1 /*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2021 Netflix Inc.
5 * Written by: John Baldwin <jhb@FreeBSD.org>
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29 #include <sys/param.h>
30 #include <sys/endian.h>
31 #include <sys/event.h>
32 #include <sys/ktls.h>
33 #include <sys/socket.h>
34 #include <sys/sysctl.h>
35 #include <netinet/in.h>
36 #include <netinet/tcp.h>
37 #include <crypto/cryptodev.h>
38 #include <assert.h>
39 #include <err.h>
40 #include <fcntl.h>
41 #include <libutil.h>
42 #include <netdb.h>
43 #include <poll.h>
44 #include <stdbool.h>
45 #include <stdlib.h>
46 #include <atf-c.h>
47
48 #include <openssl/err.h>
49 #include <openssl/evp.h>
50 #include <openssl/hmac.h>
51
52 static void
require_ktls(void)53 require_ktls(void)
54 {
55 size_t len;
56 bool enable;
57
58 len = sizeof(enable);
59 if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) {
60 if (errno == ENOENT)
61 atf_tc_skip("kernel does not support TLS offload");
62 atf_libc_error(errno, "Failed to read kern.ipc.tls.enable");
63 }
64
65 if (!enable)
66 atf_tc_skip("Kernel TLS is disabled");
67 }
68
69 #define ATF_REQUIRE_KTLS() require_ktls()
70
71 static void
check_tls_mode(const atf_tc_t * tc,int s,int sockopt)72 check_tls_mode(const atf_tc_t *tc, int s, int sockopt)
73 {
74 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_ifnet", false)) {
75 socklen_t len;
76 int mode;
77
78 len = sizeof(mode);
79 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1)
80 atf_libc_error(errno, "Failed to fetch TLS mode");
81
82 if (mode != TCP_TLS_MODE_IFNET)
83 atf_tc_skip("connection did not use ifnet TLS");
84 }
85
86 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_toe", false)) {
87 socklen_t len;
88 int mode;
89
90 len = sizeof(mode);
91 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1)
92 atf_libc_error(errno, "Failed to fetch TLS mode");
93
94 if (mode != TCP_TLS_MODE_TOE)
95 atf_tc_skip("connection did not use TOE TLS");
96 }
97 }
98
99 static void __printflike(2, 3)
debug(const atf_tc_t * tc,const char * fmt,...)100 debug(const atf_tc_t *tc, const char *fmt, ...)
101 {
102 if (!atf_tc_get_config_var_as_bool_wd(tc, "ktls.debug", false))
103 return;
104
105 va_list ap;
106 va_start(ap, fmt);
107 vprintf(fmt, ap);
108 va_end(ap);
109 }
110
111 static void
debug_hexdump(const atf_tc_t * tc,const void * buf,int length,const char * label)112 debug_hexdump(const atf_tc_t *tc, const void *buf, int length,
113 const char *label)
114 {
115 if (!atf_tc_get_config_var_as_bool_wd(tc, "ktls.debug", false))
116 return;
117
118 if (label != NULL)
119 printf("%s:\n", label);
120 hexdump(buf, length, NULL, 0);
121 }
122
123 static char
rdigit(void)124 rdigit(void)
125 {
126 /* ASCII printable values between 0x20 and 0x7e */
127 return (0x20 + random() % (0x7f - 0x20));
128 }
129
130 static char *
alloc_buffer(size_t len)131 alloc_buffer(size_t len)
132 {
133 char *buf;
134 size_t i;
135
136 if (len == 0)
137 return (NULL);
138 buf = malloc(len);
139 for (i = 0; i < len; i++)
140 buf[i] = rdigit();
141 return (buf);
142 }
143
144 static bool
socketpair_tcp(int sv[2])145 socketpair_tcp(int sv[2])
146 {
147 struct pollfd pfd;
148 struct sockaddr_in sin;
149 socklen_t len;
150 int as, cs, ls;
151
152 ls = socket(PF_INET, SOCK_STREAM, 0);
153 if (ls == -1) {
154 warn("socket() for listen");
155 return (false);
156 }
157
158 memset(&sin, 0, sizeof(sin));
159 sin.sin_len = sizeof(sin);
160 sin.sin_family = AF_INET;
161 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
162 if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
163 warn("bind");
164 close(ls);
165 return (false);
166 }
167
168 if (listen(ls, 1) == -1) {
169 warn("listen");
170 close(ls);
171 return (false);
172 }
173
174 len = sizeof(sin);
175 if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) {
176 warn("getsockname");
177 close(ls);
178 return (false);
179 }
180
181 cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
182 if (cs == -1) {
183 warn("socket() for connect");
184 close(ls);
185 return (false);
186 }
187
188 if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
189 if (errno != EINPROGRESS) {
190 warn("connect");
191 close(ls);
192 close(cs);
193 return (false);
194 }
195 }
196
197 as = accept4(ls, NULL, NULL, SOCK_NONBLOCK);
198 if (as == -1) {
199 warn("accept4");
200 close(ls);
201 close(cs);
202 return (false);
203 }
204
205 close(ls);
206
207 pfd.fd = cs;
208 pfd.events = POLLOUT;
209 pfd.revents = 0;
210 ATF_REQUIRE_INTEQ(1, poll(&pfd, 1, INFTIM));
211 ATF_REQUIRE_INTEQ(POLLOUT, pfd.revents);
212
213 sv[0] = cs;
214 sv[1] = as;
215 return (true);
216 }
217
218 static bool
echo_socket(const atf_tc_t * tc,int sv[2])219 echo_socket(const atf_tc_t *tc, int sv[2])
220 {
221 const char *cause, *host, *port;
222 struct addrinfo hints, *ai, *tofree;
223 int error, flags, s;
224
225 host = atf_tc_get_config_var(tc, "ktls.host");
226 port = atf_tc_get_config_var_wd(tc, "ktls.port", "echo");
227 memset(&hints, 0, sizeof(hints));
228 hints.ai_family = AF_UNSPEC;
229 hints.ai_socktype = SOCK_STREAM;
230 hints.ai_protocol = IPPROTO_TCP;
231 error = getaddrinfo(host, port, &hints, &tofree);
232 if (error != 0) {
233 warnx("getaddrinfo(%s:%s) failed: %s", host, port,
234 gai_strerror(error));
235 return (false);
236 }
237
238 cause = NULL;
239 for (ai = tofree; ai != NULL; ai = ai->ai_next) {
240 s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
241 if (s == -1) {
242 cause = "socket";
243 error = errno;
244 continue;
245 }
246
247 if (connect(s, ai->ai_addr, ai->ai_addrlen) == -1) {
248 cause = "connect";
249 error = errno;
250 close(s);
251 continue;
252 }
253
254 freeaddrinfo(tofree);
255
256 ATF_REQUIRE((flags = fcntl(s, F_GETFL)) != -1);
257 flags |= O_NONBLOCK;
258 ATF_REQUIRE(fcntl(s, F_SETFL, flags) != -1);
259
260 sv[0] = s;
261 sv[1] = s;
262 return (true);
263 }
264
265 warnc(error, "%s", cause);
266 freeaddrinfo(tofree);
267 return (false);
268 }
269
270 static bool
open_sockets(const atf_tc_t * tc,int sv[2])271 open_sockets(const atf_tc_t *tc, int sv[2])
272 {
273 if (atf_tc_has_config_var(tc, "ktls.host"))
274 return (echo_socket(tc, sv));
275 else
276 return (socketpair_tcp(sv));
277 }
278
279 static void
close_sockets(int sv[2])280 close_sockets(int sv[2])
281 {
282 if (sv[0] != sv[1])
283 ATF_REQUIRE(close(sv[1]) == 0);
284 ATF_REQUIRE(close(sv[0]) == 0);
285 }
286
287 static void
close_sockets_ignore_errors(int sv[2])288 close_sockets_ignore_errors(int sv[2])
289 {
290 if (sv[0] != sv[1])
291 close(sv[1]);
292 close(sv[0]);
293 }
294
295 static void
fd_set_blocking(int fd)296 fd_set_blocking(int fd)
297 {
298 int flags;
299
300 ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1);
301 flags &= ~O_NONBLOCK;
302 ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1);
303 }
304
305 static bool
cbc_crypt(const EVP_CIPHER * cipher,const char * key,const char * iv,const char * input,char * output,size_t size,int enc)306 cbc_crypt(const EVP_CIPHER *cipher, const char *key, const char *iv,
307 const char *input, char *output, size_t size, int enc)
308 {
309 EVP_CIPHER_CTX *ctx;
310 int outl, total;
311
312 ctx = EVP_CIPHER_CTX_new();
313 if (ctx == NULL) {
314 warnx("EVP_CIPHER_CTX_new failed: %s",
315 ERR_error_string(ERR_get_error(), NULL));
316 return (false);
317 }
318 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key,
319 (const u_char *)iv, enc) != 1) {
320 warnx("EVP_CipherInit_ex failed: %s",
321 ERR_error_string(ERR_get_error(), NULL));
322 EVP_CIPHER_CTX_free(ctx);
323 return (false);
324 }
325 EVP_CIPHER_CTX_set_padding(ctx, 0);
326 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl,
327 (const u_char *)input, size) != 1) {
328 warnx("EVP_CipherUpdate failed: %s",
329 ERR_error_string(ERR_get_error(), NULL));
330 EVP_CIPHER_CTX_free(ctx);
331 return (false);
332 }
333 total = outl;
334 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) {
335 warnx("EVP_CipherFinal_ex failed: %s",
336 ERR_error_string(ERR_get_error(), NULL));
337 EVP_CIPHER_CTX_free(ctx);
338 return (false);
339 }
340 total += outl;
341 if ((size_t)total != size) {
342 warnx("decrypt size mismatch: %zu vs %d", size, total);
343 EVP_CIPHER_CTX_free(ctx);
344 return (false);
345 }
346 EVP_CIPHER_CTX_free(ctx);
347 return (true);
348 }
349
350 static bool
cbc_encrypt(const EVP_CIPHER * cipher,const char * key,const char * iv,const char * input,char * output,size_t size)351 cbc_encrypt(const EVP_CIPHER *cipher, const char *key, const char *iv,
352 const char *input, char *output, size_t size)
353 {
354 return (cbc_crypt(cipher, key, iv, input, output, size, 1));
355 }
356
357 static bool
cbc_decrypt(const EVP_CIPHER * cipher,const char * key,const char * iv,const char * input,char * output,size_t size)358 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv,
359 const char *input, char *output, size_t size)
360 {
361 return (cbc_crypt(cipher, key, iv, input, output, size, 0));
362 }
363
364 static bool
compute_hash(const EVP_MD * md,const void * key,size_t key_len,const void * aad,size_t aad_len,const void * buffer,size_t len,void * digest,u_int * digest_len)365 compute_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad,
366 size_t aad_len, const void *buffer, size_t len, void *digest,
367 u_int *digest_len)
368 {
369 HMAC_CTX *ctx;
370
371 ctx = HMAC_CTX_new();
372 if (ctx == NULL) {
373 warnx("HMAC_CTX_new failed: %s",
374 ERR_error_string(ERR_get_error(), NULL));
375 return (false);
376 }
377 if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) {
378 warnx("HMAC_Init_ex failed: %s",
379 ERR_error_string(ERR_get_error(), NULL));
380 HMAC_CTX_free(ctx);
381 return (false);
382 }
383 if (HMAC_Update(ctx, aad, aad_len) != 1) {
384 warnx("HMAC_Update (aad) failed: %s",
385 ERR_error_string(ERR_get_error(), NULL));
386 HMAC_CTX_free(ctx);
387 return (false);
388 }
389 if (HMAC_Update(ctx, buffer, len) != 1) {
390 warnx("HMAC_Update (payload) failed: %s",
391 ERR_error_string(ERR_get_error(), NULL));
392 HMAC_CTX_free(ctx);
393 return (false);
394 }
395 if (HMAC_Final(ctx, digest, digest_len) != 1) {
396 warnx("HMAC_Final failed: %s",
397 ERR_error_string(ERR_get_error(), NULL));
398 HMAC_CTX_free(ctx);
399 return (false);
400 }
401 HMAC_CTX_free(ctx);
402 return (true);
403 }
404
405 static bool
verify_hash(const EVP_MD * md,const void * key,size_t key_len,const void * aad,size_t aad_len,const void * buffer,size_t len,const void * digest)406 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad,
407 size_t aad_len, const void *buffer, size_t len, const void *digest)
408 {
409 unsigned char digest2[EVP_MAX_MD_SIZE];
410 u_int digest_len;
411
412 if (!compute_hash(md, key, key_len, aad, aad_len, buffer, len, digest2,
413 &digest_len))
414 return (false);
415 if (memcmp(digest, digest2, digest_len) != 0) {
416 warnx("HMAC mismatch");
417 return (false);
418 }
419 return (true);
420 }
421
422 static bool
aead_encrypt(const EVP_CIPHER * cipher,const char * key,const char * nonce,const void * aad,size_t aad_len,const char * input,char * output,size_t size,char * tag,size_t tag_len)423 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce,
424 const void *aad, size_t aad_len, const char *input, char *output,
425 size_t size, char *tag, size_t tag_len)
426 {
427 EVP_CIPHER_CTX *ctx;
428 int outl, total;
429
430 ctx = EVP_CIPHER_CTX_new();
431 if (ctx == NULL) {
432 warnx("EVP_CIPHER_CTX_new failed: %s",
433 ERR_error_string(ERR_get_error(), NULL));
434 return (false);
435 }
436 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
437 (const u_char *)nonce) != 1) {
438 warnx("EVP_EncryptInit_ex failed: %s",
439 ERR_error_string(ERR_get_error(), NULL));
440 EVP_CIPHER_CTX_free(ctx);
441 return (false);
442 }
443 EVP_CIPHER_CTX_set_padding(ctx, 0);
444 if (aad != NULL) {
445 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
446 aad_len) != 1) {
447 warnx("EVP_EncryptUpdate for AAD failed: %s",
448 ERR_error_string(ERR_get_error(), NULL));
449 EVP_CIPHER_CTX_free(ctx);
450 return (false);
451 }
452 }
453 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl,
454 (const u_char *)input, size) != 1) {
455 warnx("EVP_EncryptUpdate failed: %s",
456 ERR_error_string(ERR_get_error(), NULL));
457 EVP_CIPHER_CTX_free(ctx);
458 return (false);
459 }
460 total = outl;
461 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) {
462 warnx("EVP_EncryptFinal_ex failed: %s",
463 ERR_error_string(ERR_get_error(), NULL));
464 EVP_CIPHER_CTX_free(ctx);
465 return (false);
466 }
467 total += outl;
468 if ((size_t)total != size) {
469 warnx("encrypt size mismatch: %zu vs %d", size, total);
470 EVP_CIPHER_CTX_free(ctx);
471 return (false);
472 }
473 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) !=
474 1) {
475 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s",
476 ERR_error_string(ERR_get_error(), NULL));
477 EVP_CIPHER_CTX_free(ctx);
478 return (false);
479 }
480 EVP_CIPHER_CTX_free(ctx);
481 return (true);
482 }
483
484 static bool
aead_decrypt(const EVP_CIPHER * cipher,const char * key,const char * nonce,const void * aad,size_t aad_len,const char * input,char * output,size_t size,const char * tag,size_t tag_len)485 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce,
486 const void *aad, size_t aad_len, const char *input, char *output,
487 size_t size, const char *tag, size_t tag_len)
488 {
489 EVP_CIPHER_CTX *ctx;
490 int outl, total;
491 bool valid;
492
493 ctx = EVP_CIPHER_CTX_new();
494 if (ctx == NULL) {
495 warnx("EVP_CIPHER_CTX_new failed: %s",
496 ERR_error_string(ERR_get_error(), NULL));
497 return (false);
498 }
499 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
500 (const u_char *)nonce) != 1) {
501 warnx("EVP_DecryptInit_ex failed: %s",
502 ERR_error_string(ERR_get_error(), NULL));
503 EVP_CIPHER_CTX_free(ctx);
504 return (false);
505 }
506 EVP_CIPHER_CTX_set_padding(ctx, 0);
507 if (aad != NULL) {
508 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
509 aad_len) != 1) {
510 warnx("EVP_DecryptUpdate for AAD failed: %s",
511 ERR_error_string(ERR_get_error(), NULL));
512 EVP_CIPHER_CTX_free(ctx);
513 return (false);
514 }
515 }
516 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl,
517 (const u_char *)input, size) != 1) {
518 warnx("EVP_DecryptUpdate failed: %s",
519 ERR_error_string(ERR_get_error(), NULL));
520 EVP_CIPHER_CTX_free(ctx);
521 return (false);
522 }
523 total = outl;
524 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len,
525 __DECONST(char *, tag)) != 1) {
526 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s",
527 ERR_error_string(ERR_get_error(), NULL));
528 EVP_CIPHER_CTX_free(ctx);
529 return (false);
530 }
531 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1);
532 total += outl;
533 if ((size_t)total != size) {
534 warnx("decrypt size mismatch: %zu vs %d", size, total);
535 EVP_CIPHER_CTX_free(ctx);
536 return (false);
537 }
538 if (!valid)
539 warnx("tag mismatch");
540 EVP_CIPHER_CTX_free(ctx);
541 return (valid);
542 }
543
544 static void
build_tls_enable(const atf_tc_t * tc,int cipher_alg,size_t cipher_key_len,int auth_alg,int minor,uint64_t seqno,struct tls_enable * en)545 build_tls_enable(const atf_tc_t *tc, int cipher_alg, size_t cipher_key_len,
546 int auth_alg, int minor, uint64_t seqno, struct tls_enable *en)
547 {
548 u_int auth_key_len, iv_len;
549
550 memset(en, 0, sizeof(*en));
551
552 switch (cipher_alg) {
553 case CRYPTO_AES_CBC:
554 if (minor == TLS_MINOR_VER_ZERO)
555 iv_len = AES_BLOCK_LEN;
556 else
557 iv_len = 0;
558 break;
559 case CRYPTO_AES_NIST_GCM_16:
560 if (minor == TLS_MINOR_VER_TWO)
561 iv_len = TLS_AEAD_GCM_LEN;
562 else
563 iv_len = TLS_1_3_GCM_IV_LEN;
564 break;
565 case CRYPTO_CHACHA20_POLY1305:
566 iv_len = TLS_CHACHA20_IV_LEN;
567 break;
568 default:
569 iv_len = 0;
570 break;
571 }
572 switch (auth_alg) {
573 case CRYPTO_SHA1_HMAC:
574 auth_key_len = SHA1_HASH_LEN;
575 break;
576 case CRYPTO_SHA2_256_HMAC:
577 auth_key_len = SHA2_256_HASH_LEN;
578 break;
579 case CRYPTO_SHA2_384_HMAC:
580 auth_key_len = SHA2_384_HASH_LEN;
581 break;
582 default:
583 auth_key_len = 0;
584 break;
585 }
586 en->cipher_key = alloc_buffer(cipher_key_len);
587 debug_hexdump(tc, en->cipher_key, cipher_key_len, "cipher key");
588 en->iv = alloc_buffer(iv_len);
589 if (iv_len != 0)
590 debug_hexdump(tc, en->iv, iv_len, "iv");
591 en->auth_key = alloc_buffer(auth_key_len);
592 if (auth_key_len != 0)
593 debug_hexdump(tc, en->auth_key, auth_key_len, "auth key");
594 en->cipher_algorithm = cipher_alg;
595 en->cipher_key_len = cipher_key_len;
596 en->iv_len = iv_len;
597 en->auth_algorithm = auth_alg;
598 en->auth_key_len = auth_key_len;
599 en->tls_vmajor = TLS_MAJOR_VER_ONE;
600 en->tls_vminor = minor;
601 be64enc(en->rec_seq, seqno);
602 debug(tc, "seqno: %ju\n", (uintmax_t)seqno);
603 }
604
605 static void
free_tls_enable(struct tls_enable * en)606 free_tls_enable(struct tls_enable *en)
607 {
608 free(__DECONST(void *, en->cipher_key));
609 free(__DECONST(void *, en->iv));
610 free(__DECONST(void *, en->auth_key));
611 }
612
613 static const EVP_CIPHER *
tls_EVP_CIPHER(const struct tls_enable * en)614 tls_EVP_CIPHER(const struct tls_enable *en)
615 {
616 switch (en->cipher_algorithm) {
617 case CRYPTO_AES_CBC:
618 switch (en->cipher_key_len) {
619 case 128 / 8:
620 return (EVP_aes_128_cbc());
621 case 256 / 8:
622 return (EVP_aes_256_cbc());
623 default:
624 return (NULL);
625 }
626 break;
627 case CRYPTO_AES_NIST_GCM_16:
628 switch (en->cipher_key_len) {
629 case 128 / 8:
630 return (EVP_aes_128_gcm());
631 case 256 / 8:
632 return (EVP_aes_256_gcm());
633 default:
634 return (NULL);
635 }
636 break;
637 case CRYPTO_CHACHA20_POLY1305:
638 return (EVP_chacha20_poly1305());
639 default:
640 return (NULL);
641 }
642 }
643
644 static const EVP_MD *
tls_EVP_MD(const struct tls_enable * en)645 tls_EVP_MD(const struct tls_enable *en)
646 {
647 switch (en->auth_algorithm) {
648 case CRYPTO_SHA1_HMAC:
649 return (EVP_sha1());
650 case CRYPTO_SHA2_256_HMAC:
651 return (EVP_sha256());
652 case CRYPTO_SHA2_384_HMAC:
653 return (EVP_sha384());
654 default:
655 return (NULL);
656 }
657 }
658
659 static size_t
tls_header_len(struct tls_enable * en)660 tls_header_len(struct tls_enable *en)
661 {
662 size_t len;
663
664 len = sizeof(struct tls_record_layer);
665 switch (en->cipher_algorithm) {
666 case CRYPTO_AES_CBC:
667 if (en->tls_vminor != TLS_MINOR_VER_ZERO)
668 len += AES_BLOCK_LEN;
669 return (len);
670 case CRYPTO_AES_NIST_GCM_16:
671 if (en->tls_vminor == TLS_MINOR_VER_TWO)
672 len += sizeof(uint64_t);
673 return (len);
674 case CRYPTO_CHACHA20_POLY1305:
675 return (len);
676 default:
677 return (0);
678 }
679 }
680
681 static size_t
tls_mac_len(struct tls_enable * en)682 tls_mac_len(struct tls_enable *en)
683 {
684 switch (en->cipher_algorithm) {
685 case CRYPTO_AES_CBC:
686 switch (en->auth_algorithm) {
687 case CRYPTO_SHA1_HMAC:
688 return (SHA1_HASH_LEN);
689 case CRYPTO_SHA2_256_HMAC:
690 return (SHA2_256_HASH_LEN);
691 case CRYPTO_SHA2_384_HMAC:
692 return (SHA2_384_HASH_LEN);
693 default:
694 return (0);
695 }
696 case CRYPTO_AES_NIST_GCM_16:
697 return (AES_GMAC_HASH_LEN);
698 case CRYPTO_CHACHA20_POLY1305:
699 return (POLY1305_HASH_LEN);
700 default:
701 return (0);
702 }
703 }
704
705 /* Includes maximum padding for MTE. */
706 static size_t
tls_trailer_len(struct tls_enable * en)707 tls_trailer_len(struct tls_enable *en)
708 {
709 size_t len;
710
711 len = tls_mac_len(en);
712 if (en->cipher_algorithm == CRYPTO_AES_CBC)
713 len += AES_BLOCK_LEN;
714 if (en->tls_vminor == TLS_MINOR_VER_THREE)
715 len++;
716 return (len);
717 }
718
719 /* Minimum valid record payload size for a given cipher suite. */
720 static size_t
tls_minimum_record_payload(struct tls_enable * en)721 tls_minimum_record_payload(struct tls_enable *en)
722 {
723 size_t len;
724
725 len = tls_header_len(en);
726 if (en->cipher_algorithm == CRYPTO_AES_CBC)
727 len += roundup2(tls_mac_len(en) + 1, AES_BLOCK_LEN);
728 else
729 len += tls_mac_len(en);
730 if (en->tls_vminor == TLS_MINOR_VER_THREE)
731 len++;
732 return (len - sizeof(struct tls_record_layer));
733 }
734
735 /* 'len' is the length of the payload application data. */
736 static void
tls_mte_aad(struct tls_enable * en,size_t len,const struct tls_record_layer * hdr,uint64_t seqno,struct tls_mac_data * ad)737 tls_mte_aad(struct tls_enable *en, size_t len,
738 const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad)
739 {
740 ad->seq = htobe64(seqno);
741 ad->type = hdr->tls_type;
742 ad->tls_vmajor = hdr->tls_vmajor;
743 ad->tls_vminor = hdr->tls_vminor;
744 ad->tls_length = htons(len);
745 }
746
747 static void
tls_12_aead_aad(struct tls_enable * en,size_t len,const struct tls_record_layer * hdr,uint64_t seqno,struct tls_aead_data * ad)748 tls_12_aead_aad(struct tls_enable *en, size_t len,
749 const struct tls_record_layer *hdr, uint64_t seqno,
750 struct tls_aead_data *ad)
751 {
752 ad->seq = htobe64(seqno);
753 ad->type = hdr->tls_type;
754 ad->tls_vmajor = hdr->tls_vmajor;
755 ad->tls_vminor = hdr->tls_vminor;
756 ad->tls_length = htons(len);
757 }
758
759 static void
tls_13_aad(struct tls_enable * en,const struct tls_record_layer * hdr,uint64_t seqno,struct tls_aead_data_13 * ad)760 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr,
761 uint64_t seqno, struct tls_aead_data_13 *ad)
762 {
763 ad->type = hdr->tls_type;
764 ad->tls_vmajor = hdr->tls_vmajor;
765 ad->tls_vminor = hdr->tls_vminor;
766 ad->tls_length = hdr->tls_length;
767 }
768
769 static void
tls_12_gcm_nonce(struct tls_enable * en,const struct tls_record_layer * hdr,char * nonce)770 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr,
771 char *nonce)
772 {
773 memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN);
774 memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
775 }
776
777 static void
tls_13_nonce(struct tls_enable * en,uint64_t seqno,char * nonce)778 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce)
779 {
780 static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN,
781 "TLS 1.3 nonce length mismatch");
782 memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN);
783 *(uint64_t *)(nonce + 4) ^= htobe64(seqno);
784 }
785
786 /*
787 * Decrypt a TLS record 'len' bytes long at 'src' and store the result at
788 * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't
789 * have sufficient room ('avail'), fail the test.
790 */
791 static size_t
decrypt_tls_aes_cbc_mte(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,uint8_t * record_type)792 decrypt_tls_aes_cbc_mte(const atf_tc_t *tc, struct tls_enable *en,
793 uint64_t seqno, const void *src, size_t len, void *dst, size_t avail,
794 uint8_t *record_type)
795 {
796 const struct tls_record_layer *hdr;
797 struct tls_mac_data aad;
798 const char *iv;
799 char *buf;
800 size_t hdr_len, mac_len, payload_len;
801 int padding;
802
803 hdr = src;
804 hdr_len = tls_header_len(en);
805 mac_len = tls_mac_len(en);
806 ATF_REQUIRE_INTEQ(TLS_MAJOR_VER_ONE, hdr->tls_vmajor);
807 ATF_REQUIRE_INTEQ(en->tls_vminor, hdr->tls_vminor);
808 debug(tc, "decrypting MTE record seqno %ju:\n", (uintmax_t)seqno);
809 debug_hexdump(tc, src, len, NULL);
810
811 /* First, decrypt the outer payload into a temporary buffer. */
812 payload_len = len - hdr_len;
813 buf = malloc(payload_len);
814 if (en->tls_vminor == TLS_MINOR_VER_ZERO)
815 iv = en->iv;
816 else
817 iv = (void *)(hdr + 1);
818 debug_hexdump(tc, iv, AES_BLOCK_LEN, "iv");
819 ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv,
820 (const u_char *)src + hdr_len, buf, payload_len));
821 debug_hexdump(tc, buf, payload_len, "decrypted buffer");
822
823 /*
824 * Copy the last encrypted block to use as the IV for the next
825 * record for TLS 1.0.
826 */
827 if (en->tls_vminor == TLS_MINOR_VER_ZERO)
828 memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src +
829 (len - AES_BLOCK_LEN), AES_BLOCK_LEN);
830
831 /*
832 * Verify trailing padding and strip.
833 *
834 * The kernel always generates the smallest amount of padding.
835 */
836 padding = buf[payload_len - 1] + 1;
837 ATF_REQUIRE_MSG(padding > 0 && padding <= AES_BLOCK_LEN,
838 "invalid padding %d", padding);
839 ATF_REQUIRE_MSG(payload_len >= mac_len + padding,
840 "payload_len (%zu) < mac_len (%zu) + padding (%d)", payload_len,
841 mac_len, padding);
842 payload_len -= padding;
843
844 /* Verify HMAC. */
845 payload_len -= mac_len;
846 tls_mte_aad(en, payload_len, hdr, seqno, &aad);
847 debug_hexdump(tc, &aad, sizeof(aad), "aad");
848 ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len,
849 &aad, sizeof(aad), buf, payload_len, buf + payload_len));
850
851 ATF_REQUIRE_MSG(payload_len <= avail, "payload_len (%zu) < avail (%zu)",
852 payload_len, avail);
853 memcpy(dst, buf, payload_len);
854 *record_type = hdr->tls_type;
855 return (payload_len);
856 }
857
858 static size_t
decrypt_tls_12_aead(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,const void * src,size_t len,void * dst,uint8_t * record_type)859 decrypt_tls_12_aead(const atf_tc_t *tc, struct tls_enable *en, uint64_t seqno,
860 const void *src, size_t len, void *dst, uint8_t *record_type)
861 {
862 const struct tls_record_layer *hdr;
863 struct tls_aead_data aad;
864 char nonce[12];
865 size_t hdr_len, mac_len, payload_len;
866
867 hdr = src;
868
869 hdr_len = tls_header_len(en);
870 mac_len = tls_mac_len(en);
871 payload_len = len - (hdr_len + mac_len);
872 ATF_REQUIRE_INTEQ(TLS_MAJOR_VER_ONE, hdr->tls_vmajor);
873 ATF_REQUIRE_INTEQ(TLS_MINOR_VER_TWO, hdr->tls_vminor);
874 debug(tc, "decrypting TLS 1.2 record seqno %ju:\n", (uintmax_t)seqno);
875 debug_hexdump(tc, src, len, NULL);
876
877 tls_12_aead_aad(en, payload_len, hdr, seqno, &aad);
878 debug_hexdump(tc, &aad, sizeof(aad), "aad");
879 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
880 tls_12_gcm_nonce(en, hdr, nonce);
881 else
882 tls_13_nonce(en, seqno, nonce);
883 debug_hexdump(tc, nonce, sizeof(nonce), "nonce");
884
885 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
886 &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len,
887 (const char *)src + hdr_len + payload_len, mac_len));
888
889 *record_type = hdr->tls_type;
890 return (payload_len);
891 }
892
893 static size_t
decrypt_tls_13_aead(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,const void * src,size_t len,void * dst,uint8_t * record_type)894 decrypt_tls_13_aead(const atf_tc_t *tc, struct tls_enable *en, uint64_t seqno,
895 const void *src, size_t len, void *dst, uint8_t *record_type)
896 {
897 const struct tls_record_layer *hdr;
898 struct tls_aead_data_13 aad;
899 char nonce[12];
900 char *buf;
901 size_t hdr_len, mac_len, payload_len;
902
903 hdr = src;
904
905 hdr_len = tls_header_len(en);
906 mac_len = tls_mac_len(en);
907 payload_len = len - (hdr_len + mac_len);
908 ATF_REQUIRE_MSG(payload_len >= 1,
909 "payload_len (%zu) too short: len %zu hdr_len %zu mac_len %zu",
910 payload_len, len, hdr_len, mac_len);
911 ATF_REQUIRE_INTEQ(TLS_RLTYPE_APP, hdr->tls_type);
912 ATF_REQUIRE_INTEQ(TLS_MAJOR_VER_ONE, hdr->tls_vmajor);
913 ATF_REQUIRE_INTEQ(TLS_MINOR_VER_TWO, hdr->tls_vminor);
914 debug(tc, "decrypting TLS 1.3 record seqno %ju:\n", (uintmax_t)seqno);
915 debug_hexdump(tc, src, len, NULL);
916
917 tls_13_aad(en, hdr, seqno, &aad);
918 debug_hexdump(tc, &aad, sizeof(aad), "aad");
919 tls_13_nonce(en, seqno, nonce);
920 debug_hexdump(tc, nonce, sizeof(nonce), "nonce");
921
922 /*
923 * Have to use a temporary buffer for the output due to the
924 * record type as the last byte of the trailer.
925 */
926 buf = malloc(payload_len);
927
928 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
929 &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len,
930 (const char *)src + hdr_len + payload_len, mac_len));
931 debug_hexdump(tc, buf, payload_len, "decrypted buffer");
932
933 /* Trim record type. */
934 *record_type = buf[payload_len - 1];
935 payload_len--;
936
937 memcpy(dst, buf, payload_len);
938 free(buf);
939
940 return (payload_len);
941 }
942
943 static size_t
decrypt_tls_aead(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,uint8_t * record_type)944 decrypt_tls_aead(const atf_tc_t *tc, struct tls_enable *en, uint64_t seqno,
945 const void *src, size_t len, void *dst, size_t avail, uint8_t *record_type)
946 {
947 const struct tls_record_layer *hdr;
948 size_t payload_len;
949
950 hdr = src;
951 ATF_REQUIRE_INTEQ(len, ntohs(hdr->tls_length) + sizeof(*hdr));
952
953 payload_len = len - (tls_header_len(en) + tls_trailer_len(en));
954 ATF_REQUIRE_MSG(payload_len <= avail, "payload_len (%zu) > avail (%zu)",
955 payload_len, avail);
956
957 if (en->tls_vminor == TLS_MINOR_VER_TWO) {
958 ATF_REQUIRE_INTEQ(payload_len, decrypt_tls_12_aead(tc, en,
959 seqno, src, len, dst, record_type));
960 } else {
961 ATF_REQUIRE_INTEQ(payload_len, decrypt_tls_13_aead(tc, en,
962 seqno, src, len, dst, record_type));
963 }
964
965 return (payload_len);
966 }
967
968 static size_t
decrypt_tls_record(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,uint8_t * record_type)969 decrypt_tls_record(const atf_tc_t *tc, struct tls_enable *en, uint64_t seqno,
970 const void *src, size_t len, void *dst, size_t avail, uint8_t *record_type)
971 {
972 if (en->cipher_algorithm == CRYPTO_AES_CBC)
973 return (decrypt_tls_aes_cbc_mte(tc, en, seqno, src, len, dst,
974 avail, record_type));
975 else
976 return (decrypt_tls_aead(tc, en, seqno, src, len, dst, avail,
977 record_type));
978 }
979
980 /*
981 * Encrypt a TLS record of type 'record_type' with payload 'len' bytes
982 * long at 'src' and store the result at 'dst'. If 'dst' doesn't have
983 * sufficient room ('avail'), fail the test. 'padding' is the amount
984 * of additional padding to include beyond any amount mandated by the
985 * cipher suite.
986 */
987 static size_t
encrypt_tls_aes_cbc_mte(const atf_tc_t * tc,struct tls_enable * en,uint8_t record_type,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,size_t padding)988 encrypt_tls_aes_cbc_mte(const atf_tc_t *tc, struct tls_enable *en,
989 uint8_t record_type, uint64_t seqno, const void *src, size_t len, void *dst,
990 size_t avail, size_t padding)
991 {
992 struct tls_record_layer *hdr;
993 struct tls_mac_data aad;
994 char *buf, *iv;
995 size_t hdr_len, mac_len, record_len;
996 u_int digest_len, i;
997
998 ATF_REQUIRE_INTEQ(0, padding % 16);
999
1000 hdr = dst;
1001 buf = dst;
1002
1003 debug(tc, "encrypting MTE record seqno %ju:\n", (uintmax_t)seqno);
1004 hdr_len = tls_header_len(en);
1005 mac_len = tls_mac_len(en);
1006 padding += (AES_BLOCK_LEN - (len + mac_len) % AES_BLOCK_LEN);
1007 ATF_REQUIRE_MSG(padding > 0 && padding <= 255, "invalid padding (%zu)",
1008 padding);
1009
1010 record_len = hdr_len + len + mac_len + padding;
1011 ATF_REQUIRE_MSG(record_len <= avail, "record_len (%zu) > avail (%zu): "
1012 "hdr_len %zu, len %zu, mac_len %zu, padding %zu", record_len,
1013 avail, hdr_len, len, mac_len, padding);
1014
1015 hdr->tls_type = record_type;
1016 hdr->tls_vmajor = TLS_MAJOR_VER_ONE;
1017 hdr->tls_vminor = en->tls_vminor;
1018 hdr->tls_length = htons(record_len - sizeof(*hdr));
1019 iv = (char *)(hdr + 1);
1020 for (i = 0; i < AES_BLOCK_LEN; i++)
1021 iv[i] = rdigit();
1022 debug_hexdump(tc, iv, AES_BLOCK_LEN, "explicit IV");
1023
1024 /* Copy plaintext to ciphertext region. */
1025 memcpy(buf + hdr_len, src, len);
1026
1027 /* Compute HMAC. */
1028 tls_mte_aad(en, len, hdr, seqno, &aad);
1029 debug_hexdump(tc, &aad, sizeof(aad), "aad");
1030 debug_hexdump(tc, src, len, "plaintext");
1031 ATF_REQUIRE(compute_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len,
1032 &aad, sizeof(aad), src, len, buf + hdr_len + len, &digest_len));
1033 ATF_REQUIRE_INTEQ(mac_len, digest_len);
1034
1035 /* Store padding. */
1036 for (i = 0; i < padding; i++)
1037 buf[hdr_len + len + mac_len + i] = padding - 1;
1038 debug_hexdump(tc, buf + hdr_len + len, mac_len + padding,
1039 "MAC and padding");
1040
1041 /* Encrypt the record. */
1042 ATF_REQUIRE(cbc_encrypt(tls_EVP_CIPHER(en), en->cipher_key, iv,
1043 buf + hdr_len, buf + hdr_len, len + mac_len + padding));
1044 debug_hexdump(tc, dst, record_len, "encrypted record");
1045
1046 return (record_len);
1047 }
1048
1049 static size_t
encrypt_tls_12_aead(const atf_tc_t * tc,struct tls_enable * en,uint8_t record_type,uint64_t seqno,const void * src,size_t len,void * dst)1050 encrypt_tls_12_aead(const atf_tc_t *tc, struct tls_enable *en,
1051 uint8_t record_type, uint64_t seqno, const void *src, size_t len, void *dst)
1052 {
1053 struct tls_record_layer *hdr;
1054 struct tls_aead_data aad;
1055 char nonce[12];
1056 size_t hdr_len, mac_len, record_len;
1057
1058 hdr = dst;
1059
1060 debug(tc, "encrypting TLS 1.2 record seqno %ju:\n", (uintmax_t)seqno);
1061 hdr_len = tls_header_len(en);
1062 mac_len = tls_mac_len(en);
1063 record_len = hdr_len + len + mac_len;
1064
1065 hdr->tls_type = record_type;
1066 hdr->tls_vmajor = TLS_MAJOR_VER_ONE;
1067 hdr->tls_vminor = TLS_MINOR_VER_TWO;
1068 hdr->tls_length = htons(record_len - sizeof(*hdr));
1069 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
1070 memcpy(hdr + 1, &seqno, sizeof(seqno));
1071
1072 tls_12_aead_aad(en, len, hdr, seqno, &aad);
1073 debug_hexdump(tc, &aad, sizeof(aad), "aad");
1074 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
1075 tls_12_gcm_nonce(en, hdr, nonce);
1076 else
1077 tls_13_nonce(en, seqno, nonce);
1078 debug_hexdump(tc, nonce, sizeof(nonce), "nonce");
1079
1080 debug_hexdump(tc, src, len, "plaintext");
1081 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
1082 &aad, sizeof(aad), src, (char *)dst + hdr_len, len,
1083 (char *)dst + hdr_len + len, mac_len));
1084 debug_hexdump(tc, dst, record_len, "encrypted record");
1085
1086 return (record_len);
1087 }
1088
1089 static size_t
encrypt_tls_13_aead(const atf_tc_t * tc,struct tls_enable * en,uint8_t record_type,uint64_t seqno,const void * src,size_t len,void * dst,size_t padding)1090 encrypt_tls_13_aead(const atf_tc_t *tc, struct tls_enable *en,
1091 uint8_t record_type, uint64_t seqno, const void *src, size_t len, void *dst,
1092 size_t padding)
1093 {
1094 struct tls_record_layer *hdr;
1095 struct tls_aead_data_13 aad;
1096 char nonce[12];
1097 char *buf;
1098 size_t hdr_len, mac_len, record_len;
1099
1100 hdr = dst;
1101
1102 debug(tc, "encrypting TLS 1.3 record seqno %ju:\n", (uintmax_t)seqno);
1103 hdr_len = tls_header_len(en);
1104 mac_len = tls_mac_len(en);
1105 record_len = hdr_len + len + 1 + padding + mac_len;
1106
1107 hdr->tls_type = TLS_RLTYPE_APP;
1108 hdr->tls_vmajor = TLS_MAJOR_VER_ONE;
1109 hdr->tls_vminor = TLS_MINOR_VER_TWO;
1110 hdr->tls_length = htons(record_len - sizeof(*hdr));
1111
1112 tls_13_aad(en, hdr, seqno, &aad);
1113 debug_hexdump(tc, &aad, sizeof(aad), "aad");
1114 tls_13_nonce(en, seqno, nonce);
1115 debug_hexdump(tc, nonce, sizeof(nonce), "nonce");
1116
1117 /*
1118 * Have to use a temporary buffer for the input so that the record
1119 * type can be appended.
1120 */
1121 buf = malloc(len + 1 + padding);
1122 memcpy(buf, src, len);
1123 buf[len] = record_type;
1124 memset(buf + len + 1, 0, padding);
1125 debug_hexdump(tc, buf, len + 1 + padding, "plaintext + type + padding");
1126
1127 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
1128 &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding,
1129 (char *)dst + hdr_len + len + 1 + padding, mac_len));
1130 debug_hexdump(tc, dst, record_len, "encrypted record");
1131
1132 free(buf);
1133
1134 return (record_len);
1135 }
1136
1137 static size_t
encrypt_tls_aead(const atf_tc_t * tc,struct tls_enable * en,uint8_t record_type,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,size_t padding)1138 encrypt_tls_aead(const atf_tc_t *tc, struct tls_enable *en,
1139 uint8_t record_type, uint64_t seqno, const void *src, size_t len, void *dst,
1140 size_t avail, size_t padding)
1141 {
1142 size_t record_len;
1143
1144 record_len = tls_header_len(en) + len + padding + tls_trailer_len(en);
1145 ATF_REQUIRE_MSG(record_len <= avail, "record_len (%zu) > avail (%zu): "
1146 "header %zu len %zu padding %zu trailer %zu", record_len, avail,
1147 tls_header_len(en), len, padding, tls_trailer_len(en));
1148
1149 if (en->tls_vminor == TLS_MINOR_VER_TWO) {
1150 ATF_REQUIRE_INTEQ(0, padding);
1151 ATF_REQUIRE_INTEQ(record_len, encrypt_tls_12_aead(tc, en,
1152 record_type, seqno, src, len, dst));
1153 } else
1154 ATF_REQUIRE_INTEQ(record_len, encrypt_tls_13_aead(tc, en,
1155 record_type, seqno, src, len, dst, padding));
1156
1157 return (record_len);
1158 }
1159
1160 static size_t
encrypt_tls_record(const atf_tc_t * tc,struct tls_enable * en,uint8_t record_type,uint64_t seqno,const void * src,size_t len,void * dst,size_t avail,size_t padding)1161 encrypt_tls_record(const atf_tc_t *tc, struct tls_enable *en,
1162 uint8_t record_type, uint64_t seqno, const void *src, size_t len, void *dst,
1163 size_t avail, size_t padding)
1164 {
1165 if (en->cipher_algorithm == CRYPTO_AES_CBC)
1166 return (encrypt_tls_aes_cbc_mte(tc, en, record_type, seqno, src,
1167 len, dst, avail, padding));
1168 else
1169 return (encrypt_tls_aead(tc, en, record_type, seqno, src, len,
1170 dst, avail, padding));
1171 }
1172
1173 static void
test_ktls_transmit_app_data(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1174 test_ktls_transmit_app_data(const atf_tc_t *tc, struct tls_enable *en,
1175 uint64_t seqno, size_t len)
1176 {
1177 struct kevent ev;
1178 struct tls_record_layer *hdr;
1179 char *plaintext, *decrypted, *outbuf;
1180 size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written;
1181 ssize_t rv;
1182 int kq, sockets[2];
1183 uint8_t record_type;
1184
1185 plaintext = alloc_buffer(len);
1186 debug_hexdump(tc, plaintext, len, "plaintext");
1187 decrypted = malloc(len);
1188 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 +
1189 tls_trailer_len(en);
1190 outbuf = malloc(outbuf_cap);
1191 hdr = (struct tls_record_layer *)outbuf;
1192
1193 ATF_REQUIRE((kq = kqueue()) != -1);
1194
1195 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1196
1197 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1198 sizeof(*en)) == 0);
1199 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1200
1201 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL);
1202 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1203 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL);
1204 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1205
1206 decrypted_len = 0;
1207 outbuf_len = 0;
1208 written = 0;
1209
1210 while (decrypted_len != len) {
1211 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1);
1212
1213 switch (ev.filter) {
1214 case EVFILT_WRITE:
1215 /* Try to write any remaining data. */
1216 rv = write(ev.ident, plaintext + written,
1217 len - written);
1218 ATF_REQUIRE_MSG(rv > 0,
1219 "failed to write to socket");
1220 written += rv;
1221 if (written == len) {
1222 ev.flags = EV_DISABLE;
1223 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0,
1224 NULL) == 0);
1225 }
1226 break;
1227
1228 case EVFILT_READ:
1229 ATF_REQUIRE((ev.flags & EV_EOF) == 0);
1230
1231 /*
1232 * Try to read data for the next TLS record
1233 * into outbuf. Start by reading the header
1234 * to determine how much additional data to
1235 * read.
1236 */
1237 if (outbuf_len < sizeof(struct tls_record_layer)) {
1238 rv = read(ev.ident, outbuf + outbuf_len,
1239 sizeof(struct tls_record_layer) -
1240 outbuf_len);
1241 ATF_REQUIRE_MSG(rv > 0,
1242 "failed to read from socket");
1243 outbuf_len += rv;
1244
1245 if (outbuf_len ==
1246 sizeof(struct tls_record_layer)) {
1247 debug(tc, "TLS header for seqno %ju:\n",
1248 (uintmax_t)seqno);
1249 debug_hexdump(tc, outbuf, outbuf_len,
1250 NULL);
1251 }
1252 }
1253
1254 if (outbuf_len < sizeof(struct tls_record_layer))
1255 break;
1256
1257 record_len = sizeof(struct tls_record_layer) +
1258 ntohs(hdr->tls_length);
1259 debug(tc, "record_len %zu outbuf_cap %zu\n",
1260 record_len, outbuf_cap);
1261 ATF_REQUIRE(record_len <= outbuf_cap);
1262 ATF_REQUIRE(record_len > outbuf_len);
1263 rv = read(ev.ident, outbuf + outbuf_len,
1264 record_len - outbuf_len);
1265 if (rv == -1 && errno == EAGAIN)
1266 break;
1267 ATF_REQUIRE_MSG(rv > 0,
1268 "failed to read from socket: %s", strerror(errno));
1269
1270 outbuf_len += rv;
1271 if (outbuf_len == record_len) {
1272 decrypted_len += decrypt_tls_record(tc, en,
1273 seqno, outbuf, outbuf_len,
1274 decrypted + decrypted_len,
1275 len - decrypted_len, &record_type);
1276 ATF_REQUIRE_INTEQ(TLS_RLTYPE_APP, record_type);
1277
1278 seqno++;
1279 outbuf_len = 0;
1280 }
1281 break;
1282 }
1283 }
1284
1285 ATF_REQUIRE_MSG(written == decrypted_len,
1286 "read %zu decrypted bytes, but wrote %zu", decrypted_len, written);
1287
1288 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
1289
1290 free(outbuf);
1291 free(decrypted);
1292 free(plaintext);
1293
1294 close_sockets(sockets);
1295 ATF_REQUIRE(close(kq) == 0);
1296 }
1297
1298 static void
ktls_send_control_message(int fd,uint8_t type,void * data,size_t len)1299 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len)
1300 {
1301 struct msghdr msg;
1302 struct cmsghdr *cmsg;
1303 char cbuf[CMSG_SPACE(sizeof(type))];
1304 struct iovec iov;
1305
1306 memset(&msg, 0, sizeof(msg));
1307
1308 msg.msg_control = cbuf;
1309 msg.msg_controllen = sizeof(cbuf);
1310 cmsg = CMSG_FIRSTHDR(&msg);
1311 cmsg->cmsg_level = IPPROTO_TCP;
1312 cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
1313 cmsg->cmsg_len = CMSG_LEN(sizeof(type));
1314 *(uint8_t *)CMSG_DATA(cmsg) = type;
1315
1316 iov.iov_base = data;
1317 iov.iov_len = len;
1318 msg.msg_iov = &iov;
1319 msg.msg_iovlen = 1;
1320
1321 ATF_REQUIRE_INTEQ((ssize_t)len, sendmsg(fd, &msg, 0));
1322 }
1323
1324 static void
test_ktls_transmit_control(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,uint8_t type,size_t len)1325 test_ktls_transmit_control(const atf_tc_t *tc, struct tls_enable *en,
1326 uint64_t seqno, uint8_t type, size_t len)
1327 {
1328 struct tls_record_layer *hdr;
1329 char *plaintext, *decrypted, *outbuf;
1330 size_t outbuf_cap, payload_len, record_len;
1331 ssize_t rv;
1332 int sockets[2];
1333 uint8_t record_type;
1334
1335 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1336
1337 plaintext = alloc_buffer(len);
1338 decrypted = malloc(len);
1339 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1340 outbuf = malloc(outbuf_cap);
1341 hdr = (struct tls_record_layer *)outbuf;
1342
1343 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1344
1345 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1346 sizeof(*en)) == 0);
1347 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1348
1349 fd_set_blocking(sockets[0]);
1350 fd_set_blocking(sockets[1]);
1351
1352 ktls_send_control_message(sockets[1], type, plaintext, len);
1353
1354 /*
1355 * First read the header to determine how much additional data
1356 * to read.
1357 */
1358 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
1359 ATF_REQUIRE_INTEQ(sizeof(struct tls_record_layer), rv);
1360 payload_len = ntohs(hdr->tls_length);
1361 record_len = payload_len + sizeof(struct tls_record_layer);
1362 ATF_REQUIRE_MSG(record_len <= outbuf_cap,
1363 "record_len (%zu) > outbuf_cap (%zu)", record_len, outbuf_cap);
1364 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
1365 payload_len);
1366 ATF_REQUIRE_INTEQ((ssize_t)payload_len, rv);
1367
1368 rv = decrypt_tls_record(tc, en, seqno, outbuf, record_len, decrypted,
1369 len, &record_type);
1370
1371 ATF_REQUIRE_MSG((ssize_t)len == rv,
1372 "read %zd decrypted bytes, but wrote %zu", rv, len);
1373 ATF_REQUIRE_INTEQ(type, record_type);
1374
1375 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
1376
1377 free(outbuf);
1378 free(decrypted);
1379 free(plaintext);
1380
1381 close_sockets(sockets);
1382 }
1383
1384 static void
test_ktls_transmit_empty_fragment(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno)1385 test_ktls_transmit_empty_fragment(const atf_tc_t *tc, struct tls_enable *en,
1386 uint64_t seqno)
1387 {
1388 struct tls_record_layer *hdr;
1389 char *outbuf;
1390 size_t outbuf_cap, payload_len, record_len;
1391 ssize_t rv;
1392 int sockets[2];
1393 uint8_t record_type;
1394
1395 outbuf_cap = tls_header_len(en) + tls_trailer_len(en);
1396 outbuf = malloc(outbuf_cap);
1397 hdr = (struct tls_record_layer *)outbuf;
1398
1399 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1400
1401 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1402 sizeof(*en)) == 0);
1403 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1404
1405 fd_set_blocking(sockets[0]);
1406 fd_set_blocking(sockets[1]);
1407
1408 /*
1409 * A write of zero bytes should send an empty fragment only for
1410 * TLS 1.0, otherwise an error should be raised.
1411 */
1412 rv = write(sockets[1], NULL, 0);
1413 if (rv == 0) {
1414 ATF_REQUIRE_INTEQ(CRYPTO_AES_CBC, en->cipher_algorithm);
1415 ATF_REQUIRE_INTEQ(TLS_MINOR_VER_ZERO, en->tls_vminor);
1416 } else {
1417 ATF_REQUIRE_INTEQ(-1, rv);
1418 ATF_REQUIRE_ERRNO(EINVAL, true);
1419 goto out;
1420 }
1421
1422 /*
1423 * First read the header to determine how much additional data
1424 * to read.
1425 */
1426 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
1427 ATF_REQUIRE_INTEQ(sizeof(struct tls_record_layer), rv);
1428 payload_len = ntohs(hdr->tls_length);
1429 record_len = payload_len + sizeof(struct tls_record_layer);
1430 ATF_REQUIRE_MSG(record_len <= outbuf_cap,
1431 "record_len (%zu) > outbuf_cap (%zu)", record_len, outbuf_cap);
1432 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
1433 payload_len);
1434 ATF_REQUIRE_INTEQ((ssize_t)payload_len, rv);
1435
1436 rv = decrypt_tls_record(tc, en, seqno, outbuf, record_len, NULL, 0,
1437 &record_type);
1438
1439 ATF_REQUIRE_MSG(rv == 0,
1440 "read %zd decrypted bytes for an empty fragment", rv);
1441 ATF_REQUIRE_INTEQ(TLS_RLTYPE_APP, record_type);
1442
1443 out:
1444 free(outbuf);
1445
1446 close_sockets(sockets);
1447 }
1448
1449 static size_t
ktls_receive_tls_record(struct tls_enable * en,int fd,uint8_t record_type,void * data,size_t len)1450 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type,
1451 void *data, size_t len)
1452 {
1453 struct msghdr msg;
1454 struct cmsghdr *cmsg;
1455 struct tls_get_record *tgr;
1456 char cbuf[CMSG_SPACE(sizeof(*tgr))];
1457 struct iovec iov;
1458 ssize_t rv;
1459
1460 memset(&msg, 0, sizeof(msg));
1461
1462 msg.msg_control = cbuf;
1463 msg.msg_controllen = sizeof(cbuf);
1464
1465 iov.iov_base = data;
1466 iov.iov_len = len;
1467 msg.msg_iov = &iov;
1468 msg.msg_iovlen = 1;
1469
1470 ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0);
1471
1472 ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR);
1473
1474 cmsg = CMSG_FIRSTHDR(&msg);
1475 ATF_REQUIRE(cmsg != NULL);
1476 ATF_REQUIRE_INTEQ(IPPROTO_TCP, cmsg->cmsg_level);
1477 ATF_REQUIRE_INTEQ(TLS_GET_RECORD, cmsg->cmsg_type);
1478 ATF_REQUIRE_INTEQ(CMSG_LEN(sizeof(*tgr)), cmsg->cmsg_len);
1479
1480 tgr = (struct tls_get_record *)CMSG_DATA(cmsg);
1481 ATF_REQUIRE_INTEQ(record_type, tgr->tls_type);
1482 ATF_REQUIRE_INTEQ(en->tls_vmajor, tgr->tls_vmajor);
1483 /* XXX: Not sure if this is what OpenSSL expects? */
1484 if (en->tls_vminor == TLS_MINOR_VER_THREE)
1485 ATF_REQUIRE_INTEQ(TLS_MINOR_VER_TWO, tgr->tls_vminor);
1486 else
1487 ATF_REQUIRE_INTEQ(en->tls_vminor, tgr->tls_vminor);
1488 ATF_REQUIRE_INTEQ(htons(rv), tgr->tls_length);
1489
1490 return (rv);
1491 }
1492
1493 static void
test_ktls_receive_app_data(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len,size_t padding)1494 test_ktls_receive_app_data(const atf_tc_t *tc, struct tls_enable *en,
1495 uint64_t seqno, size_t len, size_t padding)
1496 {
1497 struct kevent ev;
1498 char *plaintext, *received, *outbuf;
1499 size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written;
1500 ssize_t rv;
1501 int kq, sockets[2];
1502
1503 plaintext = alloc_buffer(len);
1504 received = malloc(len);
1505 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 +
1506 tls_trailer_len(en);
1507 outbuf = malloc(outbuf_cap);
1508
1509 ATF_REQUIRE((kq = kqueue()) != -1);
1510
1511 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1512
1513 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1514 sizeof(*en)) == 0);
1515 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1516
1517 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL);
1518 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1519 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL);
1520 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1521
1522 received_len = 0;
1523 outbuf_len = 0;
1524 written = 0;
1525
1526 while (received_len != len) {
1527 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1);
1528
1529 switch (ev.filter) {
1530 case EVFILT_WRITE:
1531 /*
1532 * Compose the next TLS record to send.
1533 */
1534 if (outbuf_len == 0) {
1535 ATF_REQUIRE(written < len);
1536 todo = len - written;
1537 if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding)
1538 todo = TLS_MAX_MSG_SIZE_V10_2 - padding;
1539 outbuf_len = encrypt_tls_record(tc, en,
1540 TLS_RLTYPE_APP, seqno, plaintext + written,
1541 todo, outbuf, outbuf_cap, padding);
1542 outbuf_sent = 0;
1543 written += todo;
1544 seqno++;
1545 }
1546
1547 /*
1548 * Try to write the remainder of the current
1549 * TLS record.
1550 */
1551 rv = write(ev.ident, outbuf + outbuf_sent,
1552 outbuf_len - outbuf_sent);
1553 ATF_REQUIRE_MSG(rv > 0,
1554 "failed to write to socket: %s", strerror(errno));
1555 outbuf_sent += rv;
1556 if (outbuf_sent == outbuf_len) {
1557 outbuf_len = 0;
1558 if (written == len) {
1559 ev.flags = EV_DISABLE;
1560 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0,
1561 NULL) == 0);
1562 }
1563 }
1564 break;
1565
1566 case EVFILT_READ:
1567 ATF_REQUIRE((ev.flags & EV_EOF) == 0);
1568
1569 rv = ktls_receive_tls_record(en, ev.ident,
1570 TLS_RLTYPE_APP, received + received_len,
1571 len - received_len);
1572 received_len += rv;
1573 break;
1574 }
1575 }
1576
1577 ATF_REQUIRE_MSG(written == received_len,
1578 "read %zu decrypted bytes, but wrote %zu", received_len, written);
1579
1580 ATF_REQUIRE(memcmp(plaintext, received, len) == 0);
1581
1582 free(outbuf);
1583 free(received);
1584 free(plaintext);
1585
1586 close_sockets(sockets);
1587 ATF_REQUIRE(close(kq) == 0);
1588 }
1589
1590 static void
ktls_receive_tls_error(int fd,int expected_error)1591 ktls_receive_tls_error(int fd, int expected_error)
1592 {
1593 struct msghdr msg;
1594 struct tls_get_record *tgr;
1595 char cbuf[CMSG_SPACE(sizeof(*tgr))];
1596 char buf[64];
1597 struct iovec iov;
1598
1599 memset(&msg, 0, sizeof(msg));
1600
1601 msg.msg_control = cbuf;
1602 msg.msg_controllen = sizeof(cbuf);
1603
1604 iov.iov_base = buf;
1605 iov.iov_len = sizeof(buf);
1606 msg.msg_iov = &iov;
1607 msg.msg_iovlen = 1;
1608
1609 ATF_REQUIRE(recvmsg(fd, &msg, 0) == -1);
1610 if (expected_error != 0)
1611 ATF_REQUIRE_ERRNO(expected_error, true);
1612 }
1613
1614 static void
test_ktls_receive_corrupted_record(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len,ssize_t offset)1615 test_ktls_receive_corrupted_record(const atf_tc_t *tc, struct tls_enable *en,
1616 uint64_t seqno, size_t len, ssize_t offset)
1617 {
1618 char *plaintext, *outbuf;
1619 size_t outbuf_cap, outbuf_len;
1620 ssize_t rv;
1621 int sockets[2];
1622
1623 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1624
1625 plaintext = alloc_buffer(len);
1626 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1627 outbuf = malloc(outbuf_cap);
1628
1629 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1630
1631 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1632 sizeof(*en)) == 0);
1633 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1634
1635 fd_set_blocking(sockets[0]);
1636 fd_set_blocking(sockets[1]);
1637
1638 outbuf_len = encrypt_tls_record(tc, en, TLS_RLTYPE_APP, seqno,
1639 plaintext, len, outbuf, outbuf_cap, 0);
1640
1641 /* A negative offset is an offset from the end. */
1642 if (offset < 0)
1643 offset += outbuf_len;
1644 outbuf[offset] ^= 0x01;
1645
1646 rv = write(sockets[1], outbuf, outbuf_len);
1647 ATF_REQUIRE_INTEQ((ssize_t)outbuf_len, rv);
1648
1649 ktls_receive_tls_error(sockets[0], EBADMSG);
1650
1651 free(outbuf);
1652 free(plaintext);
1653
1654 close_sockets_ignore_errors(sockets);
1655 }
1656
1657 static void
test_ktls_receive_corrupted_iv(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1658 test_ktls_receive_corrupted_iv(const atf_tc_t *tc, struct tls_enable *en,
1659 uint64_t seqno, size_t len)
1660 {
1661 ATF_REQUIRE(tls_header_len(en) > sizeof(struct tls_record_layer));
1662
1663 /* Corrupt the first byte of the explicit IV after the header. */
1664 test_ktls_receive_corrupted_record(tc, en, seqno, len,
1665 sizeof(struct tls_record_layer));
1666 }
1667
1668 static void
test_ktls_receive_corrupted_data(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1669 test_ktls_receive_corrupted_data(const atf_tc_t *tc, struct tls_enable *en,
1670 uint64_t seqno, size_t len)
1671 {
1672 ATF_REQUIRE(len > 0);
1673
1674 /* Corrupt the first ciphertext byte after the header. */
1675 test_ktls_receive_corrupted_record(tc, en, seqno, len,
1676 tls_header_len(en));
1677 }
1678
1679 static void
test_ktls_receive_corrupted_mac(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1680 test_ktls_receive_corrupted_mac(const atf_tc_t *tc, struct tls_enable *en,
1681 uint64_t seqno, size_t len)
1682 {
1683 size_t offset;
1684
1685 /* Corrupt the first byte of the MAC. */
1686 if (en->cipher_algorithm == CRYPTO_AES_CBC)
1687 offset = tls_header_len(en) + len;
1688 else
1689 offset = -tls_mac_len(en);
1690 test_ktls_receive_corrupted_record(tc, en, seqno, len, offset);
1691 }
1692
1693 static void
test_ktls_receive_corrupted_padding(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1694 test_ktls_receive_corrupted_padding(const atf_tc_t *tc, struct tls_enable *en,
1695 uint64_t seqno, size_t len)
1696 {
1697 ATF_REQUIRE_INTEQ(CRYPTO_AES_CBC, en->cipher_algorithm);
1698
1699 /* Corrupt the last byte of the padding. */
1700 test_ktls_receive_corrupted_record(tc, en, seqno, len, -1);
1701 }
1702
1703 static void
test_ktls_receive_truncated_record(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1704 test_ktls_receive_truncated_record(const atf_tc_t *tc, struct tls_enable *en,
1705 uint64_t seqno, size_t len)
1706 {
1707 char *plaintext, *outbuf;
1708 size_t outbuf_cap, outbuf_len;
1709 ssize_t rv;
1710 int sockets[2];
1711
1712 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1713
1714 plaintext = alloc_buffer(len);
1715 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1716 outbuf = malloc(outbuf_cap);
1717
1718 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1719
1720 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1721 sizeof(*en)) == 0);
1722 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1723
1724 fd_set_blocking(sockets[0]);
1725 fd_set_blocking(sockets[1]);
1726
1727 outbuf_len = encrypt_tls_record(tc, en, TLS_RLTYPE_APP, seqno,
1728 plaintext, len, outbuf, outbuf_cap, 0);
1729
1730 rv = write(sockets[1], outbuf, outbuf_len / 2);
1731 ATF_REQUIRE_INTEQ((ssize_t)(outbuf_len / 2), rv);
1732
1733 ATF_REQUIRE(shutdown(sockets[1], SHUT_WR) == 0);
1734
1735 ktls_receive_tls_error(sockets[0], EMSGSIZE);
1736
1737 free(outbuf);
1738 free(plaintext);
1739
1740 close_sockets_ignore_errors(sockets);
1741 }
1742
1743 static void
test_ktls_receive_bad_major(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1744 test_ktls_receive_bad_major(const atf_tc_t *tc, struct tls_enable *en,
1745 uint64_t seqno, size_t len)
1746 {
1747 struct tls_record_layer *hdr;
1748 char *plaintext, *outbuf;
1749 size_t outbuf_cap, outbuf_len;
1750 ssize_t rv;
1751 int sockets[2];
1752
1753 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1754
1755 plaintext = alloc_buffer(len);
1756 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1757 outbuf = malloc(outbuf_cap);
1758
1759 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1760
1761 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1762 sizeof(*en)) == 0);
1763 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1764
1765 fd_set_blocking(sockets[0]);
1766 fd_set_blocking(sockets[1]);
1767
1768 outbuf_len = encrypt_tls_record(tc, en, TLS_RLTYPE_APP, seqno,
1769 plaintext, len, outbuf, outbuf_cap, 0);
1770
1771 hdr = (void *)outbuf;
1772 hdr->tls_vmajor++;
1773
1774 rv = write(sockets[1], outbuf, outbuf_len);
1775 ATF_REQUIRE_INTEQ((ssize_t)outbuf_len, rv);
1776
1777 ktls_receive_tls_error(sockets[0], EINVAL);
1778
1779 free(outbuf);
1780 free(plaintext);
1781
1782 close_sockets_ignore_errors(sockets);
1783 }
1784
1785 static void
test_ktls_receive_bad_minor(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1786 test_ktls_receive_bad_minor(const atf_tc_t *tc, struct tls_enable *en,
1787 uint64_t seqno, size_t len)
1788 {
1789 struct tls_record_layer *hdr;
1790 char *plaintext, *outbuf;
1791 size_t outbuf_cap, outbuf_len;
1792 ssize_t rv;
1793 int sockets[2];
1794
1795 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1796
1797 plaintext = alloc_buffer(len);
1798 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1799 outbuf = malloc(outbuf_cap);
1800
1801 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1802
1803 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1804 sizeof(*en)) == 0);
1805 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1806
1807 fd_set_blocking(sockets[0]);
1808 fd_set_blocking(sockets[1]);
1809
1810 outbuf_len = encrypt_tls_record(tc, en, TLS_RLTYPE_APP, seqno,
1811 plaintext, len, outbuf, outbuf_cap, 0);
1812
1813 hdr = (void *)outbuf;
1814 hdr->tls_vminor++;
1815
1816 rv = write(sockets[1], outbuf, outbuf_len);
1817 ATF_REQUIRE_INTEQ((ssize_t)outbuf_len, rv);
1818
1819 ktls_receive_tls_error(sockets[0], EINVAL);
1820
1821 free(outbuf);
1822 free(plaintext);
1823
1824 close_sockets_ignore_errors(sockets);
1825 }
1826
1827 static void
test_ktls_receive_bad_type(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1828 test_ktls_receive_bad_type(const atf_tc_t *tc, struct tls_enable *en,
1829 uint64_t seqno, size_t len)
1830 {
1831 struct tls_record_layer *hdr;
1832 char *plaintext, *outbuf;
1833 size_t outbuf_cap, outbuf_len;
1834 ssize_t rv;
1835 int sockets[2];
1836
1837 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1838 ATF_REQUIRE_INTEQ(TLS_MINOR_VER_THREE, en->tls_vminor);
1839
1840 plaintext = alloc_buffer(len);
1841 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1842 outbuf = malloc(outbuf_cap);
1843
1844 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1845
1846 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1847 sizeof(*en)) == 0);
1848 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1849
1850 fd_set_blocking(sockets[0]);
1851 fd_set_blocking(sockets[1]);
1852
1853 outbuf_len = encrypt_tls_record(tc, en, 0x21 /* Alert */, seqno,
1854 plaintext, len, outbuf, outbuf_cap, 0);
1855
1856 hdr = (void *)outbuf;
1857 hdr->tls_type = TLS_RLTYPE_APP + 1;
1858
1859 rv = write(sockets[1], outbuf, outbuf_len);
1860 ATF_REQUIRE_INTEQ((ssize_t)outbuf_len, rv);
1861
1862 ktls_receive_tls_error(sockets[0], EINVAL);
1863
1864 free(outbuf);
1865 free(plaintext);
1866
1867 close_sockets_ignore_errors(sockets);
1868 }
1869
1870 static void
test_ktls_receive_bad_size(const atf_tc_t * tc,struct tls_enable * en,uint64_t seqno,size_t len)1871 test_ktls_receive_bad_size(const atf_tc_t *tc, struct tls_enable *en,
1872 uint64_t seqno, size_t len)
1873 {
1874 struct tls_record_layer *hdr;
1875 char *outbuf;
1876 size_t outbuf_len;
1877 ssize_t rv;
1878 int sockets[2];
1879
1880 outbuf_len = sizeof(*hdr) + len;
1881 outbuf = calloc(1, outbuf_len);
1882
1883 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1884
1885 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1886 sizeof(*en)) == 0);
1887 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1888
1889 fd_set_blocking(sockets[0]);
1890 fd_set_blocking(sockets[1]);
1891
1892 hdr = (void *)outbuf;
1893 hdr->tls_vmajor = en->tls_vmajor;
1894 if (en->tls_vminor == TLS_MINOR_VER_THREE)
1895 hdr->tls_vminor = TLS_MINOR_VER_TWO;
1896 else
1897 hdr->tls_vminor = en->tls_vminor;
1898 hdr->tls_type = TLS_RLTYPE_APP;
1899 hdr->tls_length = htons(len);
1900
1901 rv = write(sockets[1], outbuf, outbuf_len);
1902 ATF_REQUIRE_INTEQ((ssize_t)outbuf_len, rv);
1903
1904 /*
1905 * The other end may notice the error and drop the connection
1906 * before this executes resulting in shutdown() failing with
1907 * either ENOTCONN or ECONNRESET. Ignore this error if it
1908 * occurs.
1909 */
1910 if (shutdown(sockets[1], SHUT_WR) != 0) {
1911 ATF_REQUIRE_MSG(errno == ENOTCONN || errno == ECONNRESET,
1912 "shutdown() failed: %s", strerror(errno));
1913 }
1914
1915 ktls_receive_tls_error(sockets[0], EMSGSIZE);
1916
1917 free(outbuf);
1918
1919 close_sockets_ignore_errors(sockets);
1920 }
1921
1922 #define TLS_10_TESTS(M) \
1923 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \
1924 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \
1925 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \
1926 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)
1927
1928 #define TLS_13_TESTS(M) \
1929 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \
1930 TLS_MINOR_VER_THREE) \
1931 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \
1932 TLS_MINOR_VER_THREE) \
1933 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \
1934 TLS_MINOR_VER_THREE)
1935
1936 #define AES_CBC_NONZERO_TESTS(M) \
1937 M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \
1938 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \
1939 M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \
1940 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \
1941 M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \
1942 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \
1943 M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \
1944 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \
1945 M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \
1946 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \
1947 M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \
1948 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \
1949 M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \
1950 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \
1951 M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \
1952 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \
1953
1954 #define AES_CBC_TESTS(M) \
1955 TLS_10_TESTS(M) \
1956 AES_CBC_NONZERO_TESTS(M)
1957
1958 #define AES_GCM_12_TESTS(M) \
1959 M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \
1960 TLS_MINOR_VER_TWO) \
1961 M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \
1962 TLS_MINOR_VER_TWO)
1963
1964 #define AES_GCM_TESTS(M) \
1965 AES_GCM_12_TESTS(M) \
1966 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \
1967 TLS_MINOR_VER_THREE) \
1968 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \
1969 TLS_MINOR_VER_THREE)
1970
1971 #define CHACHA20_TESTS(M) \
1972 M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \
1973 TLS_MINOR_VER_TWO) \
1974 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \
1975 TLS_MINOR_VER_THREE)
1976
1977 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
1978 auth_alg, minor, name, len) \
1979 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \
1980 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \
1981 { \
1982 struct tls_enable en; \
1983 uint64_t seqno; \
1984 \
1985 ATF_REQUIRE_KTLS(); \
1986 seqno = random(); \
1987 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
1988 seqno, &en); \
1989 test_ktls_transmit_app_data(tc, &en, seqno, len); \
1990 free_tls_enable(&en); \
1991 }
1992
1993 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
1994 auth_alg, minor, name) \
1995 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
1996
1997 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
1998 auth_alg, minor, name, type, len) \
1999 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \
2000 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \
2001 { \
2002 struct tls_enable en; \
2003 uint64_t seqno; \
2004 \
2005 ATF_REQUIRE_KTLS(); \
2006 seqno = random(); \
2007 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2008 seqno, &en); \
2009 test_ktls_transmit_control(tc, &en, seqno, type, len); \
2010 free_tls_enable(&en); \
2011 }
2012
2013 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2014 auth_alg, minor, name) \
2015 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
2016
2017 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \
2018 key_size, auth_alg, minor) \
2019 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \
2020 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \
2021 { \
2022 struct tls_enable en; \
2023 uint64_t seqno; \
2024 \
2025 ATF_REQUIRE_KTLS(); \
2026 seqno = random(); \
2027 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2028 seqno, &en); \
2029 test_ktls_transmit_empty_fragment(tc, &en, seqno); \
2030 free_tls_enable(&en); \
2031 }
2032
2033 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \
2034 key_size, auth_alg, minor) \
2035 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
2036
2037 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \
2038 minor) \
2039 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2040 auth_alg, minor, short, 64) \
2041 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2042 auth_alg, minor, long, 64 * 1024) \
2043 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2044 auth_alg, minor, control, 0x21 /* Alert */, 32)
2045
2046 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \
2047 minor) \
2048 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2049 auth_alg, minor, short) \
2050 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2051 auth_alg, minor, long) \
2052 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2053 auth_alg, minor, control)
2054
2055 /*
2056 * For each supported cipher suite, run three transmit tests:
2057 *
2058 * - a short test which sends 64 bytes of application data (likely as
2059 * a single TLS record)
2060 *
2061 * - a long test which sends 64KB of application data (split across
2062 * multiple TLS records)
2063 *
2064 * - a control test which sends a single record with a specific
2065 * content type via sendmsg()
2066 */
2067 AES_CBC_TESTS(GEN_TRANSMIT_TESTS);
2068 AES_GCM_TESTS(GEN_TRANSMIT_TESTS);
2069 CHACHA20_TESTS(GEN_TRANSMIT_TESTS);
2070
2071 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \
2072 auth_alg, minor) \
2073 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2074 auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \
2075 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2076 auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \
2077 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2078 auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \
2079 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2080 auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \
2081 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2082 auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \
2083 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2084 auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \
2085 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2086 auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \
2087 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2088 auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \
2089 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2090 auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \
2091 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2092 auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \
2093 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2094 auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \
2095 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2096 auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \
2097 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2098 auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \
2099 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2100 auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \
2101 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2102 auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \
2103 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2104 auth_alg, minor, padding_16, 0x21 /* Alert */, 16)
2105
2106 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \
2107 auth_alg, minor) \
2108 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2109 auth_alg, minor, padding_1) \
2110 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2111 auth_alg, minor, padding_2) \
2112 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2113 auth_alg, minor, padding_3) \
2114 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2115 auth_alg, minor, padding_4) \
2116 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2117 auth_alg, minor, padding_5) \
2118 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2119 auth_alg, minor, padding_6) \
2120 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2121 auth_alg, minor, padding_7) \
2122 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2123 auth_alg, minor, padding_8) \
2124 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2125 auth_alg, minor, padding_9) \
2126 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2127 auth_alg, minor, padding_10) \
2128 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2129 auth_alg, minor, padding_11) \
2130 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2131 auth_alg, minor, padding_12) \
2132 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2133 auth_alg, minor, padding_13) \
2134 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2135 auth_alg, minor, padding_14) \
2136 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2137 auth_alg, minor, padding_15) \
2138 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \
2139 auth_alg, minor, padding_16)
2140
2141 /*
2142 * For AES-CBC MTE cipher suites using padding, add tests of messages
2143 * with each possible padding size. Note that the padding_<N> tests
2144 * do not necessarily test <N> bytes of padding as the padding is a
2145 * function of the cipher suite's MAC length. However, cycling
2146 * through all of the payload sizes from 1 to 16 should exercise all
2147 * of the possible padding lengths for each suite.
2148 */
2149 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS);
2150
2151 /*
2152 * Test "empty fragments" which are TLS records with no payload that
2153 * OpenSSL can send for TLS 1.0 connections.
2154 */
2155 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
2156 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
2157 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
2158
2159 static void
test_ktls_invalid_transmit_cipher_suite(const atf_tc_t * tc,struct tls_enable * en)2160 test_ktls_invalid_transmit_cipher_suite(const atf_tc_t *tc,
2161 struct tls_enable *en)
2162 {
2163 int sockets[2];
2164
2165 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
2166
2167 ATF_REQUIRE_ERRNO(EINVAL, setsockopt(sockets[1], IPPROTO_TCP,
2168 TCP_TXTLS_ENABLE, en, sizeof(*en)) == -1);
2169
2170 close_sockets(sockets);
2171 }
2172
2173 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \
2174 minor) \
2175 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name); \
2176 ATF_TC_BODY(ktls_transmit_invalid_##name, tc) \
2177 { \
2178 struct tls_enable en; \
2179 uint64_t seqno; \
2180 \
2181 ATF_REQUIRE_KTLS(); \
2182 seqno = random(); \
2183 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2184 seqno, &en); \
2185 test_ktls_invalid_transmit_cipher_suite(tc, &en); \
2186 free_tls_enable(&en); \
2187 }
2188
2189 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \
2190 minor) \
2191 ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name);
2192
2193 #define INVALID_CIPHER_SUITES(M) \
2194 M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8, \
2195 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO) \
2196 M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8, \
2197 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO) \
2198 M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \
2199 TLS_MINOR_VER_ZERO) \
2200 M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \
2201 TLS_MINOR_VER_ZERO) \
2202 M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8, \
2203 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE) \
2204 M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8, \
2205 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE) \
2206 M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \
2207 TLS_MINOR_VER_ONE) \
2208 M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \
2209 TLS_MINOR_VER_ONE) \
2210 M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8, \
2211 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE) \
2212 M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8, \
2213 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE) \
2214 M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8, \
2215 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE)
2216
2217 /*
2218 * Ensure that invalid cipher suites are rejected for transmit.
2219 */
2220 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST);
2221
2222 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2223 auth_alg, minor, name, len, padding) \
2224 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \
2225 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \
2226 { \
2227 struct tls_enable en; \
2228 uint64_t seqno; \
2229 \
2230 ATF_REQUIRE_KTLS(); \
2231 seqno = random(); \
2232 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2233 seqno, &en); \
2234 test_ktls_receive_app_data(tc, &en, seqno, len, padding); \
2235 free_tls_enable(&en); \
2236 }
2237
2238 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2239 auth_alg, minor, name) \
2240 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name);
2241
2242 #define GEN_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \
2243 auth_alg, minor, len) \
2244 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_data); \
2245 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_data, tc) \
2246 { \
2247 struct tls_enable en; \
2248 uint64_t seqno; \
2249 \
2250 ATF_REQUIRE_KTLS(); \
2251 seqno = random(); \
2252 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2253 seqno, &en); \
2254 test_ktls_receive_corrupted_data(tc, &en, seqno, len); \
2255 free_tls_enable(&en); \
2256 }
2257
2258 #define ADD_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \
2259 auth_alg, minor) \
2260 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_data);
2261
2262 #define GEN_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \
2263 auth_alg, minor, len) \
2264 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_mac); \
2265 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_mac, tc) \
2266 { \
2267 struct tls_enable en; \
2268 uint64_t seqno; \
2269 \
2270 ATF_REQUIRE_KTLS(); \
2271 seqno = random(); \
2272 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2273 seqno, &en); \
2274 test_ktls_receive_corrupted_mac(tc, &en, seqno, len); \
2275 free_tls_enable(&en); \
2276 }
2277
2278 #define ADD_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \
2279 auth_alg, minor) \
2280 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_mac);
2281
2282 #define GEN_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \
2283 auth_alg, minor, len) \
2284 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_truncated_record); \
2285 ATF_TC_BODY(ktls_receive_##cipher_name##_truncated_record, tc) \
2286 { \
2287 struct tls_enable en; \
2288 uint64_t seqno; \
2289 \
2290 ATF_REQUIRE_KTLS(); \
2291 seqno = random(); \
2292 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2293 seqno, &en); \
2294 test_ktls_receive_truncated_record(tc, &en, seqno, len); \
2295 free_tls_enable(&en); \
2296 }
2297
2298 #define ADD_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \
2299 auth_alg, minor) \
2300 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_truncated_record);
2301
2302 #define GEN_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \
2303 auth_alg, minor, len) \
2304 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_major); \
2305 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_major, tc) \
2306 { \
2307 struct tls_enable en; \
2308 uint64_t seqno; \
2309 \
2310 ATF_REQUIRE_KTLS(); \
2311 seqno = random(); \
2312 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2313 seqno, &en); \
2314 test_ktls_receive_bad_major(tc, &en, seqno, len); \
2315 free_tls_enable(&en); \
2316 }
2317
2318 #define ADD_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \
2319 auth_alg, minor) \
2320 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_major);
2321
2322 #define GEN_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \
2323 auth_alg, minor, len) \
2324 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_minor); \
2325 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_minor, tc) \
2326 { \
2327 struct tls_enable en; \
2328 uint64_t seqno; \
2329 \
2330 ATF_REQUIRE_KTLS(); \
2331 seqno = random(); \
2332 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2333 seqno, &en); \
2334 test_ktls_receive_bad_minor(tc, &en, seqno, len); \
2335 free_tls_enable(&en); \
2336 }
2337
2338 #define ADD_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \
2339 auth_alg, minor) \
2340 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_minor);
2341
2342 #define GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2343 auth_alg, minor, name, len) \
2344 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \
2345 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \
2346 { \
2347 struct tls_enable en; \
2348 uint64_t seqno; \
2349 \
2350 ATF_REQUIRE_KTLS(); \
2351 seqno = random(); \
2352 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2353 seqno, &en); \
2354 test_ktls_receive_bad_size(tc, &en, seqno, (len)); \
2355 free_tls_enable(&en); \
2356 }
2357
2358 #define ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2359 auth_alg, minor, name) \
2360 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name);
2361
2362 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \
2363 minor) \
2364 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2365 auth_alg, minor, short, 64, 0) \
2366 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2367 auth_alg, minor, long, 64 * 1024, 0) \
2368 GEN_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \
2369 auth_alg, minor, 64) \
2370 GEN_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \
2371 auth_alg, minor, 64) \
2372 GEN_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \
2373 auth_alg, minor, 64) \
2374 GEN_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \
2375 auth_alg, minor, 64) \
2376 GEN_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \
2377 auth_alg, minor, 64) \
2378 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2379 auth_alg, minor, small_record, \
2380 tls_minimum_record_payload(&en) - 1) \
2381 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2382 auth_alg, minor, oversized_record, \
2383 TLS_MAX_MSG_SIZE_V10_2 * 2)
2384
2385 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \
2386 minor) \
2387 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2388 auth_alg, minor, short) \
2389 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2390 auth_alg, minor, long) \
2391 ADD_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \
2392 auth_alg, minor) \
2393 ADD_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \
2394 auth_alg, minor) \
2395 ADD_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \
2396 auth_alg, minor) \
2397 ADD_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \
2398 auth_alg, minor) \
2399 ADD_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \
2400 auth_alg, minor) \
2401 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2402 auth_alg, minor, small_record) \
2403 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2404 auth_alg, minor, oversized_record)
2405
2406 /*
2407 * For each supported cipher suite, run several receive tests:
2408 *
2409 * - a short test which sends 64 bytes of application data (likely as
2410 * a single TLS record)
2411 *
2412 * - a long test which sends 64KB of application data (split across
2413 * multiple TLS records)
2414 *
2415 * - a test with corrupted payload data in a single TLS record
2416 *
2417 * - a test with a corrupted MAC in a single TLS record
2418 *
2419 * - a test with a truncated TLS record
2420 *
2421 * - tests with invalid TLS major and minor versions
2422 *
2423 * - a tests with a record whose is one less than the smallest valid
2424 * size
2425 *
2426 * - a test with an oversized TLS record
2427 */
2428 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_TESTS);
2429 AES_GCM_TESTS(GEN_RECEIVE_TESTS);
2430 CHACHA20_TESTS(GEN_RECEIVE_TESTS);
2431
2432 #define GEN_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \
2433 key_size, auth_alg, minor) \
2434 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2435 auth_alg, minor, padding_1, 1, 0) \
2436 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2437 auth_alg, minor, padding_2, 2, 0) \
2438 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2439 auth_alg, minor, padding_3, 3, 0) \
2440 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2441 auth_alg, minor, padding_4, 4, 0) \
2442 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2443 auth_alg, minor, padding_5, 5, 0) \
2444 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2445 auth_alg, minor, padding_6, 6, 0) \
2446 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2447 auth_alg, minor, padding_7, 7, 0) \
2448 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2449 auth_alg, minor, padding_8, 8, 0) \
2450 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2451 auth_alg, minor, padding_9, 9, 0) \
2452 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2453 auth_alg, minor, padding_10, 10, 0) \
2454 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2455 auth_alg, minor, padding_11, 11, 0) \
2456 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2457 auth_alg, minor, padding_12, 12, 0) \
2458 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2459 auth_alg, minor, padding_13, 13, 0) \
2460 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2461 auth_alg, minor, padding_14, 14, 0) \
2462 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2463 auth_alg, minor, padding_15, 15, 0) \
2464 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2465 auth_alg, minor, padding_16, 16, 0) \
2466 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2467 auth_alg, minor, padding_16_extra, 16, 16) \
2468 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2469 auth_alg, minor, padding_32_extra, 16, 32)
2470
2471 #define ADD_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \
2472 key_size, auth_alg, minor) \
2473 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2474 auth_alg, minor, padding_1) \
2475 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2476 auth_alg, minor, padding_2) \
2477 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2478 auth_alg, minor, padding_3) \
2479 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2480 auth_alg, minor, padding_4) \
2481 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2482 auth_alg, minor, padding_5) \
2483 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2484 auth_alg, minor, padding_6) \
2485 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2486 auth_alg, minor, padding_7) \
2487 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2488 auth_alg, minor, padding_8) \
2489 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2490 auth_alg, minor, padding_9) \
2491 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2492 auth_alg, minor, padding_10) \
2493 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2494 auth_alg, minor, padding_11) \
2495 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2496 auth_alg, minor, padding_12) \
2497 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2498 auth_alg, minor, padding_13) \
2499 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2500 auth_alg, minor, padding_14) \
2501 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2502 auth_alg, minor, padding_15) \
2503 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2504 auth_alg, minor, padding_16) \
2505 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2506 auth_alg, minor, padding_16_extra) \
2507 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2508 auth_alg, minor, padding_32_extra)
2509
2510 #define GEN_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \
2511 auth_alg, minor, len) \
2512 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_padding); \
2513 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_padding, tc) \
2514 { \
2515 struct tls_enable en; \
2516 uint64_t seqno; \
2517 \
2518 ATF_REQUIRE_KTLS(); \
2519 seqno = random(); \
2520 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2521 seqno, &en); \
2522 test_ktls_receive_corrupted_padding(tc, &en, seqno, len); \
2523 free_tls_enable(&en); \
2524 }
2525
2526 #define ADD_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \
2527 auth_alg, minor) \
2528 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_padding);
2529
2530 #define GEN_RECEIVE_MTE_TESTS(cipher_name, cipher_alg, key_size, \
2531 auth_alg, minor) \
2532 GEN_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \
2533 key_size, auth_alg, minor) \
2534 GEN_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \
2535 auth_alg, minor, 64) \
2536 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2537 auth_alg, minor, non_block_size, \
2538 tls_minimum_record_payload(&en) + 1)
2539
2540 #define ADD_RECEIVE_MTE_TESTS(cipher_name, cipher_alg, key_size, \
2541 auth_alg, minor) \
2542 ADD_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \
2543 key_size, auth_alg, minor) \
2544 ADD_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \
2545 auth_alg, minor) \
2546 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2547 auth_alg, minor, non_block_size)
2548
2549 /*
2550 * For AES-CBC MTE cipher suites using padding, add tests of messages
2551 * with each possible padding size. Note that the padding_<N> tests
2552 * do not necessarily test <N> bytes of padding as the padding is a
2553 * function of the cipher suite's MAC length. However, cycling
2554 * through all of the payload sizes from 1 to 16 should exercise all
2555 * of the possible padding lengths for each suite.
2556 *
2557 * Two additional tests check for additional padding with an extra
2558 * 16 or 32 bytes beyond the normal padding.
2559 *
2560 * Another test checks for corrupted padding.
2561 *
2562 * Another test checks for a record whose payload is not a multiple of
2563 * the AES block size.
2564 */
2565 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_MTE_TESTS);
2566
2567 #define GEN_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \
2568 auth_alg, minor) \
2569 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_iv); \
2570 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_iv, tc) \
2571 { \
2572 struct tls_enable en; \
2573 uint64_t seqno; \
2574 \
2575 ATF_REQUIRE_KTLS(); \
2576 seqno = random(); \
2577 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2578 seqno, &en); \
2579 test_ktls_receive_corrupted_iv(tc, &en, seqno, 64); \
2580 free_tls_enable(&en); \
2581 }
2582
2583 #define ADD_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \
2584 auth_alg, minor) \
2585 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_iv);
2586
2587 #define GEN_RECEIVE_EXPLICIT_IV_TESTS(cipher_name, cipher_alg, \
2588 key_size, auth_alg, minor) \
2589 GEN_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \
2590 auth_alg, minor) \
2591 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2592 auth_alg, minor, short_header, \
2593 sizeof(struct tls_record_layer) + 1)
2594
2595 #define ADD_RECEIVE_EXPLICIT_IV_TESTS(cipher_name, cipher_alg, \
2596 key_size, auth_alg, minor) \
2597 ADD_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \
2598 auth_alg, minor) \
2599 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \
2600 auth_alg, minor, short_header)
2601
2602 /*
2603 * For cipher suites with an explicit IV, run a receive test where the
2604 * explicit IV has been corrupted. Also run a receive test that sends
2605 * a short record without a complete IV.
2606 */
2607 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_EXPLICIT_IV_TESTS);
2608 AES_GCM_12_TESTS(GEN_RECEIVE_EXPLICIT_IV_TESTS);
2609
2610 #define GEN_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \
2611 auth_alg, minor, len) \
2612 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_type); \
2613 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_type, tc) \
2614 { \
2615 struct tls_enable en; \
2616 uint64_t seqno; \
2617 \
2618 ATF_REQUIRE_KTLS(); \
2619 seqno = random(); \
2620 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2621 seqno, &en); \
2622 test_ktls_receive_bad_type(tc, &en, seqno, len); \
2623 free_tls_enable(&en); \
2624 }
2625
2626 #define ADD_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \
2627 auth_alg, minor) \
2628 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_type);
2629
2630 #define GEN_RECEIVE_TLS13_TESTS(cipher_name, cipher_alg, key_size, \
2631 auth_alg, minor) \
2632 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2633 auth_alg, minor, short_padded, 64, 16) \
2634 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2635 auth_alg, minor, long_padded, 64 * 1024, 15) \
2636 GEN_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \
2637 auth_alg, minor, 64)
2638
2639 #define ADD_RECEIVE_TLS13_TESTS(cipher_name, cipher_alg, key_size, \
2640 auth_alg, minor) \
2641 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2642 auth_alg, minor, short_padded) \
2643 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \
2644 auth_alg, minor, long_padded) \
2645 ADD_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \
2646 auth_alg, minor)
2647
2648 /*
2649 * For TLS 1.3 cipher suites, run two additional receive tests which
2650 * use add padding to each record. Also run a test that uses an
2651 * invalid "outer" record type.
2652 */
2653 TLS_13_TESTS(GEN_RECEIVE_TLS13_TESTS);
2654
2655 static void
test_ktls_invalid_receive_cipher_suite(const atf_tc_t * tc,struct tls_enable * en)2656 test_ktls_invalid_receive_cipher_suite(const atf_tc_t *tc,
2657 struct tls_enable *en)
2658 {
2659 int sockets[2];
2660
2661 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
2662
2663 ATF_REQUIRE_ERRNO(EINVAL, setsockopt(sockets[1], IPPROTO_TCP,
2664 TCP_RXTLS_ENABLE, en, sizeof(*en)) == -1);
2665
2666 close_sockets(sockets);
2667 }
2668
2669 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \
2670 minor) \
2671 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name); \
2672 ATF_TC_BODY(ktls_receive_invalid_##name, tc) \
2673 { \
2674 struct tls_enable en; \
2675 uint64_t seqno; \
2676 \
2677 ATF_REQUIRE_KTLS(); \
2678 seqno = random(); \
2679 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2680 seqno, &en); \
2681 test_ktls_invalid_receive_cipher_suite(tc, &en); \
2682 free_tls_enable(&en); \
2683 }
2684
2685 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \
2686 minor) \
2687 ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name);
2688
2689 /*
2690 * Ensure that invalid cipher suites are rejected for receive.
2691 */
2692 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST);
2693
2694 static void
test_ktls_unsupported_receive_cipher_suite(const atf_tc_t * tc,struct tls_enable * en)2695 test_ktls_unsupported_receive_cipher_suite(const atf_tc_t *tc,
2696 struct tls_enable *en)
2697 {
2698 int sockets[2];
2699
2700 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
2701
2702 ATF_REQUIRE_ERRNO(EPROTONOSUPPORT, setsockopt(sockets[1], IPPROTO_TCP,
2703 TCP_RXTLS_ENABLE, en, sizeof(*en)) == -1);
2704
2705 close_sockets(sockets);
2706 }
2707
2708 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \
2709 auth_alg, minor) \
2710 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name); \
2711 ATF_TC_BODY(ktls_receive_unsupported_##name, tc) \
2712 { \
2713 struct tls_enable en; \
2714 uint64_t seqno; \
2715 \
2716 ATF_REQUIRE_KTLS(); \
2717 seqno = random(); \
2718 build_tls_enable(tc, cipher_alg, key_size, auth_alg, minor, \
2719 seqno, &en); \
2720 test_ktls_unsupported_receive_cipher_suite(tc, &en); \
2721 free_tls_enable(&en); \
2722 }
2723
2724 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \
2725 auth_alg, minor) \
2726 ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name);
2727
2728 /*
2729 * Ensure that valid cipher suites not supported for receive are
2730 * rejected.
2731 */
2732 TLS_10_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST);
2733
2734 /*
2735 * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise
2736 * KTLS error handling in the socket layer.
2737 */
2738 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst);
ATF_TC_BODY(ktls_sendto_baddst,tc)2739 ATF_TC_BODY(ktls_sendto_baddst, tc)
2740 {
2741 char buf[32];
2742 struct sockaddr_in dst;
2743 struct tls_enable en;
2744 ssize_t n;
2745 int s;
2746
2747 ATF_REQUIRE_KTLS();
2748
2749 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
2750 ATF_REQUIRE(s >= 0);
2751
2752 build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
2753 TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
2754
2755 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en,
2756 sizeof(en)) == 0);
2757
2758 memset(&dst, 0, sizeof(dst));
2759 dst.sin_family = AF_INET;
2760 dst.sin_len = sizeof(dst);
2761 dst.sin_addr.s_addr = htonl(INADDR_BROADCAST);
2762 dst.sin_port = htons(12345);
2763
2764 memset(buf, 0, sizeof(buf));
2765 n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst,
2766 sizeof(dst));
2767
2768 /* Can't transmit to the broadcast address over TCP. */
2769 ATF_REQUIRE_ERRNO(EACCES, n == -1);
2770 ATF_REQUIRE(close(s) == 0);
2771 }
2772
2773 /*
2774 * Make sure that listen(2) returns an error for KTLS-enabled sockets, and
2775 * verify that an attempt to enable KTLS on a listening socket fails.
2776 */
2777 ATF_TC_WITHOUT_HEAD(ktls_listening_socket);
ATF_TC_BODY(ktls_listening_socket,tc)2778 ATF_TC_BODY(ktls_listening_socket, tc)
2779 {
2780 struct tls_enable en;
2781 struct sockaddr_in sin;
2782 int s;
2783
2784 ATF_REQUIRE_KTLS();
2785
2786 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
2787 ATF_REQUIRE(s >= 0);
2788 build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
2789 TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
2790 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en,
2791 sizeof(en)) == 0);
2792 ATF_REQUIRE_ERRNO(EINVAL, listen(s, 1) == -1);
2793 ATF_REQUIRE(close(s) == 0);
2794
2795 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
2796 ATF_REQUIRE(s >= 0);
2797 build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
2798 TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
2799 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_RXTLS_ENABLE, &en,
2800 sizeof(en)) == 0);
2801 ATF_REQUIRE_ERRNO(EINVAL, listen(s, 1) == -1);
2802 ATF_REQUIRE(close(s) == 0);
2803
2804 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
2805 ATF_REQUIRE(s >= 0);
2806 memset(&sin, 0, sizeof(sin));
2807 sin.sin_family = AF_INET;
2808 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
2809 ATF_REQUIRE(bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0);
2810 ATF_REQUIRE(listen(s, 1) == 0);
2811 build_tls_enable(tc, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
2812 TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
2813 ATF_REQUIRE_ERRNO(ENOTCONN,
2814 setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, sizeof(en)) != 0);
2815 ATF_REQUIRE_ERRNO(EINVAL,
2816 setsockopt(s, IPPROTO_TCP, TCP_RXTLS_ENABLE, &en, sizeof(en)) != 0);
2817 ATF_REQUIRE(close(s) == 0);
2818 }
2819
ATF_TP_ADD_TCS(tp)2820 ATF_TP_ADD_TCS(tp)
2821 {
2822 /* Transmit tests */
2823 AES_CBC_TESTS(ADD_TRANSMIT_TESTS);
2824 AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
2825 CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
2826 AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
2827 AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
2828 AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
2829 CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
2830 INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST);
2831
2832 /* Receive tests */
2833 TLS_10_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST);
2834 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_TESTS);
2835 AES_GCM_TESTS(ADD_RECEIVE_TESTS);
2836 CHACHA20_TESTS(ADD_RECEIVE_TESTS);
2837 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_MTE_TESTS);
2838 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_EXPLICIT_IV_TESTS);
2839 AES_GCM_12_TESTS(ADD_RECEIVE_EXPLICIT_IV_TESTS);
2840 TLS_13_TESTS(ADD_RECEIVE_TLS13_TESTS);
2841 INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST);
2842
2843 /* Miscellaneous */
2844 ATF_TP_ADD_TC(tp, ktls_sendto_baddst);
2845 ATF_TP_ADD_TC(tp, ktls_listening_socket);
2846
2847 return (atf_no_error());
2848 }
2849