2212 keys.key_len = server_write_key->len; 2213 keys.iv_len = server_write_iv->len; 2214 2215 MD_OR_USE_PSA_INIT(); 2216 2217 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform( 2218 &transform_send, endpoint, 2219 ciphersuite, &keys, NULL) == 0); 2220 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform( 2221 &transform_recv, other_endpoint, 2222 ciphersuite, &keys, NULL) == 0); 2223 2224 /* Make sure we have enough space in the buffer even if 2225 * we use more padding than the KAT. */ 2226 buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; 2227 TEST_CALLOC(buf, buf_len); 2228 rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; 2229 2230 /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */ 2231 mbedtls_ssl_write_version(rec.ver, 2232 MBEDTLS_SSL_TRANSPORT_STREAM, 2233 MBEDTLS_SSL_VERSION_TLS1_2); 2234 2235 /* Copy plaintext into record structure */ 2236 rec.buf = buf; 2237 rec.buf_len = buf_len; 2238 rec.data_offset = 0; 2239 TEST_ASSERT(plaintext->len <= ciphertext->len); 2240 memcpy(rec.buf + rec.data_offset, plaintext->x, plaintext->len); 2241 rec.data_len = plaintext->len; 2242 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 2243 rec.cid_len = 0; 2244 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 2245 2246 memset(&rec.ctr[0], 0, 8); 2247 rec.ctr[7] = ctr; 2248 2249 TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec, 2250 NULL, NULL) == 0); 2251 2252 if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) { 2253 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len, 2254 ciphertext->x, ciphertext->len); 2255 } 2256 2257 TEST_ASSERT(mbedtls_ssl_decrypt_buf(NULL, &transform_recv, &rec) == 0); 2258 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len, 2259 plaintext->x, plaintext->len); 2260 2261 exit: 2262 mbedtls_free(buf); 2263 mbedtls_ssl_transform_free(&transform_send); 2264 mbedtls_ssl_transform_free(&transform_recv); 2265 MD_OR_USE_PSA_DONE(); 2266 } 2267 /* END_CASE */ 2268 2269 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 2270 void ssl_tls13_key_evolution(int hash_alg, 2271 data_t *secret, 2272 data_t *input, 2273 data_t *expected) 2274 { 2275 unsigned char secret_new[MBEDTLS_MD_MAX_SIZE]; 2276 2277 PSA_INIT(); 2278 2279 TEST_ASSERT(mbedtls_ssl_tls13_evolve_secret( 2280 (psa_algorithm_t) hash_alg, 2281 secret->len ? secret->x : NULL, 2282 input->len ? input->x : NULL, input->len, 2283 secret_new) == 0); 2284 2285 TEST_MEMORY_COMPARE(secret_new, (size_t) expected->len, 2286 expected->x, (size_t) expected->len); 2287 2288 exit: 2289 PSA_DONE(); 2290 } 2291 /* END_CASE */ 2292 2293 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */ 2294 void ssl_tls_prf(int type, data_t *secret, data_t *random, 2295 char *label, data_t *result_str, int exp_ret) 2296 { 2297 unsigned char *output; 2298 2299 output = mbedtls_calloc(1, result_str->len); 2300 if (output == NULL) { 2301 goto exit; 2302 } 2303 2304 MD_OR_USE_PSA_INIT(); 2305 2306 TEST_ASSERT(mbedtls_ssl_tls_prf(type, secret->x, secret->len, 2307 label, random->x, random->len, 2308 output, result_str->len) == exp_ret); 2309 2310 if (exp_ret == 0) { 2311 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x, 2312 result_str->len, result_str->len) == 0); 2313 } 2314 exit: 2315 2316 mbedtls_free(output); 2317 MD_OR_USE_PSA_DONE(); 2318 } 2319 /* END_CASE */ 2320 2321 /* BEGIN_CASE */ 2322 void ssl_serialize_session_save_load(int ticket_len, char *crt_file, 2323 int endpoint_type, int tls_version) 2324 { 2325 mbedtls_ssl_session original, restored; 2326 unsigned char *buf = NULL; 2327 size_t len; 2328 2329 /* 2330 * Test that a save-load pair is the identity 2331 */ 2332 mbedtls_ssl_session_init(&original); 2333 mbedtls_ssl_session_init(&restored); 2334 USE_PSA_INIT(); 2335 2336 /* Prepare a dummy session to work on */ 2337 ((void) tls_version); 2338 ((void) ticket_len); 2339 ((void) crt_file); 2340 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2341 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2342 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2343 &original, 0, endpoint_type) == 0); 2344 } 2345 #endif 2346 2347 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2348 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2349 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2350 &original, ticket_len, endpoint_type, crt_file) == 0); 2351 } 2352 #endif 2353 2354 /* Serialize it */ 2355 TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len) 2356 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2357 TEST_CALLOC(buf, len); 2358 TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len) 2359 == 0); 2360 2361 /* Restore session from serialized data */ 2362 TEST_ASSERT(mbedtls_ssl_session_load(&restored, buf, len) == 0); 2363 2364 /* 2365 * Make sure both session structures are identical 2366 */ 2367 #if defined(MBEDTLS_HAVE_TIME) 2368 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2369 TEST_ASSERT(original.start == restored.start); 2370 } 2371 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) 2372 TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); 2373 #endif 2374 #endif /* MBEDTLS_HAVE_TIME */ 2375 2376 TEST_ASSERT(original.tls_version == restored.tls_version); 2377 TEST_ASSERT(original.endpoint == restored.endpoint); 2378 TEST_ASSERT(original.ciphersuite == restored.ciphersuite); 2379 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2380 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2381 TEST_ASSERT(original.id_len == restored.id_len); 2382 TEST_ASSERT(memcmp(original.id, 2383 restored.id, sizeof(original.id)) == 0); 2384 TEST_ASSERT(memcmp(original.master, 2385 restored.master, sizeof(original.master)) == 0); 2386 2387 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2388 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 2389 TEST_ASSERT((original.peer_cert == NULL) == 2390 (restored.peer_cert == NULL)); 2391 if (original.peer_cert != NULL) { 2392 TEST_ASSERT(original.peer_cert->raw.len == 2393 restored.peer_cert->raw.len); 2394 TEST_ASSERT(memcmp(original.peer_cert->raw.p, 2395 restored.peer_cert->raw.p, 2396 original.peer_cert->raw.len) == 0); 2397 } 2398 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2399 TEST_ASSERT(original.peer_cert_digest_type == 2400 restored.peer_cert_digest_type); 2401 TEST_ASSERT(original.peer_cert_digest_len == 2402 restored.peer_cert_digest_len); 2403 TEST_ASSERT((original.peer_cert_digest == NULL) == 2404 (restored.peer_cert_digest == NULL)); 2405 if (original.peer_cert_digest != NULL) { 2406 TEST_ASSERT(memcmp(original.peer_cert_digest, 2407 restored.peer_cert_digest, 2408 original.peer_cert_digest_len) == 0); 2409 } 2410 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2411 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2412 TEST_ASSERT(original.verify_result == restored.verify_result); 2413 2414 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2415 TEST_ASSERT(original.mfl_code == restored.mfl_code); 2416 #endif 2417 2418 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2419 TEST_ASSERT(original.encrypt_then_mac == restored.encrypt_then_mac); 2420 #endif 2421 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 2422 TEST_ASSERT(original.ticket_len == restored.ticket_len); 2423 if (original.ticket_len != 0) { 2424 TEST_ASSERT(original.ticket != NULL); 2425 TEST_ASSERT(restored.ticket != NULL); 2426 TEST_ASSERT(memcmp(original.ticket, 2427 restored.ticket, original.ticket_len) == 0); 2428 } 2429 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime); 2430 #endif 2431 } 2432 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2433 2434 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2435 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2436 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2437 TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add); 2438 TEST_ASSERT(original.ticket_flags == restored.ticket_flags); 2439 TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len); 2440 if (original.resumption_key_len != 0) { 2441 TEST_ASSERT(original.resumption_key != NULL); 2442 TEST_ASSERT(restored.resumption_key != NULL); 2443 TEST_ASSERT(memcmp(original.resumption_key, 2444 restored.resumption_key, 2445 original.resumption_key_len) == 0); 2446 } 2447 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2448 2449 #if defined(MBEDTLS_SSL_SRV_C) 2450 if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { 2451 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2452 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 2453 TEST_ASSERT(original.ticket_alpn != NULL); 2454 TEST_ASSERT(restored.ticket_alpn != NULL); 2455 TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn), 2456 restored.ticket_alpn, strlen(restored.ticket_alpn)); 2457 #endif 2458 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2459 } 2460 #endif /* MBEDTLS_SSL_SRV_C */ 2461 2462 #if defined(MBEDTLS_SSL_CLI_C) 2463 if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { 2464 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2465 #if defined(MBEDTLS_HAVE_TIME) 2466 TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time); 2467 #endif 2468 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime); 2469 TEST_ASSERT(original.ticket_len == restored.ticket_len); 2470 if (original.ticket_len != 0) { 2471 TEST_ASSERT(original.ticket != NULL); 2472 TEST_ASSERT(restored.ticket != NULL); 2473 TEST_ASSERT(memcmp(original.ticket, 2474 restored.ticket, 2475 original.ticket_len) == 0); 2476 } 2477 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2478 TEST_ASSERT(original.hostname != NULL); 2479 TEST_ASSERT(restored.hostname != NULL); 2480 TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname), 2481 restored.hostname, strlen(restored.hostname)); 2482 #endif 2483 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2484 } 2485 #endif /* MBEDTLS_SSL_CLI_C */ 2486 } 2487 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2488 2489 #if defined(MBEDTLS_SSL_EARLY_DATA) 2490 TEST_ASSERT( 2491 original.max_early_data_size == restored.max_early_data_size); 2492 #endif 2493 2494 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2495 TEST_ASSERT(original.record_size_limit == restored.record_size_limit); 2496 #endif 2497 2498 exit: 2499 mbedtls_ssl_session_free(&original); 2500 mbedtls_ssl_session_free(&restored); 2501 mbedtls_free(buf); 2502 USE_PSA_DONE(); 2503 } 2504 /* END_CASE */ 2505 2506 /* BEGIN_CASE */ 2507 void ssl_serialize_session_load_save(int ticket_len, char *crt_file, 2508 int endpoint_type, int tls_version) 2509 { 2510 mbedtls_ssl_session session; 2511 unsigned char *buf1 = NULL, *buf2 = NULL; 2512 size_t len0, len1, len2; 2513 2514 /* 2515 * Test that a load-save pair is the identity 2516 */ 2517 mbedtls_ssl_session_init(&session); 2518 USE_PSA_INIT(); 2519 2520 /* Prepare a dummy session to work on */ 2521 ((void) ticket_len); 2522 ((void) crt_file); 2523 2524 switch (tls_version) { 2525 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2526 case MBEDTLS_SSL_VERSION_TLS1_3: 2527 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2528 &session, 0, endpoint_type) == 0); 2529 break; 2530 #endif 2531 2532 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2533 case MBEDTLS_SSL_VERSION_TLS1_2: 2534 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2535 &session, ticket_len, endpoint_type, crt_file) == 0); 2536 break; 2537 #endif 2538 default: 2539 /* should never happen */ 2540 TEST_ASSERT(0); 2541 break; 2542 } 2543 2544 /* Get desired buffer size for serializing */ 2545 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &len0) 2546 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2547 2548 /* Allocate first buffer */ 2549 buf1 = mbedtls_calloc(1, len0); 2550 TEST_ASSERT(buf1 != NULL); 2551 2552 /* Serialize to buffer and free live session */ 2553 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf1, len0, &len1) 2554 == 0); 2555 TEST_ASSERT(len0 == len1); 2556 mbedtls_ssl_session_free(&session); 2557 2558 /* Restore session from serialized data */ 2559 TEST_ASSERT(mbedtls_ssl_session_load(&session, buf1, len1) == 0); 2560 2561 /* Allocate second buffer and serialize to it */ 2562 buf2 = mbedtls_calloc(1, len0); 2563 TEST_ASSERT(buf2 != NULL); 2564 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf2, len0, &len2) 2565 == 0); 2566 2567 /* Make sure both serialized versions are identical */ 2568 TEST_ASSERT(len1 == len2); 2569 TEST_ASSERT(memcmp(buf1, buf2, len1) == 0); 2570 2571 exit: 2572 mbedtls_ssl_session_free(&session); 2573 mbedtls_free(buf1); 2574 mbedtls_free(buf2); 2575 USE_PSA_DONE(); 2576 } 2577 /* END_CASE */ 2578 2579 /* BEGIN_CASE */ 2580 void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file, 2581 int endpoint_type, int tls_version) 2582 { 2583 mbedtls_ssl_session session; 2584 unsigned char *buf = NULL; 2585 size_t good_len, bad_len, test_len; 2586 2587 /* 2588 * Test that session_save() fails cleanly on small buffers 2589 */ 2590 mbedtls_ssl_session_init(&session); 2591 USE_PSA_INIT(); 2592 2593 /* Prepare dummy session and get serialized size */ 2594 ((void) ticket_len); 2595 ((void) crt_file); 2596 2597 switch (tls_version) { 2598 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2599 case MBEDTLS_SSL_VERSION_TLS1_3: 2600 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2601 &session, 0, endpoint_type) == 0); 2602 break; 2603 #endif 2604 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2605 case MBEDTLS_SSL_VERSION_TLS1_2: 2606 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2607 &session, ticket_len, endpoint_type, crt_file) == 0); 2608 break; 2609 #endif 2610 default: 2611 /* should never happen */ 2612 TEST_ASSERT(0); 2613 break; 2614 } 2615 2616 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len) 2617 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2618 2619 /* Try all possible bad lengths */ 2620 for (bad_len = 1; bad_len < good_len; bad_len++) { 2621 /* Allocate exact size so that asan/valgrind can detect any overwrite */ 2622 mbedtls_free(buf); 2623 buf = NULL; 2624 TEST_CALLOC(buf, bad_len); 2625 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len, 2626 &test_len) 2627 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2628 TEST_ASSERT(test_len == good_len); 2629 } 2630 2631 exit: 2632 mbedtls_ssl_session_free(&session); 2633 mbedtls_free(buf); 2634 USE_PSA_DONE(); 2635 } 2636 /* END_CASE */ 2637 2638 /* BEGIN_CASE */ 2639 void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, 2640 int endpoint_type, int tls_version) 2641 { 2642 mbedtls_ssl_session session; 2643 unsigned char *good_buf = NULL, *bad_buf = NULL; 2644 size_t good_len, bad_len; 2645 2646 /* 2647 * Test that session_load() fails cleanly on small buffers 2648 */ 2649 mbedtls_ssl_session_init(&session); 2650 USE_PSA_INIT(); 2651 2652 /* Prepare serialized session data */ 2653 ((void) ticket_len); 2654 ((void) crt_file); 2655 2656 switch (tls_version) { 2657 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2658 case MBEDTLS_SSL_VERSION_TLS1_3: 2659 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2660 &session, 0, endpoint_type) == 0); 2661 break; 2662 #endif 2663 2664 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2665 case MBEDTLS_SSL_VERSION_TLS1_2: 2666 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2667 &session, ticket_len, endpoint_type, crt_file) == 0); 2668 break; 2669 #endif 2670 2671 default: 2672 /* should never happen */ 2673 TEST_ASSERT(0); 2674 break; 2675 } 2676 2677 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len) 2678 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2679 TEST_CALLOC(good_buf, good_len); 2680 TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len, 2681 &good_len) == 0); 2682 mbedtls_ssl_session_free(&session); 2683 2684 /* Try all possible bad lengths */ 2685 for (bad_len = 0; bad_len < good_len; bad_len++) { 2686 /* Allocate exact size so that asan/valgrind can detect any overread */ 2687 mbedtls_free(bad_buf); 2688 bad_buf = NULL; 2689 TEST_CALLOC_NONNULL(bad_buf, bad_len); 2690 memcpy(bad_buf, good_buf, bad_len); 2691 2692 TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len) 2693 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 2694 } 2695 2696 exit: 2697 mbedtls_ssl_session_free(&session); 2698 mbedtls_free(good_buf); 2699 mbedtls_free(bad_buf); 2700 USE_PSA_DONE(); 2701 } 2702 /* END_CASE */ 2703 2704 /* BEGIN_CASE */ 2705 void ssl_session_serialize_version_check(int corrupt_major, 2706 int corrupt_minor, 2707 int corrupt_patch, 2708 int corrupt_config, 2709 int endpoint_type, 2710 int tls_version) 2711 { 2712 unsigned char serialized_session[2048]; 2713 size_t serialized_session_len; 2714 unsigned cur_byte; 2715 mbedtls_ssl_session session; 2716 uint8_t should_corrupt_byte[] = { corrupt_major == 1, 2717 corrupt_minor == 1, 2718 corrupt_patch == 1, 2719 corrupt_config == 1, 2720 corrupt_config == 1 }; 2721 2722 mbedtls_ssl_session_init(&session); 2723 USE_PSA_INIT(); 2724 2725 switch (tls_version) { 2726 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2727 case MBEDTLS_SSL_VERSION_TLS1_3: 2728 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2729 &session, 0, endpoint_type) == 0); 2730 break; 2731 #endif 2732 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2733 case MBEDTLS_SSL_VERSION_TLS1_2: 2734 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2735 &session, 0, endpoint_type, NULL) == 0); 2736 2737 break; 2738 #endif 2739 default: 2740 /* should never happen */ 2741 TEST_ASSERT(0); 2742 break; 2743 } 2744 2745 /* Infer length of serialized session. */ 2746 TEST_ASSERT(mbedtls_ssl_session_save(&session, 2747 serialized_session, 2748 sizeof(serialized_session), 2749 &serialized_session_len) == 0); 2750 2751 mbedtls_ssl_session_free(&session); 2752 2753 /* Without any modification, we should be able to successfully 2754 * de-serialize the session - double-check that. */ 2755 TEST_ASSERT(mbedtls_ssl_session_load(&session, 2756 serialized_session, 2757 serialized_session_len) == 0); 2758 mbedtls_ssl_session_free(&session); 2759 2760 /* Go through the bytes in the serialized session header and 2761 * corrupt them bit-by-bit. */ 2762 for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) { 2763 int cur_bit; 2764 unsigned char *const byte = &serialized_session[cur_byte]; 2765 2766 if (should_corrupt_byte[cur_byte] == 0) { 2767 continue; 2768 } 2769 2770 for (cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++) { 2771 unsigned char const corrupted_bit = 0x1u << cur_bit; 2772 /* Modify a single bit in the serialized session. */ 2773 *byte ^= corrupted_bit; 2774 2775 /* Attempt to deserialize */ 2776 TEST_ASSERT(mbedtls_ssl_session_load(&session, 2777 serialized_session, 2778 serialized_session_len) == 2779 MBEDTLS_ERR_SSL_VERSION_MISMATCH); 2780 2781 /* Undo the change */ 2782 *byte ^= corrupted_bit; 2783 } 2784 } 2785 exit: 2786 USE_PSA_DONE(); 2787 } 2788 /* END_CASE */ 2789 2790 /* BEGIN_CASE */ 2791 void ssl_session_id_accessors_check(int tls_version) 2792 { 2793 mbedtls_ssl_session session; 2794 int ciphersuite_id; 2795 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 2796 2797 mbedtls_ssl_session_init(&session); 2798 USE_PSA_INIT(); 2799 2800 switch (tls_version) { 2801 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2802 case MBEDTLS_SSL_VERSION_TLS1_3: 2803 ciphersuite_id = MBEDTLS_TLS1_3_AES_128_GCM_SHA256; 2804 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2805 &session, 0, MBEDTLS_SSL_IS_SERVER) == 0); 2806 break; 2807 #endif 2808 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2809 case MBEDTLS_SSL_VERSION_TLS1_2: 2810 ciphersuite_id = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256; 2811 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2812 &session, 0, MBEDTLS_SSL_IS_SERVER, NULL) == 0); 2813 2814 break; 2815 #endif 2816 default: 2817 /* should never happen */ 2818 TEST_ASSERT(0); 2819 break; 2820 } 2821 TEST_ASSERT(*mbedtls_ssl_session_get_id(&session) == session.id); 2822 TEST_ASSERT(mbedtls_ssl_session_get_id_len(&session) == session.id_len); 2823 /* mbedtls_test_ssl_tls1x_populate_session sets a mock suite-id of 0xabcd */ 2824 TEST_ASSERT(mbedtls_ssl_session_get_ciphersuite_id(&session) == 0xabcd); 2825 2826 /* Test setting a reference id for tls1.3 and tls1.2 */ 2827 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 2828 if (ciphersuite_info != NULL) { 2829 TEST_ASSERT(mbedtls_ssl_ciphersuite_get_id(ciphersuite_info) == ciphersuite_id); 2830 } 2831 2832 exit: 2833 mbedtls_ssl_session_free(&session); 2834 USE_PSA_DONE(); 2835 } 2836 /* END_CASE */ 2837 2838 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */ 2839 void mbedtls_endpoint_sanity(int endpoint_type) 2840 { 2841 enum { BUFFSIZE = 1024 }; 2842 mbedtls_test_ssl_endpoint ep; 2843 memset(&ep, 0, sizeof(ep)); 2844 int ret = -1; 2845 mbedtls_test_handshake_test_options options; 2846 mbedtls_test_init_handshake_options(&options); 2847 options.pk_alg = MBEDTLS_PK_RSA; 2848 2849 MD_OR_USE_PSA_INIT(); 2850 2851 ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options, 2852 NULL, NULL, NULL); 2853 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); 2854 2855 ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg, 2856 0, 0, 0); 2857 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); 2858 2859 ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options, 2860 NULL, NULL, NULL); 2861 TEST_ASSERT(ret == 0); 2862 2863 exit: 2864 mbedtls_test_ssl_endpoint_free(&ep, NULL); 2865 mbedtls_test_free_handshake_options(&options); 2866 MD_OR_USE_PSA_DONE(); 2867 } 2868 /* END_CASE */ 2869 2870 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS */ 2871 void move_handshake_to_state(int endpoint_type, int tls_version, int state, int need_pass) 2872 { 2873 enum { BUFFSIZE = 1024 }; 2874 mbedtls_test_ssl_endpoint base_ep, second_ep; 2875 memset(&base_ep, 0, sizeof(base_ep)); 2876 memset(&second_ep, 0, sizeof(second_ep)); 2877 int ret = -1; 2878 (void) tls_version; 2879 2880 mbedtls_test_handshake_test_options options; 2881 mbedtls_test_init_handshake_options(&options); 2882 2883 options.pk_alg = MBEDTLS_PK_RSA; 2884 2885 /* 2886 * If both TLS 1.2 and 1.3 are enabled and we want to do a TLS 1.2 2887 * handshake, force the TLS 1.2 version on endpoint under test. 2888 */ 2889 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2890 if (MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) { 2891 if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) { 2892 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2893 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2894 } else { 2895 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2896 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2897 } 2898 } 2899 #endif 2900 2901 MD_OR_USE_PSA_INIT(); 2902 2903 ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options, 2904 NULL, NULL, NULL); 2905 TEST_ASSERT(ret == 0); 2906 2907 ret = mbedtls_test_ssl_endpoint_init( 2908 &second_ep, 2909 (endpoint_type == MBEDTLS_SSL_IS_SERVER) ? 2910 MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, 2911 &options, NULL, NULL, NULL); 2912 2913 TEST_ASSERT(ret == 0); 2914 2915 ret = mbedtls_test_mock_socket_connect(&(base_ep.socket), 2916 &(second_ep.socket), 2917 BUFFSIZE); 2918 TEST_ASSERT(ret == 0); 2919 2920 ret = mbedtls_test_move_handshake_to_state(&(base_ep.ssl), 2921 &(second_ep.ssl), 2922 state); 2923 if (need_pass) { 2924 TEST_ASSERT(ret == 0 || 2925 ret == MBEDTLS_ERR_SSL_WANT_READ || 2926 ret == MBEDTLS_ERR_SSL_WANT_WRITE); 2927 TEST_ASSERT(base_ep.ssl.state == state); 2928 } else { 2929 TEST_ASSERT(ret != 0 && 2930 ret != MBEDTLS_ERR_SSL_WANT_READ && 2931 ret != MBEDTLS_ERR_SSL_WANT_WRITE); 2932 TEST_ASSERT(base_ep.ssl.state != state); 2933 } 2934 2935 exit: 2936 mbedtls_test_free_handshake_options(&options); 2937 mbedtls_test_ssl_endpoint_free(&base_ep, NULL); 2938 mbedtls_test_ssl_endpoint_free(&second_ep, NULL); 2939 MD_OR_USE_PSA_DONE(); 2940 } 2941 /* END_CASE */ 2942 2943 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2944 void handshake_version(int dtls, int client_min_version, int client_max_version, 2945 int server_min_version, int server_max_version, 2946 int expected_negotiated_version) 2947 { 2948 mbedtls_test_handshake_test_options options; 2949 mbedtls_test_init_handshake_options(&options); 2950 2951 options.client_min_version = client_min_version; 2952 options.client_max_version = client_max_version; 2953 options.server_min_version = server_min_version; 2954 options.server_max_version = server_max_version; 2955 options.expected_negotiated_version = expected_negotiated_version; 2956 2957 options.dtls = dtls; 2958 mbedtls_test_ssl_perform_handshake(&options); 2959 2960 /* The goto below is used to avoid an "unused label" warning.*/ 2961 goto exit; 2962 2963 exit: 2964 mbedtls_test_free_handshake_options(&options); 2965 } 2966 /* END_CASE */ 2967 2968 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 2969 void handshake_psk_cipher(char *cipher, int pk_alg, data_t *psk_str, int dtls) 2970 { 2971 mbedtls_test_handshake_test_options options; 2972 mbedtls_test_init_handshake_options(&options); 2973 2974 options.cipher = cipher; 2975 options.dtls = dtls; 2976 options.psk_str = psk_str; 2977 options.pk_alg = pk_alg; 2978 2979 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2980 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2981 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2982 2983 mbedtls_test_ssl_perform_handshake(&options); 2984 2985 /* The goto below is used to avoid an "unused label" warning.*/ 2986 goto exit; 2987 2988 exit: 2989 mbedtls_test_free_handshake_options(&options); 2990 } 2991 /* END_CASE */ 2992 2993 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 2994 void handshake_cipher(char *cipher, int pk_alg, int dtls) 2995 { 2996 test_handshake_psk_cipher(cipher, pk_alg, NULL, dtls); 2997 2998 /* The goto below is used to avoid an "unused label" warning.*/ 2999 goto exit; 3000 } 3001 /* END_CASE */ 3002 3003 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 3004 void handshake_ciphersuite_select(char *cipher, int pk_alg, data_t *psk_str, 3005 int psa_alg, int psa_alg2, int psa_usage, 3006 int expected_handshake_result, 3007 int expected_ciphersuite) 3008 { 3009 mbedtls_test_handshake_test_options options; 3010 mbedtls_test_init_handshake_options(&options); 3011 3012 options.cipher = cipher; 3013 options.psk_str = psk_str; 3014 options.pk_alg = pk_alg; 3015 options.opaque_alg = psa_alg; 3016 options.opaque_alg2 = psa_alg2; 3017 options.opaque_usage = psa_usage; 3018 options.expected_handshake_result = expected_handshake_result; 3019 options.expected_ciphersuite = expected_ciphersuite; 3020 3021 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 3022 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 3023 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3024 3025 mbedtls_test_ssl_perform_handshake(&options); 3026 3027 /* The goto below is used to avoid an "unused label" warning.*/ 3028 goto exit; 3029 3030 exit: 3031 mbedtls_test_free_handshake_options(&options); 3032 } 3033 /* END_CASE */ 3034 3035 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */ 3036 void app_data(int mfl, int cli_msg_len, int srv_msg_len, 3037 int expected_cli_fragments, 3038 int expected_srv_fragments, int dtls) 3039 { 3040 mbedtls_test_handshake_test_options options; 3041 mbedtls_test_init_handshake_options(&options); 3042 3043 options.mfl = mfl; 3044 options.cli_msg_len = cli_msg_len; 3045 options.srv_msg_len = srv_msg_len; 3046 options.expected_cli_fragments = expected_cli_fragments; 3047 options.expected_srv_fragments = expected_srv_fragments; 3048 options.dtls = dtls; 3049 3050 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 3051 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 3052 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3053 3054 mbedtls_test_ssl_perform_handshake(&options); 3055 3056 /* The goto below is used to avoid an "unused label" warning.*/ 3057 goto exit; 3058 3059 exit: 3060 mbedtls_test_free_handshake_options(&options); 3061 } 3062 /* END_CASE */ 3063 3064 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3065 void app_data_tls(int mfl, int cli_msg_len, int srv_msg_len, 3066 int expected_cli_fragments, 3067 int expected_srv_fragments) 3068 { 3069 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments, 3070 expected_srv_fragments, 0); 3071 /* The goto below is used to avoid an "unused label" warning.*/ 3072 goto exit; 3073 } 3074 /* END_CASE */ 3075 3076 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3077 void app_data_dtls(int mfl, int cli_msg_len, int srv_msg_len, 3078 int expected_cli_fragments, 3079 int expected_srv_fragments) 3080 { 3081 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments, 3082 expected_srv_fragments, 1); 3083 /* The goto below is used to avoid an "unused label" warning.*/ 3084 goto exit; 3085 } 3086 /* END_CASE */ 3087 3088 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3089 void handshake_serialization() 3090 { 3091 mbedtls_test_handshake_test_options options; 3092 mbedtls_test_init_handshake_options(&options); 3093 3094 options.serialize = 1; 3095 options.dtls = 1; 3096 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3097 mbedtls_test_ssl_perform_handshake(&options); 3098 /* The goto below is used to avoid an "unused label" warning.*/ 3099 goto exit; 3100 exit: 3101 mbedtls_test_free_handshake_options(&options); 3102 } 3103 /* END_CASE */ 3104 3105 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SSL_HAVE_AES:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_HAVE_CBC */ 3106 void handshake_fragmentation(int mfl, 3107 int expected_srv_hs_fragmentation, 3108 int expected_cli_hs_fragmentation, 3109 char *ciphersuite) 3110 { 3111 mbedtls_test_handshake_test_options options; 3112 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern; 3113 3114 srv_pattern.pattern = cli_pattern.pattern = "found fragmented DTLS handshake"; 3115 srv_pattern.counter = 0; 3116 cli_pattern.counter = 0; 3117 3118 mbedtls_test_init_handshake_options(&options); 3119 options.dtls = 1; 3120 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3121 options.mfl = mfl; 3122 /* Set cipher to one using CBC so that record splitting can be tested */ 3123 options.cipher = ciphersuite; 3124 options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED; 3125 options.srv_log_obj = &srv_pattern; 3126 options.cli_log_obj = &cli_pattern; 3127 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 3128 options.cli_log_fun = mbedtls_test_ssl_log_analyzer; 3129 3130 mbedtls_test_ssl_perform_handshake(&options); 3131 3132 /* Test if the server received a fragmented handshake */ 3133 if (expected_srv_hs_fragmentation) { 3134 TEST_ASSERT(srv_pattern.counter >= 1); 3135 } 3136 /* Test if the client received a fragmented handshake */ 3137 if (expected_cli_hs_fragmentation) { 3138 TEST_ASSERT(cli_pattern.counter >= 1); 3139 } 3140 3141 exit: 3142 mbedtls_test_free_handshake_options(&options); 3143 } 3144 /* END_CASE */ 3145 3146 /* This test case doesn't actually depend on certificates, 3147 * but our helper code for mbedtls_test_ssl_endpoint does. 3148 * Also, it needs specific hashes, algs and curves for the 3149 * hardcoded test certificates. In principle both RSA and ECDSA 3150 * can be used, but we hardcode ECDSA in order to avoid having 3151 * to express dependencies like "RSA or ECDSA with those curves". */ 3152 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY */ 3153 void recombine_server_first_flight(int version, 3154 int instruction, int param, 3155 char *client_log, char *server_log, 3156 int goal_state, int expected_ret) 3157 { 3158 /* Make sure we have a buffer that's large enough for the longest 3159 * data that the library might ever send, plus a bit extra so that 3160 * we can inject more content. The library won't ever send more than 3161 * 2^14 bytes of handshake messages, so we round that up. In practice 3162 * we could surely get away with a much smaller buffer. The main 3163 * variable part is the server certificate. */ 3164 enum { BUFFSIZE = 17000 }; 3165 mbedtls_test_ssl_endpoint client; 3166 memset(&client, 0, sizeof(client)); 3167 mbedtls_test_ssl_endpoint server; 3168 memset(&server, 0, sizeof(server)); 3169 mbedtls_test_handshake_test_options client_options; 3170 mbedtls_test_init_handshake_options(&client_options); 3171 mbedtls_test_handshake_test_options server_options; 3172 mbedtls_test_init_handshake_options(&server_options); 3173 #if defined(MBEDTLS_DEBUG_C) 3174 mbedtls_test_ssl_log_pattern cli_pattern = { .pattern = client_log }; 3175 mbedtls_test_ssl_log_pattern srv_pattern = { .pattern = server_log }; 3176 #else 3177 (void) client_log; 3178 (void) server_log; 3179 #endif 3180 int ret = 0; 3181 3182 MD_OR_USE_PSA_INIT(); 3183 #if defined(MBEDTLS_DEBUG_C) 3184 mbedtls_debug_set_threshold(3); 3185 #endif 3186 3187 // Does't really matter but we want to know to declare dependencies. 3188 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3189 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3190 3191 client_options.client_min_version = version; 3192 client_options.client_max_version = version; 3193 #if defined(MBEDTLS_DEBUG_C) 3194 client_options.cli_log_obj = &cli_pattern; 3195 client_options.cli_log_fun = mbedtls_test_ssl_log_analyzer; 3196 #endif 3197 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 3198 &client_options, NULL, NULL, 3199 NULL), 0); 3200 3201 server_options.server_min_version = version; 3202 server_options.server_max_version = version; 3203 #if defined(MBEDTLS_DEBUG_C) 3204 server_options.srv_log_obj = &srv_pattern; 3205 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 3206 #endif 3207 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 3208 &server_options, NULL, NULL, 3209 NULL), 0); 3210 3211 TEST_EQUAL(mbedtls_test_mock_socket_connect(&client.socket, 3212 &server.socket, 3213 BUFFSIZE), 0); 3214 3215 /* Client: emit the first flight from the client */ 3216 while (ret == 0) { 3217 mbedtls_test_set_step(client.ssl.state); 3218 ret = mbedtls_ssl_handshake_step(&client.ssl); 3219 } 3220 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 3221 ret = 0; 3222 TEST_EQUAL(client.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 3223 3224 /* Server: parse the first flight from the client 3225 * and emit the first flight from the server */ 3226 while (ret == 0) { 3227 mbedtls_test_set_step(1000 + server.ssl.state); 3228 ret = mbedtls_ssl_handshake_step(&server.ssl); 3229 } 3230 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 3231 ret = 0; 3232 TEST_EQUAL(server.ssl.state, MBEDTLS_SSL_SERVER_HELLO_DONE + 1); 3233 3234 /* Recombine the first flight from the server */ 3235 TEST_ASSERT(recombine_records(&server, instruction, param)); 3236 3237 /* Client: parse the first flight from the server 3238 * and emit the second flight from the client */ 3239 while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) { 3240 mbedtls_test_set_step(client.ssl.state); 3241 ret = mbedtls_ssl_handshake_step(&client.ssl); 3242 if (client.ssl.state == goal_state && ret != 0) { 3243 TEST_EQUAL(ret, expected_ret); 3244 goto goal_reached; 3245 } 3246 } 3247 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3248 /* A default TLS 1.3 handshake has only 1 flight from the server, 3249 * while the default (non-resumption) 1.2 handshake has two. */ 3250 if (version >= MBEDTLS_SSL_VERSION_TLS1_3 && 3251 goal_state >= MBEDTLS_SSL_HANDSHAKE_OVER) { 3252 TEST_EQUAL(ret, 0); 3253 } else 3254 #endif 3255 { 3256 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 3257 } 3258 ret = 0; 3259 3260 /* Server: parse the first flight from the client 3261 * and emit the second flight from the server */ 3262 if (instruction == RECOMBINE_TRUNCATE_FIRST) { 3263 /* Close without a notification. The case of closing with a 3264 * notification is tested via RECOMBINE_INSERT_RECORD to insert 3265 * an alert record (which we reject, making the client SSL 3266 * context become invalid). */ 3267 mbedtls_test_mock_socket_close(&server.socket); 3268 goto goal_reached; 3269 } 3270 while (ret == 0 && !mbedtls_ssl_is_handshake_over(&server.ssl)) { 3271 mbedtls_test_set_step(1000 + server.ssl.state); 3272 ret = mbedtls_ssl_handshake_step(&server.ssl); 3273 } 3274 TEST_EQUAL(ret, 0); 3275 3276 /* Client: parse the second flight from the server */ 3277 while (ret == 0 && !mbedtls_ssl_is_handshake_over(&client.ssl)) { 3278 mbedtls_test_set_step(client.ssl.state); 3279 ret = mbedtls_ssl_handshake_step(&client.ssl); 3280 } 3281 if (client.ssl.state == goal_state) { 3282 TEST_EQUAL(ret, expected_ret); 3283 } else { 3284 TEST_EQUAL(ret, 0); 3285 } 3286 3287 goal_reached: 3288 #if defined(MBEDTLS_DEBUG_C) 3289 TEST_ASSERT(cli_pattern.counter >= 1); 3290 TEST_ASSERT(srv_pattern.counter >= 1); 3291 #endif 3292 3293 exit: 3294 mbedtls_test_ssl_endpoint_free(&client, NULL); 3295 mbedtls_test_ssl_endpoint_free(&server, NULL); 3296 mbedtls_test_free_handshake_options(&client_options); 3297 mbedtls_test_free_handshake_options(&server_options); 3298 MD_OR_USE_PSA_DONE(); 3299 #if defined(MBEDTLS_DEBUG_C) 3300 mbedtls_debug_set_threshold(0); 3301 #endif 3302 } 3303 /* END_CASE */ 3304 3305 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3306 void renegotiation(int legacy_renegotiation) 3307 { 3308 mbedtls_test_handshake_test_options options; 3309 mbedtls_test_init_handshake_options(&options); 3310 3311 options.renegotiate = 1; 3312 options.legacy_renegotiation = legacy_renegotiation; 3313 options.dtls = 1; 3314 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3315 3316 mbedtls_test_ssl_perform_handshake(&options); 3317 3318 /* The goto below is used to avoid an "unused label" warning.*/ 3319 goto exit; 3320 exit: 3321 mbedtls_test_free_handshake_options(&options); 3322 } 3323 /* END_CASE */ 3324 3325 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */ 3326 void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation, 3327 int serialize, int dtls, char *cipher) 3328 { 3329 mbedtls_test_handshake_test_options options; 3330 mbedtls_test_init_handshake_options(&options); 3331 3332 options.mfl = mfl; 3333 options.cipher = cipher; 3334 options.renegotiate = renegotiation; 3335 options.legacy_renegotiation = legacy_renegotiation; 3336 options.serialize = serialize; 3337 options.dtls = dtls; 3338 if (dtls) { 3339 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 3340 } 3341 options.resize_buffers = 1; 3342 3343 mbedtls_test_ssl_perform_handshake(&options); 3344 3345 /* The goto below is used to avoid an "unused label" warning.*/ 3346 goto exit; 3347 exit: 3348 mbedtls_test_free_handshake_options(&options); 3349 } 3350 /* END_CASE */ 3351 3352 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3353 void resize_buffers_serialize_mfl(int mfl) 3354 { 3355 test_resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, 3356 (char *) ""); 3357 /* The goto below is used to avoid an "unused label" warning.*/ 3358 goto exit; 3359 } 3360 /* END_CASE */ 3361 3362 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 3363 void resize_buffers_renegotiate_mfl(int mfl, int legacy_renegotiation, 3364 char *cipher) 3365 { 3366 test_resize_buffers(mfl, 1, legacy_renegotiation, 0, 1, cipher); 3367 /* The goto below is used to avoid an "unused label" warning.*/ 3368 goto exit; 3369 } 3370 /* END_CASE */ 3371 3372 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 3373 void test_multiple_psks() 3374 { 3375 unsigned char psk0[10] = { 0 }; 3376 unsigned char psk0_identity[] = { 'f', 'o', 'o' }; 3377 3378 unsigned char psk1[10] = { 0 }; 3379 unsigned char psk1_identity[] = { 'b', 'a', 'r' }; 3380 3381 mbedtls_ssl_config conf; 3382 3383 mbedtls_ssl_config_init(&conf); 3384 MD_OR_USE_PSA_INIT(); 3385 3386 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 3387 psk0, sizeof(psk0), 3388 psk0_identity, sizeof(psk0_identity)) == 0); 3389 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 3390 psk1, sizeof(psk1), 3391 psk1_identity, sizeof(psk1_identity)) == 3392 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 3393 3394 exit: 3395 mbedtls_ssl_config_free(&conf); 3396 MD_OR_USE_PSA_DONE(); 3397 } 3398 /* END_CASE */ 3399 3400 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */ 3401 void test_multiple_psks_opaque(int mode) 3402 { 3403 /* 3404 * Mode 0: Raw PSK, then opaque PSK 3405 * Mode 1: Opaque PSK, then raw PSK 3406 * Mode 2: 2x opaque PSK 3407 */ 3408 3409 unsigned char psk0_raw[10] = { 0 }; 3410 unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' }; 3411 3412 mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 1); 3413 3414 unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' }; 3415 3416 unsigned char psk1_raw[10] = { 0 }; 3417 unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' }; 3418 3419 mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 2); 3420 3421 unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' }; 3422 3423 mbedtls_ssl_config conf; 3424 3425 mbedtls_ssl_config_init(&conf); 3426 MD_OR_USE_PSA_INIT(); 3427 3428 switch (mode) { 3429 case 0: 3430 3431 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 3432 psk0_raw, sizeof(psk0_raw), 3433 psk0_raw_identity, sizeof(psk0_raw_identity)) 3434 == 0); 3435 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 3436 psk1_opaque, 3437 psk1_opaque_identity, 3438 sizeof(psk1_opaque_identity)) 3439 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 3440 break; 3441 3442 case 1: 3443 3444 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 3445 psk0_opaque, 3446 psk0_opaque_identity, 3447 sizeof(psk0_opaque_identity)) 3448 == 0); 3449 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 3450 psk1_raw, sizeof(psk1_raw), 3451 psk1_raw_identity, sizeof(psk1_raw_identity)) 3452 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 3453 3454 break; 3455 3456 case 2: 3457 3458 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 3459 psk0_opaque, 3460 psk0_opaque_identity, 3461 sizeof(psk0_opaque_identity)) 3462 == 0); 3463 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 3464 psk1_opaque, 3465 psk1_opaque_identity, 3466 sizeof(psk1_opaque_identity)) 3467 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 3468 3469 break; 3470 3471 default: 3472 TEST_ASSERT(0); 3473 break; 3474 } 3475 3476 exit: 3477 mbedtls_ssl_config_free(&conf); 3478 MD_OR_USE_PSA_DONE(); 3479 3480 } 3481 /* END_CASE */ 3482 3483 /* BEGIN_CASE */ 3484 void conf_version(int endpoint, int transport, 3485 int min_tls_version, int max_tls_version, 3486 int expected_ssl_setup_result) 3487 { 3488 mbedtls_ssl_config conf; 3489 mbedtls_ssl_context ssl; 3490 3491 mbedtls_ssl_config_init(&conf); 3492 mbedtls_ssl_init(&ssl); 3493 MD_OR_USE_PSA_INIT(); 3494 3495 mbedtls_ssl_conf_endpoint(&conf, endpoint); 3496 mbedtls_ssl_conf_transport(&conf, transport); 3497 mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version); 3498 mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version); 3499 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3500 3501 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result); 3502 TEST_EQUAL(mbedtls_ssl_conf_get_endpoint( 3503 mbedtls_ssl_context_get_config(&ssl)), endpoint); 3504 3505 mbedtls_ssl_free(&ssl); 3506 mbedtls_ssl_config_free(&conf); 3507 3508 exit: 3509 MD_OR_USE_PSA_DONE(); 3510 } 3511 /* END_CASE */ 3512 3513 /* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_ECP_HAVE_SECP224R1:MBEDTLS_ECP_HAVE_SECP256R1 */ 3514 void conf_curve() 3515 { 3516 3517 mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1, 3518 MBEDTLS_ECP_DP_SECP224R1, 3519 MBEDTLS_ECP_DP_SECP256R1, 3520 MBEDTLS_ECP_DP_NONE }; 3521 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, 3522 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, 3523 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3524 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3525 3526 mbedtls_ssl_config conf; 3527 mbedtls_ssl_config_init(&conf); 3528 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3529 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3530 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3531 #else 3532 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); 3533 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); 3534 #endif 3535 mbedtls_ssl_conf_curves(&conf, curve_list); 3536 3537 mbedtls_ssl_context ssl; 3538 mbedtls_ssl_init(&ssl); 3539 MD_OR_USE_PSA_INIT(); 3540 3541 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3542 3543 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3544 3545 TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL); 3546 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list == NULL); 3547 3548 TEST_EQUAL(ssl.handshake-> 3549 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1], 3550 MBEDTLS_SSL_IANA_TLS_GROUP_NONE); 3551 3552 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) { 3553 TEST_EQUAL(iana_tls_group_list[i], ssl.handshake->group_list[i]); 3554 } 3555 3556 exit: 3557 mbedtls_ssl_free(&ssl); 3558 mbedtls_ssl_config_free(&conf); 3559 MD_OR_USE_PSA_DONE(); 3560 } 3561 /* END_CASE */ 3562 3563 /* BEGIN_CASE */ 3564 void conf_group() 3565 { 3566 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, 3567 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, 3568 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3569 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3570 3571 mbedtls_ssl_config conf; 3572 mbedtls_ssl_config_init(&conf); 3573 3574 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3575 mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, 3576 MBEDTLS_SSL_TRANSPORT_STREAM, 3577 MBEDTLS_SSL_PRESET_DEFAULT); 3578 3579 mbedtls_ssl_conf_groups(&conf, iana_tls_group_list); 3580 3581 mbedtls_ssl_context ssl; 3582 mbedtls_ssl_init(&ssl); 3583 MD_OR_USE_PSA_INIT(); 3584 3585 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3586 3587 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list != NULL); 3588 3589 TEST_EQUAL(ssl.conf-> 3590 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1], 3591 MBEDTLS_SSL_IANA_TLS_GROUP_NONE); 3592 3593 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) { 3594 TEST_EQUAL(iana_tls_group_list[i], ssl.conf->group_list[i]); 3595 } 3596 3597 exit: 3598 mbedtls_ssl_free(&ssl); 3599 mbedtls_ssl_config_free(&conf); 3600 MD_OR_USE_PSA_DONE(); 3601 } 3602 /* END_CASE */ 3603 3604 /* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */ 3605 void force_bad_session_id_len() 3606 { 3607 enum { BUFFSIZE = 1024 }; 3608 mbedtls_test_handshake_test_options options; 3609 mbedtls_test_ssl_endpoint client, server; 3610 memset(&client, 0, sizeof(client)); 3611 memset(&server, 0, sizeof(server)); 3612 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern; 3613 mbedtls_test_message_socket_context server_context, client_context; 3614 3615 srv_pattern.pattern = cli_pattern.pattern = "cache did not store session"; 3616 srv_pattern.counter = 0; 3617 mbedtls_test_init_handshake_options(&options); 3618 3619 options.srv_log_obj = &srv_pattern; 3620 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 3621 3622 mbedtls_test_message_socket_init(&server_context); 3623 mbedtls_test_message_socket_init(&client_context); 3624 MD_OR_USE_PSA_INIT(); 3625 3626 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 3627 &options, NULL, NULL, 3628 NULL) == 0); 3629 3630 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 3631 &options, NULL, NULL, NULL) == 0); 3632 3633 mbedtls_debug_set_threshold(1); 3634 mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun, 3635 options.srv_log_obj); 3636 3637 TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket), 3638 &(server.socket), 3639 BUFFSIZE) == 0); 3640 3641 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 3642 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_WRAPUP) 3643 == 0); 3644 /* Force a bad session_id_len that will be read by the server in 3645 * mbedtls_ssl_cache_set. */ 3646 server.ssl.session_negotiate->id_len = 33; 3647 if (options.cli_msg_len != 0 || options.srv_msg_len != 0) { 3648 /* Start data exchanging test */ 3649 TEST_ASSERT(mbedtls_test_ssl_exchange_data( 3650 &(client.ssl), options.cli_msg_len, 3651 options.expected_cli_fragments, 3652 &(server.ssl), options.srv_msg_len, 3653 options.expected_srv_fragments) 3654 == 0); 3655 } 3656 3657 /* Make sure that the cache did not store the session */ 3658 TEST_EQUAL(srv_pattern.counter, 1); 3659 exit: 3660 mbedtls_test_ssl_endpoint_free(&client, NULL); 3661 mbedtls_test_ssl_endpoint_free(&server, NULL); 3662 mbedtls_test_free_handshake_options(&options); 3663 mbedtls_debug_set_threshold(0); 3664 MD_OR_USE_PSA_DONE(); 3665 } 3666 /* END_CASE */ 3667 3668 /* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */ 3669 void cookie_parsing(data_t *cookie, int exp_ret) 3670 { 3671 mbedtls_ssl_context ssl; 3672 mbedtls_ssl_config conf; 3673 size_t len; 3674 3675 mbedtls_ssl_init(&ssl); 3676 mbedtls_ssl_config_init(&conf); 3677 USE_PSA_INIT(); 3678 3679 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, 3680 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 3681 MBEDTLS_SSL_PRESET_DEFAULT), 3682 0); 3683 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3684 3685 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); 3686 TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id, 3687 ssl.cli_id_len, 3688 cookie->x, cookie->len, 3689 ssl.out_buf, 3690 MBEDTLS_SSL_OUT_CONTENT_LEN, 3691 &len), 3692 exp_ret); 3693 3694 exit: 3695 mbedtls_ssl_free(&ssl); 3696 mbedtls_ssl_config_free(&conf); 3697 USE_PSA_DONE(); 3698 } 3699 /* END_CASE */ 3700 3701 /* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */ 3702 void timing_final_delay_accessor() 3703 { 3704 mbedtls_timing_delay_context delay_context; 3705 3706 USE_PSA_INIT(); 3707 mbedtls_timing_set_delay(&delay_context, 50, 100); 3708 3709 TEST_ASSERT(mbedtls_timing_get_final_delay(&delay_context) == 100); 3710 3711 exit: 3712 USE_PSA_DONE(); 3713 } 3714 /* END_CASE */ 3715 3716 /* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3717 void cid_sanity() 3718 { 3719 mbedtls_ssl_context ssl; 3720 mbedtls_ssl_config conf; 3721 3722 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 3723 unsigned char test_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 3724 int cid_enabled; 3725 size_t own_cid_len; 3726 3727 mbedtls_test_rnd_std_rand(NULL, own_cid, sizeof(own_cid)); 3728 3729 mbedtls_ssl_init(&ssl); 3730 mbedtls_ssl_config_init(&conf); 3731 MD_OR_USE_PSA_INIT(); 3732 3733 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 3734 MBEDTLS_SSL_IS_CLIENT, 3735 MBEDTLS_SSL_TRANSPORT_STREAM, 3736 MBEDTLS_SSL_PRESET_DEFAULT) 3737 == 0); 3738 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3739 3740 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3741 3742 /* Can't use CID functions with stream transport. */ 3743 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3744 sizeof(own_cid)) 3745 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3746 3747 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3748 &own_cid_len) 3749 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3750 3751 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 3752 MBEDTLS_SSL_IS_CLIENT, 3753 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 3754 MBEDTLS_SSL_PRESET_DEFAULT) 3755 == 0); 3756 3757 /* Attempt to set config cid size too big. */ 3758 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, MBEDTLS_SSL_CID_IN_LEN_MAX + 1, 3759 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) 3760 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3761 3762 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, sizeof(own_cid), 3763 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) 3764 == 0); 3765 3766 /* Attempt to set CID length not matching config. */ 3767 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3768 MBEDTLS_SSL_CID_IN_LEN_MAX - 1) 3769 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3770 3771 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3772 sizeof(own_cid)) 3773 == 0); 3774 3775 /* Test we get back what we put in. */ 3776 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3777 &own_cid_len) 3778 == 0); 3779 3780 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_ENABLED); 3781 TEST_MEMORY_COMPARE(own_cid, own_cid_len, test_cid, own_cid_len); 3782 3783 /* Test disabling works. */ 3784 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_DISABLED, NULL, 3785 0) 3786 == 0); 3787 3788 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3789 &own_cid_len) 3790 == 0); 3791 3792 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_DISABLED); 3793 3794 exit: 3795 mbedtls_ssl_free(&ssl); 3796 mbedtls_ssl_config_free(&conf); 3797 MD_OR_USE_PSA_DONE(); 3798 } 3799 /* END_CASE */ 3800 3801 /* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SIGN */ 3802 void raw_key_agreement_fail(int bad_server_ecdhe_key) 3803 { 3804 enum { BUFFSIZE = 17000 }; 3805 mbedtls_test_ssl_endpoint client, server; 3806 memset(&client, 0, sizeof(client)); 3807 memset(&server, 0, sizeof(server)); 3808 mbedtls_psa_stats_t stats; 3809 size_t free_slots_before = -1; 3810 mbedtls_test_handshake_test_options client_options, server_options; 3811 mbedtls_test_init_handshake_options(&client_options); 3812 mbedtls_test_init_handshake_options(&server_options); 3813 3814 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3815 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3816 MD_OR_USE_PSA_INIT(); 3817 3818 /* Client side, force SECP256R1 to make one key bitflip fail 3819 * the raw key agreement. Flipping the first byte makes the 3820 * required 0x04 identifier invalid. */ 3821 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3822 client_options.group_list = iana_tls_group_list; 3823 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 3824 &client_options, NULL, NULL, 3825 NULL), 0); 3826 3827 /* Server side */ 3828 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3829 server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 3830 server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 3831 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 3832 &server_options, NULL, NULL, 3833 NULL), 0); 3834 3835 TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket), 3836 &(server.socket), 3837 BUFFSIZE), 0); 3838 3839 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3840 &(client.ssl), &(server.ssl), 3841 MBEDTLS_SSL_CLIENT_KEY_EXCHANGE), 0); 3842 3843 mbedtls_psa_get_stats(&stats); 3844 /* Save the number of slots in use up to this point. 3845 * With PSA, one can be used for the ECDH private key. */ 3846 free_slots_before = stats.empty_slots; 3847 3848 if (bad_server_ecdhe_key) { 3849 /* Force a simulated bitflip in the server key. to make the 3850 * raw key agreement in ssl_write_client_key_exchange fail. */ 3851 (client.ssl).handshake->xxdh_psa_peerkey[0] ^= 0x02; 3852 } 3853 3854 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3855 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_OVER), 3856 bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0); 3857 3858 mbedtls_psa_get_stats(&stats); 3859 3860 /* Make sure that the key slot is already destroyed in case of failure, 3861 * without waiting to close the connection. */ 3862 if (bad_server_ecdhe_key) { 3863 TEST_EQUAL(free_slots_before, stats.empty_slots); 3864 } 3865 3866 exit: 3867 mbedtls_test_ssl_endpoint_free(&client, NULL); 3868 mbedtls_test_ssl_endpoint_free(&server, NULL); 3869 mbedtls_test_free_handshake_options(&client_options); 3870 mbedtls_test_free_handshake_options(&server_options); 3871 3872 MD_OR_USE_PSA_DONE(); 3873 } 3874 /* END_CASE */ 3875 /* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_ECP_HAVE_SECP384R1 */ 3876 void tls13_server_certificate_msg_invalid_vector_len() 3877 { 3878 int ret = -1; 3879 mbedtls_test_ssl_endpoint client_ep, server_ep; 3880 memset(&client_ep, 0, sizeof(client_ep)); 3881 memset(&server_ep, 0, sizeof(server_ep)); 3882 unsigned char *buf, *end; 3883 size_t buf_len; 3884 int step = 0; 3885 int expected_result; 3886 mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args; 3887 mbedtls_test_handshake_test_options client_options; 3888 mbedtls_test_handshake_test_options server_options; 3889 3890 /* 3891 * Test set-up 3892 */ 3893 3894 mbedtls_test_init_handshake_options(&client_options); 3895 MD_OR_USE_PSA_INIT(); 3896 3897 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3898 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 3899 &client_options, NULL, NULL, NULL); 3900 TEST_EQUAL(ret, 0); 3901 3902 mbedtls_test_init_handshake_options(&server_options); 3903 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3904 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 3905 &server_options, NULL, NULL, NULL); 3906 TEST_EQUAL(ret, 0); 3907 3908 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 3909 &(server_ep.socket), 1024); 3910 TEST_EQUAL(ret, 0); 3911 3912 while (1) { 3913 mbedtls_test_set_step(++step); 3914 3915 ret = mbedtls_test_move_handshake_to_state( 3916 &(server_ep.ssl), &(client_ep.ssl), 3917 MBEDTLS_SSL_CERTIFICATE_VERIFY); 3918 TEST_EQUAL(ret, 0); 3919 3920 ret = mbedtls_ssl_flush_output(&(server_ep.ssl)); 3921 TEST_EQUAL(ret, 0); 3922 3923 ret = mbedtls_test_move_handshake_to_state( 3924 &(client_ep.ssl), &(server_ep.ssl), 3925 MBEDTLS_SSL_SERVER_CERTIFICATE); 3926 TEST_EQUAL(ret, 0); 3927 3928 ret = mbedtls_ssl_tls13_fetch_handshake_msg(&(client_ep.ssl), 3929 MBEDTLS_SSL_HS_CERTIFICATE, 3930 &buf, &buf_len); 3931 TEST_EQUAL(ret, 0); 3932 3933 end = buf + buf_len; 3934 3935 /* 3936 * Tweak server Certificate message and parse it. 3937 */ 3938 3939 ret = mbedtls_test_tweak_tls13_certificate_msg_vector_len( 3940 buf, &end, step, &expected_result, &expected_chk_buf_ptr_args); 3941 3942 if (ret != 0) { 3943 break; 3944 } 3945 3946 ret = mbedtls_ssl_tls13_parse_certificate(&(client_ep.ssl), buf, end); 3947 TEST_EQUAL(ret, expected_result); 3948 3949 TEST_ASSERT(mbedtls_ssl_cmp_chk_buf_ptr_fail_args( 3950 &expected_chk_buf_ptr_args) == 0); 3951 3952 mbedtls_ssl_reset_chk_buf_ptr_fail_args(); 3953 3954 ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); 3955 TEST_EQUAL(ret, 0); 3956 3957 ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); 3958 TEST_EQUAL(ret, 0); 3959 } 3960 3961 exit: 3962 mbedtls_ssl_reset_chk_buf_ptr_fail_args(); 3963 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 3964 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 3965 mbedtls_test_free_handshake_options(&client_options); 3966 mbedtls_test_free_handshake_options(&server_options); 3967 MD_OR_USE_PSA_DONE(); 3968 } 3969 /* END_CASE */ 3970 3971 /* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 3972 void ssl_ecjpake_set_password(int use_opaque_arg) 3973 { 3974 mbedtls_ssl_context ssl; 3975 mbedtls_ssl_config conf; 3976 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3977 mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT; 3978 #else /* MBEDTLS_USE_PSA_CRYPTO */ 3979 (void) use_opaque_arg; 3980 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 3981 unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = ""; 3982 size_t pwd_len = 0; 3983 int ret; 3984 3985 mbedtls_ssl_init(&ssl); 3986 MD_OR_USE_PSA_INIT(); 3987 3988 /* test with uninitalized SSL context */ 3989 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3990 3991 mbedtls_ssl_config_init(&conf); 3992 3993 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, 3994 MBEDTLS_SSL_IS_CLIENT, 3995 MBEDTLS_SSL_TRANSPORT_STREAM, 3996 MBEDTLS_SSL_PRESET_DEFAULT), 0); 3997 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3998 3999 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); 4000 4001 /* test with empty password or unitialized password key (depending on use_opaque_arg) */ 4002 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 4003 4004 pwd_len = strlen(ECJPAKE_TEST_PWD); 4005 memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len); 4006 4007 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4008 if (use_opaque_arg) { 4009 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 4010 psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT; 4011 4012 /* First try with an invalid usage */ 4013 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 4014 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 4015 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 4016 4017 PSA_ASSERT(psa_import_key(&attributes, pwd_string, 4018 pwd_len, &pwd_slot)); 4019 4020 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); 4021 4022 /* check that the opaque key is still valid after failure */ 4023 TEST_EQUAL(psa_get_key_attributes(pwd_slot, &check_attributes), 4024 PSA_SUCCESS); 4025 4026 psa_destroy_key(pwd_slot); 4027 4028 /* Then set the correct usage */ 4029 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 4030 4031 PSA_ASSERT(psa_import_key(&attributes, pwd_string, 4032 pwd_len, &pwd_slot)); 4033 } 4034 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4035 4036 /* final check which should work without errors */ 4037 ECJPAKE_TEST_SET_PASSWORD(0); 4038 4039 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4040 if (use_opaque_arg) { 4041 psa_destroy_key(pwd_slot); 4042 } 4043 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4044 mbedtls_ssl_free(&ssl); 4045 mbedtls_ssl_config_free(&conf); 4046 4047 MD_OR_USE_PSA_DONE(); 4048 } 4049 /* END_CASE */ 4050 4051 /* BEGIN_CASE */ 4052 void elliptic_curve_get_properties() 4053 { 4054 psa_key_type_t psa_type = PSA_KEY_TYPE_NONE; 4055 size_t psa_bits; 4056 4057 MD_OR_USE_PSA_INIT(); 4058 4059 #if defined(MBEDTLS_ECP_HAVE_SECP521R1) || defined(PSA_WANT_ECC_SECP_R1_521) 4060 TEST_AVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521); 4061 #else 4062 TEST_UNAVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521); 4063 #endif 4064 #if defined(MBEDTLS_ECP_HAVE_BP512R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) 4065 TEST_AVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512); 4066 #else 4067 TEST_UNAVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512); 4068 #endif 4069 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) || defined(PSA_WANT_ECC_SECP_R1_384) 4070 TEST_AVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384); 4071 #else 4072 TEST_UNAVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384); 4073 #endif 4074 #if defined(MBEDTLS_ECP_HAVE_BP384R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) 4075 TEST_AVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384); 4076 #else 4077 TEST_UNAVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384); 4078 #endif 4079 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) || defined(PSA_WANT_ECC_SECP_R1_256) 4080 TEST_AVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256); 4081 #else 4082 TEST_UNAVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256); 4083 #endif 4084 #if defined(MBEDTLS_ECP_HAVE_SECP256K1) || defined(PSA_WANT_ECC_SECP_K1_256) 4085 TEST_AVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256); 4086 #else 4087 TEST_UNAVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256); 4088 #endif 4089 #if defined(MBEDTLS_ECP_HAVE_BP256R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) 4090 TEST_AVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); 4091 #else 4092 TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); 4093 #endif 4094 #if defined(MBEDTLS_ECP_HAVE_SECP224R1) || defined(PSA_WANT_ECC_SECP_R1_224) 4095 TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); 4096 #else 4097 TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); 4098 #endif 4099 #if defined(MBEDTLS_ECP_HAVE_SECP224K1) || defined(PSA_WANT_ECC_SECP_K1_224) 4100 TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); 4101 #else 4102 TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); 4103 #endif 4104 #if defined(MBEDTLS_ECP_HAVE_SECP192R1) || defined(PSA_WANT_ECC_SECP_R1_192) 4105 TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); 4106 #else 4107 TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); 4108 #endif 4109 #if defined(MBEDTLS_ECP_HAVE_SECP192K1) || defined(PSA_WANT_ECC_SECP_K1_192) 4110 TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); 4111 #else 4112 TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); 4113 #endif 4114 #if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(PSA_WANT_ECC_MONTGOMERY_255) 4115 TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); 4116 #else 4117 TEST_UNAVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); 4118 #endif 4119 #if defined(MBEDTLS_ECP_HAVE_CURVE448) || defined(PSA_WANT_ECC_MONTGOMERY_448) 4120 TEST_AVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448); 4121 #else 4122 TEST_UNAVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448); 4123 #endif 4124 goto exit; 4125 exit: 4126 MD_OR_USE_PSA_DONE(); 4127 } 4128 /* END_CASE */ 4129 4130 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4131 void tls13_resume_session_with_ticket() 4132 { 4133 int ret = -1; 4134 mbedtls_test_ssl_endpoint client_ep, server_ep; 4135 memset(&client_ep, 0, sizeof(client_ep)); 4136 memset(&server_ep, 0, sizeof(server_ep)); 4137 mbedtls_test_handshake_test_options client_options; 4138 mbedtls_test_handshake_test_options server_options; 4139 mbedtls_ssl_session saved_session; 4140 4141 mbedtls_test_init_handshake_options(&client_options); 4142 mbedtls_test_init_handshake_options(&server_options); 4143 mbedtls_ssl_session_init(&saved_session); 4144 4145 PSA_INIT(); 4146 4147 /* 4148 * Run first handshake to get a ticket from the server. 4149 */ 4150 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4151 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4152 4153 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4154 &saved_session); 4155 TEST_EQUAL(ret, 0); 4156 4157 /* 4158 * Prepare for handshake with the ticket. 4159 */ 4160 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4161 &client_options, NULL, NULL, NULL); 4162 TEST_EQUAL(ret, 0); 4163 4164 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4165 &server_options, NULL, NULL, NULL); 4166 TEST_EQUAL(ret, 0); 4167 4168 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4169 mbedtls_test_ticket_write, 4170 mbedtls_test_ticket_parse, 4171 NULL); 4172 TEST_EQUAL(ret, 0); 4173 4174 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4175 &(server_ep.socket), 1024); 4176 TEST_EQUAL(ret, 0); 4177 4178 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4179 TEST_EQUAL(ret, 0); 4180 4181 /* 4182 * Handshake with ticket. 4183 * 4184 * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not 4185 * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks 4186 * below. 4187 */ 4188 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4189 &(server_ep.ssl), &(client_ep.ssl), 4190 MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); 4191 4192 TEST_EQUAL(server_ep.ssl.handshake->resume, 1); 4193 TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1); 4194 TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode, 4195 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 4196 4197 exit: 4198 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4199 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4200 mbedtls_test_free_handshake_options(&client_options); 4201 mbedtls_test_free_handshake_options(&server_options); 4202 mbedtls_ssl_session_free(&saved_session); 4203 PSA_DONE(); 4204 } 4205 /* END_CASE */ 4206 4207 /* 4208 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is 4209 * a temporary workaround to not run the test in Windows-2013 where there is 4210 * an issue with mbedtls_vsnprintf(). 4211 */ 4212 /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4213 void tls13_read_early_data(int scenario) 4214 { 4215 int ret = -1; 4216 unsigned char buf[64]; 4217 const char *early_data = "This is early data."; 4218 size_t early_data_len = strlen(early_data); 4219 mbedtls_test_ssl_endpoint client_ep, server_ep; 4220 memset(&client_ep, 0, sizeof(client_ep)); 4221 memset(&server_ep, 0, sizeof(server_ep)); 4222 mbedtls_test_handshake_test_options client_options; 4223 mbedtls_test_handshake_test_options server_options; 4224 mbedtls_ssl_session saved_session; 4225 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; 4226 uint16_t group_list[3] = { 4227 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4228 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4229 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4230 }; 4231 4232 mbedtls_test_init_handshake_options(&client_options); 4233 mbedtls_test_init_handshake_options(&server_options); 4234 mbedtls_ssl_session_init(&saved_session); 4235 4236 PSA_INIT(); 4237 4238 /* 4239 * Run first handshake to get a ticket from the server. 4240 */ 4241 4242 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4243 client_options.group_list = group_list; 4244 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4245 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4246 server_options.group_list = group_list; 4247 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4248 4249 #if defined(MBEDTLS_SSL_ALPN) 4250 switch (scenario) { 4251 case TEST_EARLY_DATA_SAME_ALPN: 4252 case TEST_EARLY_DATA_DIFF_ALPN: 4253 case TEST_EARLY_DATA_NO_LATER_ALPN: 4254 client_options.alpn_list[0] = "ALPNExample"; 4255 client_options.alpn_list[1] = NULL; 4256 server_options.alpn_list[0] = "ALPNExample"; 4257 server_options.alpn_list[1] = NULL; 4258 break; 4259 } 4260 #endif 4261 4262 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4263 &saved_session); 4264 TEST_EQUAL(ret, 0); 4265 4266 /* 4267 * Prepare for handshake with the ticket. 4268 */ 4269 switch (scenario) { 4270 case TEST_EARLY_DATA_ACCEPTED: 4271 break; 4272 4273 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4274 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4275 break; 4276 4277 case TEST_EARLY_DATA_SERVER_REJECTS: 4278 mbedtls_debug_set_threshold(3); 4279 server_pattern.pattern = 4280 "EarlyData: deprotect and discard app data records."; 4281 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4282 break; 4283 4284 case TEST_EARLY_DATA_HRR: 4285 mbedtls_debug_set_threshold(3); 4286 server_pattern.pattern = 4287 "EarlyData: Ignore application message before 2nd ClientHello"; 4288 server_options.group_list = group_list + 1; 4289 break; 4290 #if defined(MBEDTLS_SSL_ALPN) 4291 case TEST_EARLY_DATA_SAME_ALPN: 4292 client_options.alpn_list[0] = "ALPNExample"; 4293 client_options.alpn_list[1] = NULL; 4294 server_options.alpn_list[0] = "ALPNExample"; 4295 server_options.alpn_list[1] = NULL; 4296 break; 4297 case TEST_EARLY_DATA_DIFF_ALPN: 4298 case TEST_EARLY_DATA_NO_INITIAL_ALPN: 4299 client_options.alpn_list[0] = "ALPNExample2"; 4300 client_options.alpn_list[1] = NULL; 4301 server_options.alpn_list[0] = "ALPNExample2"; 4302 server_options.alpn_list[1] = NULL; 4303 mbedtls_debug_set_threshold(3); 4304 server_pattern.pattern = 4305 "EarlyData: rejected, the selected ALPN is different " 4306 "from the one associated with the pre-shared key."; 4307 break; 4308 case TEST_EARLY_DATA_NO_LATER_ALPN: 4309 client_options.alpn_list[0] = NULL; 4310 server_options.alpn_list[0] = NULL; 4311 mbedtls_debug_set_threshold(3); 4312 server_pattern.pattern = 4313 "EarlyData: rejected, the selected ALPN is different " 4314 "from the one associated with the pre-shared key."; 4315 break; 4316 #endif 4317 4318 default: 4319 TEST_FAIL("Unknown scenario."); 4320 } 4321 4322 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4323 &client_options, NULL, NULL, NULL); 4324 TEST_EQUAL(ret, 0); 4325 4326 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 4327 server_options.srv_log_obj = &server_pattern; 4328 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4329 &server_options, NULL, NULL, NULL); 4330 TEST_EQUAL(ret, 0); 4331 4332 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4333 mbedtls_test_ticket_write, 4334 mbedtls_test_ticket_parse, 4335 NULL); 4336 4337 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4338 &(server_ep.socket), 1024); 4339 TEST_EQUAL(ret, 0); 4340 4341 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4342 TEST_EQUAL(ret, 0); 4343 4344 /* 4345 * Handshake with ticket and send early data. 4346 */ 4347 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4348 &(client_ep.ssl), &(server_ep.ssl), 4349 MBEDTLS_SSL_SERVER_HELLO), 0); 4350 4351 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 4352 (unsigned char *) early_data, 4353 early_data_len); 4354 4355 if (client_ep.ssl.early_data_state != 4356 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) { 4357 TEST_EQUAL(ret, early_data_len); 4358 } else { 4359 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4360 } 4361 4362 ret = mbedtls_test_move_handshake_to_state( 4363 &(server_ep.ssl), &(client_ep.ssl), 4364 MBEDTLS_SSL_HANDSHAKE_WRAPUP); 4365 4366 switch (scenario) { 4367 case TEST_EARLY_DATA_ACCEPTED: 4368 #if defined(MBEDTLS_SSL_ALPN) 4369 case TEST_EARLY_DATA_SAME_ALPN: 4370 #endif 4371 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 4372 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); 4373 TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), 4374 buf, sizeof(buf)), early_data_len); 4375 TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); 4376 break; 4377 4378 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4379 TEST_EQUAL(ret, 0); 4380 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); 4381 break; 4382 4383 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4384 case TEST_EARLY_DATA_HRR: 4385 #if defined(MBEDTLS_SSL_ALPN) 4386 case TEST_EARLY_DATA_DIFF_ALPN: 4387 case TEST_EARLY_DATA_NO_INITIAL_ALPN: 4388 case TEST_EARLY_DATA_NO_LATER_ALPN: 4389 #endif 4390 TEST_EQUAL(ret, 0); 4391 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); 4392 TEST_EQUAL(server_pattern.counter, 1); 4393 break; 4394 4395 default: 4396 TEST_FAIL("Unknown scenario."); 4397 } 4398 4399 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4400 &(server_ep.ssl), &(client_ep.ssl), 4401 MBEDTLS_SSL_HANDSHAKE_OVER), 0); 4402 4403 exit: 4404 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4405 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4406 mbedtls_test_free_handshake_options(&client_options); 4407 mbedtls_test_free_handshake_options(&server_options); 4408 mbedtls_ssl_session_free(&saved_session); 4409 mbedtls_debug_set_threshold(0); 4410 PSA_DONE(); 4411 } 4412 /* END_CASE */ 4413 4414 /* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4415 void tls13_cli_early_data_state(int scenario) 4416 { 4417 int ret = -1; 4418 mbedtls_test_ssl_endpoint client_ep, server_ep; 4419 memset(&client_ep, 0, sizeof(client_ep)); 4420 memset(&server_ep, 0, sizeof(server_ep)); 4421 mbedtls_test_handshake_test_options client_options; 4422 mbedtls_test_handshake_test_options server_options; 4423 mbedtls_ssl_session saved_session; 4424 uint16_t group_list[3] = { 4425 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4426 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4427 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4428 }; 4429 uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 4430 4431 mbedtls_test_init_handshake_options(&client_options); 4432 mbedtls_test_init_handshake_options(&server_options); 4433 mbedtls_ssl_session_init(&saved_session); 4434 4435 PSA_INIT(); 4436 4437 /* 4438 * Run first handshake to get a ticket from the server. 4439 */ 4440 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4441 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4442 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4443 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4444 if (scenario == TEST_EARLY_DATA_HRR) { 4445 client_options.group_list = group_list; 4446 server_options.group_list = group_list; 4447 } 4448 4449 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4450 &saved_session); 4451 TEST_EQUAL(ret, 0); 4452 4453 /* 4454 * Prepare for handshake with the ticket. 4455 */ 4456 switch (scenario) { 4457 case TEST_EARLY_DATA_ACCEPTED: 4458 break; 4459 4460 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4461 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4462 break; 4463 4464 case TEST_EARLY_DATA_SERVER_REJECTS: 4465 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4466 break; 4467 4468 case TEST_EARLY_DATA_HRR: 4469 server_options.group_list = group_list + 1; 4470 break; 4471 4472 default: 4473 TEST_FAIL("Unknown scenario."); 4474 } 4475 4476 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4477 &client_options, NULL, NULL, NULL); 4478 TEST_EQUAL(ret, 0); 4479 4480 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4481 &server_options, NULL, NULL, NULL); 4482 TEST_EQUAL(ret, 0); 4483 4484 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4485 mbedtls_test_ticket_write, 4486 mbedtls_test_ticket_parse, 4487 NULL); 4488 4489 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4490 &(server_ep.socket), 1024); 4491 TEST_EQUAL(ret, 0); 4492 4493 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4494 TEST_EQUAL(ret, 0); 4495 4496 /* 4497 * Go through the handshake sequence, state by state, checking the early 4498 * data status each time. 4499 */ 4500 do { 4501 int state = client_ep.ssl.state; 4502 4503 /* Progress the handshake from at least one state */ 4504 while (client_ep.ssl.state == state) { 4505 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); 4506 TEST_ASSERT((ret == 0) || 4507 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4508 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4509 if (client_ep.ssl.state != state) { 4510 break; 4511 } 4512 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); 4513 TEST_ASSERT((ret == 0) || 4514 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4515 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4516 } 4517 4518 if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { 4519 TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)), 4520 MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 4521 } 4522 4523 switch (client_ep.ssl.state) { 4524 case MBEDTLS_SSL_CLIENT_HELLO: 4525 switch (scenario) { 4526 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4527 case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */ 4528 case TEST_EARLY_DATA_SERVER_REJECTS: 4529 TEST_EQUAL(client_ep.ssl.early_data_state, 4530 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE); 4531 break; 4532 4533 case TEST_EARLY_DATA_HRR: 4534 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4535 TEST_EQUAL(client_ep.ssl.early_data_state, 4536 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE); 4537 } else { 4538 TEST_EQUAL(client_ep.ssl.early_data_state, 4539 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4540 } 4541 break; 4542 4543 default: 4544 TEST_FAIL("Unknown scenario."); 4545 } 4546 break; 4547 4548 case MBEDTLS_SSL_SERVER_HELLO: 4549 switch (scenario) { 4550 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4551 case TEST_EARLY_DATA_SERVER_REJECTS: 4552 TEST_EQUAL(client_ep.ssl.early_data_state, 4553 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4554 break; 4555 4556 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4557 TEST_EQUAL(client_ep.ssl.early_data_state, 4558 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4559 break; 4560 4561 case TEST_EARLY_DATA_HRR: 4562 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4563 TEST_EQUAL(client_ep.ssl.early_data_state, 4564 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4565 memcpy(client_random, 4566 client_ep.ssl.handshake->randbytes, 4567 MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 4568 } else { 4569 TEST_EQUAL(client_ep.ssl.early_data_state, 4570 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4571 TEST_MEMORY_COMPARE(client_random, 4572 MBEDTLS_CLIENT_HELLO_RANDOM_LEN, 4573 client_ep.ssl.handshake->randbytes, 4574 MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 4575 } 4576 break; 4577 4578 default: 4579 TEST_FAIL("Unknown scenario."); 4580 } 4581 break; 4582 4583 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: 4584 switch (scenario) { 4585 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4586 case TEST_EARLY_DATA_SERVER_REJECTS: 4587 TEST_EQUAL(client_ep.ssl.early_data_state, 4588 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4589 break; 4590 4591 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4592 TEST_EQUAL(client_ep.ssl.early_data_state, 4593 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4594 break; 4595 4596 case TEST_EARLY_DATA_HRR: 4597 TEST_EQUAL(client_ep.ssl.early_data_state, 4598 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4599 break; 4600 4601 default: 4602 TEST_FAIL("Unknown scenario."); 4603 } 4604 break; 4605 4606 case MBEDTLS_SSL_SERVER_FINISHED: 4607 switch (scenario) { 4608 case TEST_EARLY_DATA_ACCEPTED: 4609 TEST_EQUAL(client_ep.ssl.early_data_state, 4610 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED); 4611 break; 4612 4613 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4614 TEST_EQUAL(client_ep.ssl.early_data_state, 4615 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4616 break; 4617 4618 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4619 case TEST_EARLY_DATA_HRR: 4620 TEST_EQUAL(client_ep.ssl.early_data_state, 4621 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4622 break; 4623 4624 default: 4625 TEST_FAIL("Unknown scenario."); 4626 } 4627 break; 4628 4629 case MBEDTLS_SSL_END_OF_EARLY_DATA: 4630 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); 4631 TEST_EQUAL(client_ep.ssl.early_data_state, 4632 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4633 break; 4634 4635 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 4636 switch (scenario) { 4637 case TEST_EARLY_DATA_ACCEPTED: 4638 TEST_EQUAL(client_ep.ssl.early_data_state, 4639 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4640 break; 4641 4642 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4643 TEST_EQUAL(client_ep.ssl.early_data_state, 4644 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4645 break; 4646 4647 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4648 case TEST_EARLY_DATA_HRR: 4649 TEST_EQUAL(client_ep.ssl.early_data_state, 4650 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4651 break; 4652 4653 default: 4654 TEST_FAIL("Unknown scenario."); 4655 } 4656 break; 4657 4658 case MBEDTLS_SSL_CLIENT_FINISHED: 4659 switch (scenario) { 4660 case TEST_EARLY_DATA_ACCEPTED: 4661 TEST_EQUAL(client_ep.ssl.early_data_state, 4662 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4663 break; 4664 4665 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4666 TEST_EQUAL(client_ep.ssl.early_data_state, 4667 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4668 break; 4669 4670 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4671 case TEST_EARLY_DATA_HRR: 4672 TEST_EQUAL(client_ep.ssl.early_data_state, 4673 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4674 break; 4675 4676 default: 4677 TEST_FAIL("Unknown scenario."); 4678 } 4679 break; 4680 4681 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4682 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: 4683 switch (scenario) { 4684 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4685 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4686 case TEST_EARLY_DATA_HRR: 4687 TEST_EQUAL(client_ep.ssl.early_data_state, 4688 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT); 4689 break; 4690 4691 default: 4692 TEST_FAIL("Unexpected or unknown scenario."); 4693 } 4694 break; 4695 4696 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: 4697 TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR); 4698 TEST_EQUAL(client_ep.ssl.early_data_state, 4699 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4700 break; 4701 4702 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: 4703 switch (scenario) { 4704 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4705 TEST_EQUAL(client_ep.ssl.early_data_state, 4706 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4707 break; 4708 4709 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4710 case TEST_EARLY_DATA_HRR: 4711 TEST_EQUAL(client_ep.ssl.early_data_state, 4712 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4713 break; 4714 4715 default: 4716 TEST_FAIL("Unexpected or unknown scenario."); 4717 } 4718 break; 4719 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 4720 4721 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ 4722 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ 4723 case MBEDTLS_SSL_HANDSHAKE_OVER: 4724 switch (scenario) { 4725 case TEST_EARLY_DATA_ACCEPTED: 4726 TEST_EQUAL(client_ep.ssl.early_data_state, 4727 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4728 break; 4729 4730 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4731 TEST_EQUAL(client_ep.ssl.early_data_state, 4732 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4733 break; 4734 4735 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4736 case TEST_EARLY_DATA_HRR: 4737 TEST_EQUAL(client_ep.ssl.early_data_state, 4738 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4739 break; 4740 4741 default: 4742 TEST_FAIL("Unknown scenario."); 4743 } 4744 break; 4745 4746 default: 4747 TEST_FAIL("Unexpected state."); 4748 } 4749 } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER); 4750 4751 ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl)); 4752 switch (scenario) { 4753 case TEST_EARLY_DATA_ACCEPTED: 4754 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); 4755 break; 4756 4757 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4758 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED); 4759 break; 4760 4761 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4762 case TEST_EARLY_DATA_HRR: 4763 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); 4764 break; 4765 4766 default: 4767 TEST_FAIL("Unknown scenario."); 4768 } 4769 4770 ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl)); 4771 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 4772 4773 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4774 TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1); 4775 #endif 4776 4777 exit: 4778 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4779 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4780 mbedtls_test_free_handshake_options(&client_options); 4781 mbedtls_test_free_handshake_options(&server_options); 4782 mbedtls_ssl_session_free(&saved_session); 4783 PSA_DONE(); 4784 } 4785 /* END_CASE */ 4786 4787 /* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4788 void tls13_write_early_data(int scenario) 4789 { 4790 int ret = -1; 4791 mbedtls_test_ssl_endpoint client_ep, server_ep; 4792 memset(&client_ep, 0, sizeof(client_ep)); 4793 memset(&server_ep, 0, sizeof(server_ep)); 4794 mbedtls_test_handshake_test_options client_options; 4795 mbedtls_test_handshake_test_options server_options; 4796 mbedtls_ssl_session saved_session; 4797 uint16_t group_list[3] = { 4798 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4799 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4800 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4801 }; 4802 int beyond_first_hello = 0; 4803 4804 mbedtls_test_init_handshake_options(&client_options); 4805 mbedtls_test_init_handshake_options(&server_options); 4806 mbedtls_ssl_session_init(&saved_session); 4807 4808 PSA_INIT(); 4809 4810 /* 4811 * Run first handshake to get a ticket from the server. 4812 */ 4813 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4814 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4815 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4816 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4817 if (scenario == TEST_EARLY_DATA_HRR) { 4818 client_options.group_list = group_list; 4819 server_options.group_list = group_list; 4820 } 4821 4822 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4823 &saved_session); 4824 TEST_EQUAL(ret, 0); 4825 4826 /* 4827 * Prepare for handshake with the ticket. 4828 */ 4829 switch (scenario) { 4830 case TEST_EARLY_DATA_ACCEPTED: 4831 break; 4832 4833 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4834 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4835 break; 4836 4837 case TEST_EARLY_DATA_SERVER_REJECTS: 4838 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4839 break; 4840 4841 case TEST_EARLY_DATA_HRR: 4842 /* 4843 * Remove server support for the group negotiated in 4844 * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest. 4845 */ 4846 server_options.group_list = group_list + 1; 4847 break; 4848 4849 default: 4850 TEST_FAIL("Unknown scenario."); 4851 } 4852 4853 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4854 &client_options, NULL, NULL, NULL); 4855 TEST_EQUAL(ret, 0); 4856 4857 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4858 &server_options, NULL, NULL, NULL); 4859 TEST_EQUAL(ret, 0); 4860 4861 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4862 mbedtls_test_ticket_write, 4863 mbedtls_test_ticket_parse, 4864 NULL); 4865 4866 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4867 &(server_ep.socket), 1024); 4868 TEST_EQUAL(ret, 0); 4869 4870 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4871 TEST_EQUAL(ret, 0); 4872 4873 /* 4874 * Run handshakes going one state further in the handshake sequence at each 4875 * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER 4876 * state. For each reached handshake state, check the result of the call 4877 * to mbedtls_ssl_write_early_data(), make sure we can complete the 4878 * handshake successfully and then reset the connection to restart the 4879 * handshake from scratch. 4880 */ 4881 do { 4882 int client_state = client_ep.ssl.state; 4883 int previous_client_state; 4884 const char *early_data_string = "This is early data."; 4885 const unsigned char *early_data = (const unsigned char *) early_data_string; 4886 size_t early_data_len = strlen(early_data_string); 4887 int write_early_data_ret, read_early_data_ret; 4888 unsigned char read_buf[64]; 4889 4890 write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 4891 early_data, 4892 early_data_len); 4893 4894 if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) { 4895 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4896 TEST_EQUAL(client_ep.ssl.state, client_state); 4897 goto complete_handshake; 4898 } 4899 4900 switch (client_state) { 4901 case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */ 4902 case MBEDTLS_SSL_CLIENT_HELLO: 4903 switch (scenario) { 4904 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4905 case TEST_EARLY_DATA_SERVER_REJECTS: 4906 TEST_EQUAL(write_early_data_ret, early_data_len); 4907 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4908 break; 4909 4910 case TEST_EARLY_DATA_HRR: 4911 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4912 TEST_EQUAL(write_early_data_ret, early_data_len); 4913 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4914 } else { 4915 beyond_first_hello = 1; 4916 TEST_EQUAL(write_early_data_ret, 4917 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4918 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO); 4919 } 4920 break; 4921 4922 default: 4923 TEST_FAIL("Unknown scenario."); 4924 } 4925 break; 4926 4927 case MBEDTLS_SSL_SERVER_HELLO: 4928 switch (scenario) { 4929 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4930 case TEST_EARLY_DATA_SERVER_REJECTS: 4931 TEST_EQUAL(write_early_data_ret, early_data_len); 4932 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4933 break; 4934 4935 case TEST_EARLY_DATA_HRR: 4936 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4937 TEST_EQUAL(write_early_data_ret, early_data_len); 4938 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4939 } else { 4940 TEST_EQUAL(write_early_data_ret, 4941 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4942 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4943 } 4944 break; 4945 4946 default: 4947 TEST_FAIL("Unknown scenario."); 4948 } 4949 break; 4950 4951 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: 4952 switch (scenario) { 4953 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4954 case TEST_EARLY_DATA_SERVER_REJECTS: 4955 TEST_EQUAL(write_early_data_ret, early_data_len); 4956 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 4957 break; 4958 4959 case TEST_EARLY_DATA_HRR: 4960 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4961 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 4962 break; 4963 4964 default: 4965 TEST_FAIL("Unknown scenario."); 4966 } 4967 break; 4968 4969 case MBEDTLS_SSL_SERVER_FINISHED: 4970 switch (scenario) { 4971 case TEST_EARLY_DATA_ACCEPTED: 4972 TEST_EQUAL(write_early_data_ret, early_data_len); 4973 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4974 break; 4975 4976 case TEST_EARLY_DATA_SERVER_REJECTS: 4977 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4978 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4979 break; 4980 4981 case TEST_EARLY_DATA_HRR: 4982 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4983 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4984 break; 4985 4986 default: 4987 TEST_FAIL("Unknown scenario."); 4988 } 4989 break; 4990 4991 case MBEDTLS_SSL_END_OF_EARLY_DATA: 4992 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); 4993 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4994 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA); 4995 break; 4996 4997 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4998 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: 4999 switch (scenario) { 5000 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 5001 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 5002 case TEST_EARLY_DATA_HRR: 5003 TEST_EQUAL(write_early_data_ret, early_data_len); 5004 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 5005 break; 5006 default: 5007 TEST_FAIL("Unknown scenario."); 5008 } 5009 break; 5010 5011 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: 5012 TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR); 5013 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 5014 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); 5015 break; 5016 5017 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: 5018 switch (scenario) { 5019 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 5020 case TEST_EARLY_DATA_HRR: 5021 TEST_EQUAL(write_early_data_ret, 5022 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 5023 TEST_EQUAL(client_ep.ssl.state, 5024 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); 5025 break; 5026 default: 5027 TEST_FAIL("Unexpected or unknown scenario."); 5028 } 5029 break; 5030 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 5031 5032 case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */ 5033 case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */ 5034 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ 5035 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ 5036 case MBEDTLS_SSL_HANDSHAKE_OVER: 5037 switch (scenario) { 5038 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 5039 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 5040 case TEST_EARLY_DATA_HRR: 5041 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 5042 TEST_EQUAL(client_ep.ssl.state, client_state); 5043 break; 5044 default: 5045 TEST_FAIL("Unknown scenario."); 5046 } 5047 break; 5048 5049 default: 5050 TEST_FAIL("Unexpected state."); 5051 } 5052 5053 complete_handshake: 5054 do { 5055 ret = mbedtls_test_move_handshake_to_state( 5056 &(server_ep.ssl), &(client_ep.ssl), 5057 MBEDTLS_SSL_HANDSHAKE_OVER); 5058 5059 if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { 5060 read_early_data_ret = mbedtls_ssl_read_early_data( 5061 &(server_ep.ssl), read_buf, sizeof(read_buf)); 5062 5063 TEST_EQUAL(read_early_data_ret, early_data_len); 5064 } 5065 } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 5066 5067 TEST_EQUAL(ret, 0); 5068 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 5069 &(client_ep.ssl), &(server_ep.ssl), 5070 MBEDTLS_SSL_HANDSHAKE_OVER), 0); 5071 5072 mbedtls_test_mock_socket_close(&(client_ep.socket)); 5073 mbedtls_test_mock_socket_close(&(server_ep.socket)); 5074 5075 ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); 5076 TEST_EQUAL(ret, 0); 5077 5078 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 5079 TEST_EQUAL(ret, 0); 5080 5081 ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); 5082 TEST_EQUAL(ret, 0); 5083 5084 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 5085 &(server_ep.socket), 1024); 5086 TEST_EQUAL(ret, 0); 5087 5088 previous_client_state = client_state; 5089 if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) { 5090 break; 5091 } 5092 5093 /* In case of HRR scenario, once we have been through it, move over 5094 * the first ClientHello and ServerHello otherwise we just keep playing 5095 * this first part of the handshake with HRR. 5096 */ 5097 if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) { 5098 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 5099 &(client_ep.ssl), &(server_ep.ssl), 5100 MBEDTLS_SSL_SERVER_HELLO) == 0); 5101 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 5102 &(client_ep.ssl), &(server_ep.ssl), 5103 MBEDTLS_SSL_CLIENT_HELLO) == 0); 5104 } 5105 5106 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 5107 &(client_ep.ssl), &(server_ep.ssl), 5108 previous_client_state), 0); 5109 5110 /* Progress the handshake from at least one state */ 5111 while (client_ep.ssl.state == previous_client_state) { 5112 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); 5113 TEST_ASSERT((ret == 0) || 5114 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 5115 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 5116 if (client_ep.ssl.state != previous_client_state) { 5117 break; 5118 } 5119 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); 5120 TEST_ASSERT((ret == 0) || 5121 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 5122 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 5123 } 5124 } while (1); 5125 5126 exit: 5127 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5128 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5129 mbedtls_test_free_handshake_options(&client_options); 5130 mbedtls_test_free_handshake_options(&server_options); 5131 mbedtls_ssl_session_free(&saved_session); 5132 PSA_DONE(); 5133 } 5134 /* END_CASE */ 5135 5136 /* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 5137 void tls13_cli_max_early_data_size(int max_early_data_size_arg) 5138 { 5139 int ret = -1; 5140 mbedtls_test_ssl_endpoint client_ep, server_ep; 5141 memset(&client_ep, 0, sizeof(client_ep)); 5142 memset(&server_ep, 0, sizeof(server_ep)); 5143 mbedtls_test_handshake_test_options client_options; 5144 mbedtls_test_handshake_test_options server_options; 5145 mbedtls_ssl_session saved_session; 5146 unsigned char *buf = NULL; 5147 uint32_t buf_size = 64; 5148 uint32_t max_early_data_size; 5149 uint32_t written_early_data_size = 0; 5150 uint32_t read_early_data_size = 0; 5151 5152 mbedtls_test_init_handshake_options(&client_options); 5153 mbedtls_test_init_handshake_options(&server_options); 5154 mbedtls_ssl_session_init(&saved_session); 5155 5156 PSA_INIT(); 5157 TEST_CALLOC(buf, buf_size); 5158 5159 /* 5160 * Run first handshake to get a ticket from the server. 5161 */ 5162 5163 client_options.pk_alg = MBEDTLS_PK_ECDSA; 5164 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 5165 server_options.pk_alg = MBEDTLS_PK_ECDSA; 5166 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 5167 server_options.max_early_data_size = max_early_data_size_arg; 5168 5169 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 5170 &saved_session); 5171 TEST_EQUAL(ret, 0); 5172 5173 /* 5174 * Prepare for handshake with the ticket. 5175 */ 5176 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 5177 &client_options, NULL, NULL, NULL); 5178 TEST_EQUAL(ret, 0); 5179 5180 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 5181 &server_options, NULL, NULL, NULL); 5182 TEST_EQUAL(ret, 0); 5183 5184 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 5185 mbedtls_test_ticket_write, 5186 mbedtls_test_ticket_parse, 5187 NULL); 5188 5189 max_early_data_size = saved_session.max_early_data_size; 5190 /* 5191 * (max_early_data_size + 1024) for the size of the socket buffers for the 5192 * server one to be able to contain the maximum number of early data bytes 5193 * plus the first flight of client messages. Needed because we cannot 5194 * initiate the handshake on server side before doing all the calls to 5195 * mbedtls_ssl_write_early_data() we want to test. See below for more 5196 * information. 5197 */ 5198 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 5199 &(server_ep.socket), 5200 max_early_data_size + 1024); 5201 TEST_EQUAL(ret, 0); 5202 5203 /* If our server is configured with max_early_data_size equal to zero, it 5204 * does not set the MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA flag for 5205 * the tickets it creates. To be able to test early data with a ticket 5206 * allowing early data in its flags but with max_early_data_size equal to 5207 * zero (case supported by our client) tweak the ticket flags here. 5208 */ 5209 if (max_early_data_size == 0) { 5210 saved_session.ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; 5211 } 5212 5213 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 5214 TEST_EQUAL(ret, 0); 5215 5216 while (written_early_data_size < max_early_data_size) { 5217 uint32_t remaining = max_early_data_size - written_early_data_size; 5218 5219 for (size_t i = 0; i < buf_size; i++) { 5220 buf[i] = (unsigned char) (written_early_data_size + i); 5221 } 5222 5223 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 5224 buf, 5225 buf_size); 5226 5227 if (buf_size <= remaining) { 5228 TEST_EQUAL(ret, buf_size); 5229 } else { 5230 TEST_EQUAL(ret, remaining); 5231 } 5232 written_early_data_size += buf_size; 5233 } 5234 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size); 5235 5236 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), buf, 1); 5237 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 5238 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size); 5239 TEST_EQUAL(client_ep.ssl.early_data_state, 5240 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 5241 5242 /* 5243 * Now, check data on server side. It is not done in the previous loop as 5244 * in the first call to mbedtls_ssl_handshake(), the server ends up sending 5245 * its Finished message and then in the following call to 5246 * mbedtls_ssl_write_early_data() we go past the early data writing window 5247 * and we cannot test multiple calls to the API is this writing window. 5248 */ 5249 while (read_early_data_size < max_early_data_size) { 5250 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5251 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 5252 5253 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), 5254 buf, 5255 buf_size); 5256 TEST_ASSERT(ret > 0); 5257 5258 for (size_t i = 0; i < (size_t) ret; i++) { 5259 TEST_EQUAL(buf[i], (unsigned char) (read_early_data_size + i)); 5260 } 5261 5262 read_early_data_size += ret; 5263 } 5264 TEST_EQUAL(read_early_data_size, max_early_data_size); 5265 5266 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5267 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 5268 5269 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 5270 &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_HANDSHAKE_OVER) 5271 == 0); 5272 5273 exit: 5274 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5275 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5276 mbedtls_test_free_handshake_options(&client_options); 5277 mbedtls_test_free_handshake_options(&server_options); 5278 mbedtls_ssl_session_free(&saved_session); 5279 mbedtls_free(buf); 5280 PSA_DONE(); 5281 } 5282 /* END_CASE */ 5283 5284 /* 5285 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is 5286 * a temporary workaround to not run the test in Windows-2013 where there is 5287 * an issue with mbedtls_vsnprintf(). 5288 */ 5289 /* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 5290 void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg) 5291 { 5292 int ret = -1; 5293 mbedtls_test_ssl_endpoint client_ep, server_ep; 5294 memset(&client_ep, 0, sizeof(client_ep)); 5295 memset(&server_ep, 0, sizeof(server_ep)); 5296 mbedtls_test_handshake_test_options client_options; 5297 mbedtls_test_handshake_test_options server_options; 5298 mbedtls_ssl_session saved_session; 5299 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; 5300 uint16_t group_list[3] = { 5301 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5302 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5303 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5304 }; 5305 char pattern[128]; 5306 unsigned char *buf_write = NULL; 5307 uint32_t write_size = (uint32_t) write_size_arg; 5308 unsigned char *buf_read = NULL; 5309 uint32_t read_size; 5310 uint32_t expanded_early_data_chunk_size = 0; 5311 uint32_t written_early_data_size = 0; 5312 uint32_t max_early_data_size; 5313 5314 mbedtls_test_init_handshake_options(&client_options); 5315 mbedtls_test_init_handshake_options(&server_options); 5316 mbedtls_ssl_session_init(&saved_session); 5317 PSA_INIT(); 5318 5319 TEST_CALLOC(buf_write, write_size); 5320 5321 /* 5322 * Allocate a smaller buffer for early data reading to exercise the reading 5323 * of data in one record in multiple calls. 5324 */ 5325 read_size = (write_size / 2) + 1; 5326 TEST_CALLOC(buf_read, read_size); 5327 5328 /* 5329 * Run first handshake to get a ticket from the server. 5330 */ 5331 5332 client_options.pk_alg = MBEDTLS_PK_ECDSA; 5333 client_options.group_list = group_list; 5334 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 5335 server_options.pk_alg = MBEDTLS_PK_ECDSA; 5336 server_options.group_list = group_list; 5337 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 5338 server_options.max_early_data_size = max_early_data_size_arg; 5339 5340 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 5341 &saved_session); 5342 TEST_EQUAL(ret, 0); 5343 5344 /* 5345 * Prepare for handshake with the ticket. 5346 */ 5347 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 5348 server_options.srv_log_obj = &server_pattern; 5349 server_pattern.pattern = pattern; 5350 5351 switch (scenario) { 5352 case TEST_EARLY_DATA_ACCEPTED: 5353 break; 5354 5355 case TEST_EARLY_DATA_SERVER_REJECTS: 5356 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 5357 ret = mbedtls_snprintf(pattern, sizeof(pattern), 5358 "EarlyData: deprotect and discard app data records."); 5359 TEST_ASSERT(ret < (int) sizeof(pattern)); 5360 mbedtls_debug_set_threshold(3); 5361 break; 5362 5363 case TEST_EARLY_DATA_HRR: 5364 /* 5365 * Remove server support for the group negotiated in 5366 * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest. 5367 */ 5368 server_options.group_list = group_list + 1; 5369 ret = mbedtls_snprintf( 5370 pattern, sizeof(pattern), 5371 "EarlyData: Ignore application message before 2nd ClientHello"); 5372 TEST_ASSERT(ret < (int) sizeof(pattern)); 5373 mbedtls_debug_set_threshold(3); 5374 break; 5375 5376 default: 5377 TEST_FAIL("Unknown scenario."); 5378 } 5379 5380 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 5381 &client_options, NULL, NULL, NULL); 5382 TEST_EQUAL(ret, 0); 5383 5384 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 5385 &server_options, NULL, NULL, NULL); 5386 TEST_EQUAL(ret, 0); 5387 5388 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 5389 mbedtls_test_ticket_write, 5390 mbedtls_test_ticket_parse, 5391 NULL); 5392 5393 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 5394 &(server_ep.socket), 1024); 5395 TEST_EQUAL(ret, 0); 5396 5397 max_early_data_size = saved_session.max_early_data_size; 5398 5399 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 5400 TEST_EQUAL(ret, 0); 5401 5402 /* 5403 * Start an handshake based on the ticket up to the point where early data 5404 * can be sent from client side. Then send in a loop as much early data as 5405 * possible without going over the maximum permitted size for the ticket. 5406 * Finally, do a last writting to go past that maximum permitted size and 5407 * check that we detect it. 5408 */ 5409 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 5410 &(client_ep.ssl), &(server_ep.ssl), 5411 MBEDTLS_SSL_SERVER_HELLO), 0); 5412 5413 TEST_ASSERT(client_ep.ssl.early_data_state != 5414 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 5415 5416 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5417 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 5418 5419 /* 5420 * Write and if possible read as much as possible chunks of write_size 5421 * bytes data without getting over the max_early_data_size limit. 5422 */ 5423 do { 5424 uint32_t read_early_data_size = 0; 5425 5426 /* 5427 * The contents of the early data are not very important, write a 5428 * pattern that varies byte-by-byte and is different for every chunk of 5429 * early data. 5430 */ 5431 if ((written_early_data_size + write_size) > max_early_data_size) { 5432 break; 5433 } 5434 5435 /* 5436 * If the server rejected early data, base the determination of when 5437 * to stop the loop on the expanded size (padding and encryption 5438 * expansion) of early data on server side and the number of early data 5439 * received so far by the server (multiple of the expanded size). 5440 */ 5441 if ((expanded_early_data_chunk_size != 0) && 5442 ((server_ep.ssl.total_early_data_size + 5443 expanded_early_data_chunk_size) > max_early_data_size)) { 5444 break; 5445 } 5446 5447 for (size_t i = 0; i < write_size; i++) { 5448 buf_write[i] = (unsigned char) (written_early_data_size + i); 5449 } 5450 5451 ret = write_early_data(&(client_ep.ssl), buf_write, write_size); 5452 TEST_EQUAL(ret, write_size); 5453 written_early_data_size += write_size; 5454 5455 switch (scenario) { 5456 case TEST_EARLY_DATA_ACCEPTED: 5457 while (read_early_data_size < write_size) { 5458 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5459 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 5460 5461 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), 5462 buf_read, read_size); 5463 TEST_ASSERT(ret > 0); 5464 5465 TEST_MEMORY_COMPARE(buf_read, ret, 5466 buf_write + read_early_data_size, ret); 5467 read_early_data_size += ret; 5468 5469 TEST_EQUAL(server_ep.ssl.total_early_data_size, 5470 written_early_data_size); 5471 } 5472 break; 5473 5474 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 5475 case TEST_EARLY_DATA_HRR: 5476 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5477 /* 5478 * In this write loop we try to always stay below the 5479 * max_early_data_size limit but if max_early_data_size is very 5480 * small we may exceed the max_early_data_size limit on the 5481 * first write. In TEST_EARLY_DATA_SERVER_REJECTS/ 5482 * TEST_EARLY_DATA_HRR scenario, this is for sure the case if 5483 * max_early_data_size is smaller than the smallest possible 5484 * inner content/protected record. Take into account this 5485 * possibility here but only for max_early_data_size values 5486 * that are close to write_size. Below, '1' is for the inner 5487 * type byte and '16' is to take into account some AEAD 5488 * expansion (tag, ...). 5489 */ 5490 if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { 5491 if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) { 5492 TEST_LE_U(max_early_data_size, 5493 write_size + 1 + 5494 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); 5495 } else { 5496 TEST_LE_U(max_early_data_size, 5497 write_size + 1 + 16 + 5498 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); 5499 } 5500 goto exit; 5501 } 5502 5503 TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ); 5504 5505 TEST_EQUAL(server_pattern.counter, 1); 5506 server_pattern.counter = 0; 5507 if (expanded_early_data_chunk_size == 0) { 5508 expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size; 5509 } 5510 break; 5511 } 5512 TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size); 5513 } while (1); 5514 5515 mbedtls_debug_set_threshold(3); 5516 ret = write_early_data(&(client_ep.ssl), buf_write, write_size); 5517 TEST_EQUAL(ret, write_size); 5518 5519 ret = mbedtls_snprintf(pattern, sizeof(pattern), 5520 "EarlyData: Too much early data received"); 5521 TEST_ASSERT(ret < (int) sizeof(pattern)); 5522 5523 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5524 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); 5525 TEST_EQUAL(server_pattern.counter, 1); 5526 5527 exit: 5528 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5529 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5530 mbedtls_test_free_handshake_options(&client_options); 5531 mbedtls_test_free_handshake_options(&server_options); 5532 mbedtls_ssl_session_free(&saved_session); 5533 mbedtls_free(buf_write); 5534 mbedtls_free(buf_read); 5535 mbedtls_debug_set_threshold(0); 5536 PSA_DONE(); 5537 } 5538 /* END_CASE */ 5539 5540 /* BEGIN_CASE depends_on:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5541 void inject_client_content_on_the_wire(int pk_alg, 5542 int state, data_t *data, 5543 char *log_pattern, int expected_ret) 5544 { 5545 /* This function allows us to inject content at a specific state 5546 * in the handshake, or when it's completed. The content is injected 5547 * on the mock TCP socket, as if we were an active network attacker. 5548 * 5549 * This function is suitable to inject: 5550 * - crafted records, at any point; 5551 * - valid records that contain crafted handshake messages, but only 5552 * when the traffic is still unprotected (for TLS 1.2 that's most of the 5553 * handshake, for TLS 1.3 that's only the Hello messages); 5554 * - handshake messages that are fragmented in a specific way, 5555 * under the same conditions as above. 5556 */ 5557 enum { BUFFSIZE = 16384 }; 5558 mbedtls_test_ssl_endpoint server, client; 5559 mbedtls_platform_zeroize(&server, sizeof(server)); 5560 mbedtls_platform_zeroize(&client, sizeof(client)); 5561 mbedtls_test_handshake_test_options options; 5562 mbedtls_test_init_handshake_options(&options); 5563 mbedtls_test_ssl_log_pattern srv_pattern; 5564 memset(&srv_pattern, 0, sizeof(srv_pattern)); 5565 int ret = -1; 5566 5567 PSA_INIT(); 5568 5569 srv_pattern.pattern = log_pattern; 5570 options.srv_log_obj = &srv_pattern; 5571 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 5572 mbedtls_debug_set_threshold(3); 5573 5574 options.pk_alg = pk_alg; 5575 5576 ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 5577 &options, NULL, NULL, NULL); 5578 TEST_EQUAL(ret, 0); 5579 5580 ret = mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 5581 &options, NULL, NULL, NULL); 5582 TEST_EQUAL(ret, 0); 5583 5584 ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket, 5585 BUFFSIZE); 5586 TEST_EQUAL(ret, 0); 5587 5588 /* Make the server move to the required state */ 5589 ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, state); 5590 TEST_EQUAL(ret, 0); 5591 5592 /* Send the crafted message */ 5593 ret = mbedtls_test_mock_tcp_send_b(&client.socket, data->x, data->len); 5594 TEST_EQUAL(ret, (int) data->len); 5595 5596 /* Have the server process it. 5597 * Need the loop because a server that support 1.3 and 1.2 5598 * will process a 1.2 ClientHello in two steps. 5599 */ 5600 do { 5601 ret = mbedtls_ssl_handshake_step(&server.ssl); 5602 } while (ret == 0 && server.ssl.state == state); 5603 TEST_EQUAL(ret, expected_ret); 5604 TEST_ASSERT(srv_pattern.counter >= 1); 5605 5606 exit: 5607 mbedtls_test_free_handshake_options(&options); 5608 mbedtls_test_ssl_endpoint_free(&server, NULL); 5609 mbedtls_test_ssl_endpoint_free(&client, NULL); 5610 mbedtls_debug_set_threshold(0); 5611 PSA_DONE(); 5612 } 5613 /* END_CASE */ 5614 5615 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_PK_CAN_ECDSA_VERIFY */ 5616 void send_large_fragmented_hello(int hs_len_int, int first_frag_content_len_int, 5617 char *log_pattern, int expected_ret) 5618 { 5619 /* This function sends a long message (claiming to be a ClientHello) 5620 * fragmented in 1-byte fragments (except the initial fragment). 5621 * The purpose is to test how the stack reacts when receiving: 5622 * - a message larger than our buffer; 5623 * - a message smaller than our buffer, but where the intermediate size of 5624 * holding all the fragments (including overhead) is larger than our 5625 * buffer. 5626 */ 5627 enum { BUFFSIZE = 16384 }; 5628 mbedtls_test_ssl_endpoint server, client; 5629 mbedtls_platform_zeroize(&server, sizeof(server)); 5630 mbedtls_platform_zeroize(&client, sizeof(client)); 5631 5632 mbedtls_test_handshake_test_options options; 5633 mbedtls_test_init_handshake_options(&options); 5634 5635 mbedtls_test_ssl_log_pattern srv_pattern; 5636 memset(&srv_pattern, 0, sizeof(srv_pattern)); 5637 5638 unsigned char *first_frag = NULL; 5639 int ret = -1; 5640 5641 size_t hs_len = (size_t) hs_len_int; 5642 size_t first_frag_content_len = (size_t) first_frag_content_len_int; 5643 5644 PSA_INIT(); 5645 5646 srv_pattern.pattern = log_pattern; 5647 options.srv_log_obj = &srv_pattern; 5648 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 5649 mbedtls_debug_set_threshold(1); 5650 5651 // Does't really matter but we want to know to declare dependencies. 5652 options.pk_alg = MBEDTLS_PK_ECDSA; 5653 5654 ret = mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 5655 &options, NULL, NULL, NULL); 5656 TEST_EQUAL(ret, 0); 5657 5658 ret = mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 5659 &options, NULL, NULL, NULL); 5660 TEST_EQUAL(ret, 0); 5661 5662 ret = mbedtls_test_mock_socket_connect(&server.socket, &client.socket, 5663 BUFFSIZE); 5664 TEST_EQUAL(ret, 0); 5665 5666 /* Make the server move past the initial dummy state */ 5667 ret = mbedtls_test_move_handshake_to_state(&client.ssl, &server.ssl, 5668 MBEDTLS_SSL_CLIENT_HELLO); 5669 TEST_EQUAL(ret, 0); 5670 5671 /* Prepare initial fragment */ 5672 const size_t first_len = 5 // record header, see below 5673 + 4 // handshake header, see balow 5674 + first_frag_content_len; 5675 TEST_CALLOC(first_frag, first_len); 5676 unsigned char *p = first_frag; 5677 // record header 5678 // record type: handshake 5679 *p++ = 0x16, 5680 // record version (actually common to TLS 1.2 and TLS 1.3) 5681 *p++ = 0x03, 5682 *p++ = 0x03, 5683 // record length: two bytes 5684 *p++ = (unsigned char) (((4 + first_frag_content_len) >> 8) & 0xff); 5685 *p++ = (unsigned char) (((4 + first_frag_content_len) >> 0) & 0xff); 5686 // handshake header 5687 // handshake type: ClientHello 5688 *p++ = 0x01, 5689 // handshake length: three bytes 5690 *p++ = (unsigned char) ((hs_len >> 16) & 0xff); 5691 *p++ = (unsigned char) ((hs_len >> 8) & 0xff); 5692 *p++ = (unsigned char) ((hs_len >> 0) & 0xff); 5693 // handshake content: dummy value 5694 memset(p, 0x2a, first_frag_content_len); 5695 5696 /* Send initial fragment and have the server process it. */ 5697 ret = mbedtls_test_mock_tcp_send_b(&client.socket, first_frag, first_len); 5698 TEST_ASSERT(ret >= 0 && (size_t) ret == first_len); 5699 5700 ret = mbedtls_ssl_handshake_step(&server.ssl); 5701 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 5702 5703 /* Dummy 1-byte fragment to repeatedly send next */ 5704 const unsigned char next[] = { 5705 0x16, 0x03, 0x03, 0x00, 0x01, // record header (see above) 5706 0x2a, // Dummy handshake message content 5707 }; 5708 for (size_t left = hs_len - first_frag_content_len; left != 0; left--) { 5709 ret = mbedtls_test_mock_tcp_send_b(&client.socket, next, sizeof(next)); 5710 TEST_ASSERT(ret >= 0 && (size_t) ret == sizeof(next)); 5711 5712 ret = mbedtls_ssl_handshake_step(&server.ssl); 5713 if (ret != MBEDTLS_ERR_SSL_WANT_READ) { 5714 break; 5715 } 5716 } 5717 TEST_EQUAL(ret, expected_ret); 5718 TEST_EQUAL(srv_pattern.counter, 1); 5719 5720 exit: 5721 mbedtls_test_free_handshake_options(&options); 5722 mbedtls_test_ssl_endpoint_free(&server, NULL); 5723 mbedtls_test_ssl_endpoint_free(&client, NULL); 5724 mbedtls_debug_set_threshold(0); 5725 mbedtls_free(first_frag); 5726 PSA_DONE(); 5727 } 5728 /* END_CASE */ 5729 5730 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5731 void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context) 5732 { 5733 /* Test that the client and server generate the same key. */ 5734 5735 int ret = -1; 5736 uint8_t *key_buffer_server = NULL; 5737 uint8_t *key_buffer_client = NULL; 5738 mbedtls_test_ssl_endpoint client_ep, server_ep; 5739 memset(&client_ep, 0, sizeof(client_ep)); 5740 memset(&server_ep, 0, sizeof(server_ep)); 5741 mbedtls_test_handshake_test_options options; 5742 5743 MD_OR_USE_PSA_INIT(); 5744 5745 ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); 5746 TEST_ASSERT(ret == 0); 5747 5748 TEST_ASSERT(exported_key_length > 0); 5749 TEST_CALLOC(key_buffer_server, exported_key_length); 5750 TEST_CALLOC(key_buffer_client, exported_key_length); 5751 5752 memset(key_buffer_server, 0, exported_key_length); 5753 memset(key_buffer_client, 0, exported_key_length); 5754 5755 char label[] = "test-label"; 5756 unsigned char context[128] = { 0 }; 5757 ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, 5758 key_buffer_server, (size_t) exported_key_length, 5759 label, sizeof(label), 5760 context, sizeof(context), use_context); 5761 TEST_ASSERT(ret == 0); 5762 ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, 5763 key_buffer_client, (size_t) exported_key_length, 5764 label, sizeof(label), 5765 context, sizeof(context), use_context); 5766 TEST_ASSERT(ret == 0); 5767 TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t) exported_key_length) == 0); 5768 5769 exit: 5770 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5771 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5772 mbedtls_test_free_handshake_options(&options); 5773 mbedtls_free(key_buffer_server); 5774 mbedtls_free(key_buffer_client); 5775 MD_OR_USE_PSA_DONE(); 5776 } 5777 /* END_CASE */ 5778 5779 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5780 void ssl_tls_exporter_uses_label(int proto) 5781 { 5782 /* Test that the client and server export different keys when using different labels. */ 5783 5784 int ret = -1; 5785 mbedtls_test_ssl_endpoint client_ep, server_ep; 5786 memset(&client_ep, 0, sizeof(client_ep)); 5787 memset(&server_ep, 0, sizeof(server_ep)); 5788 mbedtls_test_handshake_test_options options; 5789 5790 MD_OR_USE_PSA_INIT(); 5791 5792 ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); 5793 TEST_ASSERT(ret == 0); 5794 5795 char label_server[] = "test-label-server"; 5796 char label_client[] = "test-label-client"; 5797 uint8_t key_buffer_server[24] = { 0 }; 5798 uint8_t key_buffer_client[24] = { 0 }; 5799 unsigned char context[128] = { 0 }; 5800 ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, 5801 key_buffer_server, sizeof(key_buffer_server), 5802 label_server, sizeof(label_server), 5803 context, sizeof(context), 1); 5804 TEST_ASSERT(ret == 0); 5805 ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, 5806 key_buffer_client, sizeof(key_buffer_client), 5807 label_client, sizeof(label_client), 5808 context, sizeof(context), 1); 5809 TEST_ASSERT(ret == 0); 5810 TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); 5811 5812 exit: 5813 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5814 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5815 mbedtls_test_free_handshake_options(&options); 5816 MD_OR_USE_PSA_DONE(); 5817 } 5818 /* END_CASE */ 5819 5820 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5821 void ssl_tls_exporter_uses_context(int proto) 5822 { 5823 /* Test that the client and server export different keys when using different contexts. */ 5824 5825 int ret = -1; 5826 mbedtls_test_ssl_endpoint client_ep, server_ep; 5827 memset(&client_ep, 0, sizeof(client_ep)); 5828 memset(&server_ep, 0, sizeof(server_ep)); 5829 mbedtls_test_handshake_test_options options; 5830 5831 MD_OR_USE_PSA_INIT(); 5832 5833 ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); 5834 TEST_ASSERT(ret == 0); 5835 5836 char label[] = "test-label"; 5837 uint8_t key_buffer_server[24] = { 0 }; 5838 uint8_t key_buffer_client[24] = { 0 }; 5839 unsigned char context_server[128] = { 0 }; 5840 unsigned char context_client[128] = { 23 }; 5841 ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, 5842 key_buffer_server, sizeof(key_buffer_server), 5843 label, sizeof(label), 5844 context_server, sizeof(context_server), 1); 5845 TEST_ASSERT(ret == 0); 5846 ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, 5847 key_buffer_client, sizeof(key_buffer_client), 5848 label, sizeof(label), 5849 context_client, sizeof(context_client), 1); 5850 TEST_ASSERT(ret == 0); 5851 TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); 5852 5853 exit: 5854 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5855 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5856 mbedtls_test_free_handshake_options(&options); 5857 MD_OR_USE_PSA_DONE(); 5858 } 5859 /* END_CASE */ 5860 5861 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5862 void ssl_tls13_exporter_uses_length(void) 5863 { 5864 /* In TLS 1.3, when two keys are exported with the same parameters except one is shorter, 5865 * the shorter key should NOT be a prefix of the longer one. */ 5866 5867 int ret = -1; 5868 mbedtls_test_ssl_endpoint client_ep, server_ep; 5869 memset(&client_ep, 0, sizeof(client_ep)); 5870 memset(&server_ep, 0, sizeof(server_ep)); 5871 mbedtls_test_handshake_test_options options; 5872 5873 MD_OR_USE_PSA_INIT(); 5874 5875 ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, 5876 &client_ep, 5877 &options, 5878 MBEDTLS_SSL_VERSION_TLS1_3); 5879 TEST_ASSERT(ret == 0); 5880 5881 char label[] = "test-label"; 5882 uint8_t key_buffer_server[16] = { 0 }; 5883 uint8_t key_buffer_client[24] = { 0 }; 5884 unsigned char context[128] = { 0 }; 5885 ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, 5886 key_buffer_server, sizeof(key_buffer_server), 5887 label, sizeof(label), 5888 context, sizeof(context), 1); 5889 TEST_ASSERT(ret == 0); 5890 ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, 5891 key_buffer_client, sizeof(key_buffer_client), 5892 label, sizeof(label), 5893 context, sizeof(context), 1); 5894 TEST_ASSERT(ret == 0); 5895 TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); 5896 5897 exit: 5898 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5899 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5900 mbedtls_test_free_handshake_options(&options); 5901 MD_OR_USE_PSA_DONE(); 5902 } 5903 /* END_CASE */ 5904 5905 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5906 void ssl_tls_exporter_rejects_bad_parameters( 5907 int proto, int exported_key_length, int label_length, int context_length) 5908 { 5909 int ret = -1; 5910 uint8_t *key_buffer = NULL; 5911 char *label = NULL; 5912 uint8_t *context = NULL; 5913 mbedtls_test_ssl_endpoint client_ep, server_ep; 5914 memset(&client_ep, 0, sizeof(client_ep)); 5915 memset(&server_ep, 0, sizeof(server_ep)); 5916 mbedtls_test_handshake_test_options options; 5917 5918 TEST_ASSERT(exported_key_length > 0); 5919 TEST_ASSERT(label_length > 0); 5920 TEST_ASSERT(context_length > 0); 5921 TEST_CALLOC(key_buffer, exported_key_length); 5922 TEST_CALLOC(label, label_length); 5923 TEST_CALLOC(context, context_length); 5924 5925 MD_OR_USE_PSA_INIT(); 5926 5927 ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, &options, proto); 5928 TEST_ASSERT(ret == 0); 5929 5930 ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, 5931 key_buffer, exported_key_length, 5932 label, label_length, 5933 context, context_length, 1); 5934 TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 5935 5936 exit: 5937 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5938 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5939 mbedtls_test_free_handshake_options(&options); 5940 mbedtls_free(key_buffer); 5941 mbedtls_free(label); 5942 mbedtls_free(context); 5943 MD_OR_USE_PSA_DONE(); 5944 } 5945 /* END_CASE */ 5946 5947 /* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_256 */ 5948 void ssl_tls_exporter_too_early(int proto, int check_server, int state) 5949 { 5950 enum { BUFFSIZE = 1024 }; 5951 5952 int ret = -1; 5953 mbedtls_test_ssl_endpoint server_ep, client_ep; 5954 memset(&client_ep, 0, sizeof(client_ep)); 5955 memset(&server_ep, 0, sizeof(server_ep)); 5956 5957 mbedtls_test_handshake_test_options options; 5958 mbedtls_test_init_handshake_options(&options); 5959 options.server_min_version = proto; 5960 options.client_min_version = proto; 5961 options.server_max_version = proto; 5962 options.client_max_version = proto; 5963 5964 MD_OR_USE_PSA_INIT(); 5965 5966 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &options, 5967 NULL, NULL, NULL); 5968 TEST_ASSERT(ret == 0); 5969 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &options, 5970 NULL, NULL, NULL); 5971 TEST_ASSERT(ret == 0); 5972 5973 ret = mbedtls_test_mock_socket_connect(&client_ep.socket, &server_ep.socket, BUFFSIZE); 5974 TEST_ASSERT(ret == 0); 5975 5976 if (check_server) { 5977 ret = mbedtls_test_move_handshake_to_state(&server_ep.ssl, &client_ep.ssl, state); 5978 } else { 5979 ret = mbedtls_test_move_handshake_to_state(&client_ep.ssl, &server_ep.ssl, state); 5980 } 5981 if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { 5982 TEST_EQUAL(ret, 0); 5983 } 5984 5985 char label[] = "test-label"; 5986 uint8_t key_buffer[24] = { 0 }; 5987 ret = mbedtls_ssl_export_keying_material(check_server ? &server_ep.ssl : &client_ep.ssl, 5988 key_buffer, sizeof(key_buffer), 5989 label, sizeof(label), 5990 NULL, 0, 0); 5991 5992 /* FIXME: A more appropriate error code should be created for this case. */ 5993 TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 5994 5995 exit: 5996 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5997 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5998 mbedtls_test_free_handshake_options(&options); 5999 MD_OR_USE_PSA_DONE(); 6000 } 6001 /* END_CASE */