1 /* This test is to cover nx_secure_tls_record_hash_*.c. */
2
3 #include "tx_api.h"
4 #include "nx_api.h"
5 #include "nx_tcp.h"
6 #include "nx_crypto_rsa.h"
7 #include "nx_secure_tls_api.h"
8 #include "tls_test_utility.h"
9
10 extern void test_control_return(UINT status);
11
12 #if !defined(NX_SECURE_TLS_CLIENT_DISABLED) && !defined(NX_SECURE_TLS_SERVER_DISABLED) && !defined(NX_SECURE_DISABLE_X509)
13 #define __LINUX__
14
15 /* Define the ThreadX and NetX object control blocks... */
16
17 static TX_THREAD ntest_0;
18 static TX_THREAD ntest_1;
19
20 static NX_PACKET_POOL pool_0;
21 static NX_PACKET_POOL pool_1;
22 static NX_IP ip_0;
23 static NX_IP ip_1;
24 static NX_TCP_SOCKET client_socket;
25 static NX_TCP_SOCKET server_socket;
26 static NX_SECURE_TLS_SESSION client_tls_session;
27 static NX_SECURE_TLS_SESSION server_tls_session;
28
29 static NX_SECURE_X509_CERT certificate;
30 static NX_SECURE_X509_CERT ica_certificate;
31 static NX_SECURE_X509_CERT client_certificate;
32 static NX_SECURE_X509_CERT remote_certificate, remote_issuer;
33 static NX_SECURE_X509_CERT client_remote_certificate, client_remote_issuer;
34 static NX_SECURE_X509_CERT trusted_certificate;
35
36 static UCHAR remote_cert_buffer[2000];
37 static UCHAR remote_issuer_buffer[2000];
38 static UCHAR client_remote_cert_buffer[2000];
39 static UCHAR client_remote_issuer_buffer[2000];
40
41 static UCHAR server_packet_buffer[4000];
42 static UCHAR client_packet_buffer[4000];
43
44 static CHAR server_crypto_metadata[16000];
45 static CHAR client_crypto_metadata[16000];
46
47 /* Test PKI (3-level). */
48 #include "test_ca_cert.c"
49 #include "tls_two_test_certs.c"
50 #define ca_cert_der test_ca_cert_der
51 #define ca_cert_der_len test_ca_cert_der_len
52
53 /* Cryptographic routines. */
54 extern NX_SECURE_TLS_CRYPTO nx_crypto_tls_ciphers;
55 extern NX_CRYPTO_METHOD crypto_method_hmac_sha256;
56 static NX_SECURE_TLS_CRYPTO tls_ciphers;
57 static NX_SECURE_TLS_CIPHERSUITE_INFO ciphersuite_table;
58 static NX_CRYPTO_METHOD test_hash;
59 #define TEST_COUNT 5
60
61 #define DEMO_STACK_SIZE 4096 // (3 * 1024 / sizeof(ULONG))
62
63 /* Define the IP thread's stack area. */
64 #define IP_STACK_SIZE 4096 //(2 * 1024 / sizeof(ULONG))
65
66 /* Define packet pool for the demonstration. */
67 #define NX_PACKET_POOL_BYTES ((1536 + sizeof(NX_PACKET)) * 20)
68 #define NX_PACKET_POOL_SIZE (NX_PACKET_POOL_BYTES/sizeof(ULONG) + 64 / sizeof(ULONG))
69
70 /* Define the ARP cache area. */
71 #define ARP_AREA_SIZE 1024 // (512 / sizeof(ULONG))
72
73 #define TOTAL_STACK_SPACE (2 * (DEMO_STACK_SIZE + IP_STACK_SIZE + NX_PACKET_POOL_SIZE + ARP_AREA_SIZE))
74
75 #ifndef __LINUX__
76 ULONG test_stack_area[TOTAL_STACK_SPACE + 2000];
77 #endif
78
79 static ULONG pool_area[2][NX_PACKET_POOL_SIZE];
80
81 /* Define thread prototypes. */
82
83 static void ntest_0_entry(ULONG thread_input);
84 static void ntest_1_entry(ULONG thread_input);
85 extern void _nx_ram_network_driver_1500(struct NX_IP_DRIVER_STRUCT *driver_req);
86
87 /* Define what the initial system looks like. */
88 #ifndef __LINUX__
tx_application_define(void * first_unused_memory)89 void tx_application_define(void *first_unused_memory)
90 #else
91 #ifdef CTEST
92 void test_application_define(void *first_unused_memory);
93 void test_application_define(void *first_unused_memory)
94 #else
95 void nx_secure_tls_hash_coverage_test_application_define(void *first_unused_memory)
96 #endif
97 #endif
98 {
99 CHAR *pointer;
100 UINT status;
101
102 /* Setup the working pointer. */
103 #ifndef __LINUX__
104 pointer = (CHAR*)test_stack_area;
105 #else
106 pointer = (CHAR *) first_unused_memory;
107 #endif
108
109 /* Create the main thread. */
110 tx_thread_create(&ntest_0, "thread 0", ntest_0_entry, 0,
111 pointer, DEMO_STACK_SIZE,
112 3, 3, TX_NO_TIME_SLICE, TX_AUTO_START);
113
114 pointer = pointer + DEMO_STACK_SIZE;
115
116 /* Create the main thread. */
117 tx_thread_create(&ntest_1, "thread 1", ntest_1_entry, 0,
118 pointer, DEMO_STACK_SIZE,
119 4, 4, TX_NO_TIME_SLICE, TX_AUTO_START);
120
121 pointer = pointer + DEMO_STACK_SIZE;
122
123 /* Initialize the NetX system. */
124 nx_system_initialize();
125
126 /* Create a packet pool. */
127 status = nx_packet_pool_create(&pool_0, "NetX Main Packet Pool", 1536, pool_area[0], sizeof(pool_area[0]));
128 EXPECT_EQ(NX_SUCCESS, status);
129
130 /* Create a packet pool. */
131 status = nx_packet_pool_create(&pool_1, "NetX Main Packet Pool", 1536, pool_area[1], sizeof(pool_area[1]));
132 EXPECT_EQ(NX_SUCCESS, status);
133
134 /* Create an IP instance. */
135 status = nx_ip_create(&ip_0, "NetX IP Instance 0", IP_ADDRESS(1, 2, 3, 4), 0xFFFFFF00UL, &pool_0, _nx_ram_network_driver_1500,
136 pointer, IP_STACK_SIZE, 1);
137 pointer = pointer + IP_STACK_SIZE;
138
139 /* Create another IP instance. */
140 status += nx_ip_create(&ip_1, "NetX IP Instance 1", IP_ADDRESS(1, 2, 3, 5), 0xFFFFFF00UL, &pool_1, _nx_ram_network_driver_1500,
141 pointer, IP_STACK_SIZE, 1);
142 pointer = pointer + IP_STACK_SIZE;
143 EXPECT_EQ(NX_SUCCESS, status);
144
145 /* Enable ARP and supply ARP cache memory for IP Instance 0. */
146 status = nx_arp_enable(&ip_0, (void *) pointer, ARP_AREA_SIZE);
147 pointer = pointer + ARP_AREA_SIZE;
148
149 /* Enable ARP and supply ARP cache memory for IP Instance 1. */
150 status += nx_arp_enable(&ip_1, (void *) pointer, ARP_AREA_SIZE);
151 pointer = pointer + ARP_AREA_SIZE;
152 EXPECT_EQ(NX_SUCCESS, status);
153
154 /* Enable TCP processing for both IP instances. */
155 status = nx_tcp_enable(&ip_0);
156 status += nx_tcp_enable(&ip_1);
157 EXPECT_EQ(NX_SUCCESS, status);
158
159 nx_secure_tls_initialize();
160 }
161
162 /* Define callbacks used by TLS. */
163 /* Include CRL associated with Verisign root CA (for AWS) for demo purposes. */
164 #include "test_ca.crl.der.c"
165
166 /* -----===== SERVER =====----- */
167
ntest_0_entry(ULONG thread_input)168 static void ntest_0_entry(ULONG thread_input)
169 {
170 UINT status, i;
171 ULONG actual_status;
172
173 /* Print out test information banner. */
174 printf("NetX Secure Test: TLS Hash Coverage Test.............................");
175
176 /* Ensure the IP instance has been initialized. */
177 status = nx_ip_status_check(&ip_0, NX_IP_INITIALIZE_DONE, &actual_status, NX_IP_PERIODIC_RATE);
178 EXPECT_EQ(NX_SUCCESS, status);
179
180 /* Create a socket. */
181 status = nx_tcp_socket_create(&ip_0, &server_socket, "Server Socket",
182 NX_IP_NORMAL, NX_FRAGMENT_OKAY, NX_IP_TIME_TO_LIVE * 100, 16*1024,
183 NX_NULL, NX_NULL);
184 EXPECT_EQ(NX_SUCCESS, status);
185
186 /* Create a TLS session for our socket. */
187 status = nx_secure_tls_session_create(&server_tls_session,
188 &nx_crypto_tls_ciphers,
189 server_crypto_metadata,
190 sizeof(server_crypto_metadata));
191 EXPECT_EQ(NX_SUCCESS, status);
192
193 /* Setup our packet reassembly buffer. */
194 nx_secure_tls_session_packet_buffer_set(&server_tls_session, server_packet_buffer, sizeof(server_packet_buffer));
195
196 /* Enable Client Certificate Verification. */
197 nx_secure_tls_session_client_verify_enable(&server_tls_session);
198
199 /* Initialize our certificate. */
200 nx_secure_x509_certificate_initialize(&certificate, test_device_cert_der, test_device_cert_der_len, NX_NULL, 0, test_device_cert_key_der, test_device_cert_key_der_len, NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);
201 nx_secure_tls_local_certificate_add(&server_tls_session, &certificate);
202
203 nx_secure_x509_certificate_initialize(&ica_certificate, ica_cert_der, ica_cert_der_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
204 nx_secure_tls_local_certificate_add(&server_tls_session, &ica_certificate);
205
206 /* If we are testing client certificate verify, allocate remote certificate space. */
207 nx_secure_tls_remote_certificate_allocate(&server_tls_session, &client_remote_certificate, client_remote_cert_buffer, sizeof(client_remote_cert_buffer));
208 nx_secure_tls_remote_certificate_allocate(&server_tls_session, &client_remote_issuer, client_remote_issuer_buffer, sizeof(client_remote_issuer_buffer));
209
210 /* Add a CA Certificate to our trusted store for verifying incoming client certificates. */
211 nx_secure_x509_certificate_initialize(&trusted_certificate, ca_cert_der, ca_cert_der_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
212 nx_secure_tls_trusted_certificate_add(&server_tls_session, &trusted_certificate);
213
214 /* Setup this thread to listen. */
215 status = nx_tcp_server_socket_listen(&ip_0, 12, &server_socket, 5, NX_NULL);
216 EXPECT_EQ(NX_SUCCESS, status);
217
218 for (i = 0; i < TEST_COUNT; i++)
219 {
220 status = nx_tcp_server_socket_accept(&server_socket, 5 * NX_IP_PERIODIC_RATE);
221 EXPECT_EQ(NX_SUCCESS, status);
222 tx_thread_suspend(&ntest_0);
223
224 status = nx_secure_tls_session_start(&server_tls_session, &server_socket, NX_IP_PERIODIC_RATE);
225 //EXPECT_EQ(NX_SUCCESS, status);
226 tx_thread_suspend(&ntest_0);
227
228 status = nx_secure_tls_session_end(&server_tls_session, NX_NO_WAIT);
229 status += nx_tcp_socket_disconnect(&server_socket, NX_WAIT_FOREVER);
230 status += nx_tcp_server_socket_unaccept(&server_socket);
231 status += nx_tcp_server_socket_relisten(&ip_0, 12, &server_socket);
232 EXPECT_EQ(NX_SUCCESS, status);
233 }
234
235 /* End the TLS session. This is required to properly shut down the TLS connection. */
236 status = nx_tcp_server_socket_unlisten(&ip_0, 12);
237 status += nx_secure_tls_session_delete(&server_tls_session);
238 status += nx_tcp_socket_delete(&server_socket);
239 EXPECT_EQ(NX_SUCCESS, status);
240
241 }
242
243 /* -----===== CLIENT =====----- */
244 static UINT test_op;
test_operation(UINT op,VOID * handle,struct NX_CRYPTO_METHOD_STRUCT * method,UCHAR * key,NX_CRYPTO_KEY_SIZE key_size_in_bits,UCHAR * input,ULONG input_length_in_byte,UCHAR * iv_ptr,UCHAR * output,ULONG output_length_in_byte,VOID * crypto_metadata,ULONG crypto_metadata_size,VOID * packet_ptr,VOID (* nx_crypto_hw_process_callback)(VOID * packet_ptr,UINT status))245 UINT test_operation(UINT op, VOID *handle, struct NX_CRYPTO_METHOD_STRUCT *method, UCHAR *key,
246 NX_CRYPTO_KEY_SIZE key_size_in_bits, UCHAR *input, ULONG input_length_in_byte,
247 UCHAR *iv_ptr, UCHAR *output, ULONG output_length_in_byte, VOID *crypto_metadata,
248 ULONG crypto_metadata_size, VOID *packet_ptr, VOID (*nx_crypto_hw_process_callback)(VOID *packet_ptr, UINT status))
249 {
250 if (op == test_op)
251 {
252 return(NX_CRYPTO_NOT_SUCCESSFUL);
253 }
254
255 return(NX_CRYPTO_SUCCESS);
256 }
ntest_1_entry(ULONG thread_input)257 static void ntest_1_entry(ULONG thread_input)
258 {
259 UINT status, i;
260 NX_PACKET *send_packet = NX_NULL;
261 UCHAR record_buffer[] = {0x17, 0x03, 0x03, 0x00, 0x80};
262 UCHAR record_hash[NX_SECURE_TLS_MAX_HASH_SIZE];
263 UINT hash_length = 0;
264
265 /* Create a socket. */
266 status = nx_tcp_socket_create(&ip_1, &client_socket, "Client Socket",
267 NX_IP_NORMAL, NX_FRAGMENT_OKAY, NX_IP_TIME_TO_LIVE * 100, 1024*16,
268 NX_NULL, NX_NULL);
269 EXPECT_EQ(NX_SUCCESS, status);
270
271 /* Bind the socket. */
272 status = nx_tcp_client_socket_bind(&client_socket, 12, NX_IP_PERIODIC_RATE);
273 EXPECT_EQ(NX_SUCCESS, status);
274
275 for (i = 0; i < TEST_COUNT; i++)
276 {
277
278 /* Initialize ciphersuites. */
279 memcpy(&tls_ciphers, &nx_crypto_tls_ciphers, sizeof(NX_SECURE_TLS_CRYPTO));
280 tls_ciphers.nx_secure_tls_ciphersuite_lookup_table = &ciphersuite_table;
281 tls_ciphers.nx_secure_tls_ciphersuite_lookup_table_size = 1;
282 memcpy(&ciphersuite_table,
283 &nx_crypto_tls_ciphers.nx_secure_tls_ciphersuite_lookup_table[1],
284 sizeof(NX_SECURE_TLS_CIPHERSUITE_INFO));
285
286 if (i == 0)
287 {
288 memcpy(&test_hash, &crypto_method_hmac_sha256, sizeof(NX_CRYPTO_METHOD));
289 test_hash.nx_crypto_algorithm = NX_CRYPTO_AUTHENTICATION_HMAC_SHA2_384;
290 ciphersuite_table.nx_secure_tls_hash = &test_hash;
291 }
292 else if (i == 1)
293 {
294 memcpy(&test_hash, &crypto_method_hmac_sha256, sizeof(NX_CRYPTO_METHOD));
295 test_hash.nx_crypto_operation = test_operation;
296 test_op = NX_CRYPTO_HASH_UPDATE;
297 ciphersuite_table.nx_secure_tls_hash = &test_hash;
298 }
299 else if (i == 2)
300 {
301 memcpy(&test_hash, &crypto_method_hmac_sha256, sizeof(NX_CRYPTO_METHOD));
302 test_hash.nx_crypto_operation = test_operation;
303 test_op = NX_CRYPTO_HASH_CALCULATE;
304 ciphersuite_table.nx_secure_tls_hash = &test_hash;
305 }
306 else if (i == 3)
307 {
308 memcpy(&test_hash, &crypto_method_hmac_sha256, sizeof(NX_CRYPTO_METHOD));
309 test_hash.nx_crypto_init = NX_NULL;
310 test_hash.nx_crypto_cleanup = NX_NULL;
311 ciphersuite_table.nx_secure_tls_hash = &test_hash;
312 }
313
314 /* Create a TLS session for our socket. */
315 status = nx_secure_tls_session_create(&client_tls_session,
316 &tls_ciphers,
317 client_crypto_metadata,
318 sizeof(client_crypto_metadata));
319 EXPECT_EQ(NX_SUCCESS, status);
320
321 /* Setup our packet reassembly buffer. */
322 nx_secure_tls_session_packet_buffer_set(&client_tls_session, client_packet_buffer, sizeof(client_packet_buffer));
323
324 /* Make sure client certificate verification is disabled. */
325 nx_secure_tls_session_client_verify_disable(&client_tls_session);
326
327 /* Need to allocate space for the certificate coming in from the remote host. */
328 nx_secure_tls_remote_certificate_allocate(&client_tls_session, &remote_certificate, remote_cert_buffer, sizeof(remote_cert_buffer));
329 nx_secure_tls_remote_certificate_allocate(&client_tls_session, &remote_issuer, remote_issuer_buffer, sizeof(remote_issuer_buffer));
330 nx_secure_x509_certificate_initialize(&client_certificate, test_device_cert_der, test_device_cert_der_len, NX_NULL, 0, test_device_cert_key_der, test_device_cert_key_der_len, NX_SECURE_X509_KEY_TYPE_RSA_PKCS1_DER);
331 nx_secure_tls_local_certificate_add(&client_tls_session, &client_certificate);
332
333 /* Add a CA Certificate to our trusted store for verifying incoming server certificates. */
334 nx_secure_x509_certificate_initialize(&trusted_certificate, ca_cert_der, ca_cert_der_len, NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
335 nx_secure_tls_trusted_certificate_add(&client_tls_session, &trusted_certificate);
336
337 status = nx_tcp_client_socket_connect(&client_socket, IP_ADDRESS(1, 2, 3, 4), 12, 5 * NX_IP_PERIODIC_RATE);
338 EXPECT_EQ(NX_SUCCESS, status);
339 tx_thread_sleep(10);
340 tx_thread_resume(&ntest_0);
341
342 status = nx_secure_tls_session_start(&client_tls_session, &client_socket, NX_IP_PERIODIC_RATE);
343
344 if (i == (TEST_COUNT - 1))
345 {
346 EXPECT_EQ(NX_SUCCESS, status);
347 status = _nx_secure_tls_record_hash_initialize(&client_tls_session, client_tls_session.nx_secure_tls_local_sequence_number,
348 record_buffer, sizeof(record_buffer), &hash_length, NX_NULL);
349 EXPECT_EQ(NX_CRYPTO_PTR_ERROR, status);
350 client_tls_session.nx_secure_tls_session_ciphersuite = NX_NULL;
351 status = _nx_secure_tls_record_hash_initialize(&client_tls_session, client_tls_session.nx_secure_tls_local_sequence_number,
352 record_buffer, sizeof(record_buffer), &hash_length, client_tls_session.nx_secure_tls_key_material.nx_secure_tls_client_write_mac_secret);
353 EXPECT_EQ(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE, status);
354 status = _nx_secure_tls_record_hash_update(&client_tls_session, record_hash, hash_length);
355 EXPECT_EQ(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE, status);
356 status = _nx_secure_tls_record_hash_calculate(&client_tls_session, record_hash, &hash_length);
357 EXPECT_EQ(NX_SECURE_TLS_UNKNOWN_CIPHERSUITE, status);
358 }
359
360 /* End session. */
361 tx_thread_sleep(NX_IP_PERIODIC_RATE);
362 tx_thread_resume(&ntest_0);
363 nx_secure_tls_session_end(&client_tls_session, NX_NO_WAIT);
364 nx_secure_tls_session_delete(&client_tls_session);
365 status = nx_tcp_socket_disconnect(&client_socket, NX_WAIT_FOREVER);
366 EXPECT_EQ(NX_SUCCESS, status);
367 }
368
369 /* Unbind the socket. */
370 status = nx_tcp_client_socket_unbind(&client_socket);
371 EXPECT_EQ(NX_SUCCESS, status);
372
373 /* Delete the socket. */
374 status = nx_tcp_socket_delete(&client_socket);
375 EXPECT_EQ(NX_SUCCESS, status);
376
377 printf("SUCCESS!\n");
378 test_control_return(0);
379 }
380
381 #else
382 #ifdef CTEST
383 void test_application_define(void *first_unused_memory);
test_application_define(void * first_unused_memory)384 void test_application_define(void *first_unused_memory)
385 #else
386 VOID nx_secure_tls_hash_coverage_test_application_define(void *first_unused_memory)
387 #endif
388 {
389
390 /* Print out test information banner. */
391 printf("NetX Secure Test: TLS Hash Coverage Test.............................N/A\n");
392 test_control_return(3);
393 }
394 #endif
395
