1/* BEGIN_HEADER */ 2#include <ssl_misc.h> 3#include <mbedtls/timing.h> 4#include <mbedtls/debug.h> 5#include <mbedtls/pk.h> 6#include <ssl_tls13_keys.h> 7#include <ssl_tls13_invasive.h> 8#include <test/ssl_helpers.h> 9 10#include <constant_time_internal.h> 11#include <test/constant_flow.h> 12 13#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 } 14 15/* Mnemonics for the early data test scenarios */ 16#define TEST_EARLY_DATA_ACCEPTED 0 17#define TEST_EARLY_DATA_NO_INDICATION_SENT 1 18#define TEST_EARLY_DATA_SERVER_REJECTS 2 19#define TEST_EARLY_DATA_HRR 3 20#define TEST_EARLY_DATA_SAME_ALPN 4 21#define TEST_EARLY_DATA_DIFF_ALPN 5 22#define TEST_EARLY_DATA_NO_INITIAL_ALPN 6 23#define TEST_EARLY_DATA_NO_LATER_ALPN 7 24 25#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ 26 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \ 27 defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \ 28 defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \ 29 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \ 30 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \ 31 defined(MBEDTLS_MD_CAN_SHA256) && \ 32 defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \ 33 defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS) 34/* 35 * Test function to write early data for negative tests where 36 * mbedtls_ssl_write_early_data() cannot be used. 37 */ 38static int write_early_data(mbedtls_ssl_context *ssl, 39 unsigned char *buf, size_t len) 40{ 41 int ret = mbedtls_ssl_get_max_out_record_payload(ssl); 42 43 TEST_ASSERT(ret > 0); 44 TEST_LE_U(len, (size_t) ret); 45 46 ret = mbedtls_ssl_flush_output(ssl); 47 TEST_EQUAL(ret, 0); 48 TEST_EQUAL(ssl->out_left, 0); 49 50 ssl->out_msglen = len; 51 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 52 if (len > 0) { 53 memcpy(ssl->out_msg, buf, len); 54 } 55 56 ret = mbedtls_ssl_write_record(ssl, 1); 57 TEST_EQUAL(ret, 0); 58 59 ret = len; 60 61exit: 62 return ret; 63} 64#endif 65 66/* END_HEADER */ 67 68/* BEGIN_DEPENDENCIES 69 * depends_on:MBEDTLS_SSL_TLS_C 70 * END_DEPENDENCIES 71 */ 72 73/* BEGIN_CASE */ 74void test_callback_buffer_sanity() 75{ 76 enum { MSGLEN = 10 }; 77 mbedtls_test_ssl_buffer buf; 78 mbedtls_test_ssl_buffer_init(&buf); 79 unsigned char input[MSGLEN]; 80 unsigned char output[MSGLEN]; 81 82 USE_PSA_INIT(); 83 memset(input, 0, sizeof(input)); 84 85 /* Make sure calling put and get on NULL buffer results in error. */ 86 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, input, sizeof(input)) 87 == -1); 88 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, output, sizeof(output)) 89 == -1); 90 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, sizeof(input)) 91 == -1); 92 93 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, 0) == -1); 94 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, NULL, 0) == -1); 95 96 /* Make sure calling put and get on a buffer that hasn't been set up results 97 * in error. */ 98 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input)) 99 == -1); 100 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output)) 101 == -1); 102 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input)) 103 == -1); 104 105 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == -1); 106 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == -1); 107 108 /* Make sure calling put and get on NULL input only results in 109 * error if the length is not zero, and that a NULL output is valid for data 110 * dropping. 111 */ 112 113 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, sizeof(input)) == 0); 114 115 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input)) 116 == -1); 117 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, sizeof(output)) 118 == 0); 119 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == 0); 120 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == 0); 121 122 /* Make sure calling put several times in the row is safe */ 123 124 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input)) 125 == sizeof(input)); 126 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, 2) == 2); 127 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 1) == 1); 128 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 1); 129 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 0); 130 131 132exit: 133 mbedtls_test_ssl_buffer_free(&buf); 134 USE_PSA_DONE(); 135} 136/* END_CASE */ 137 138/* 139 * Test if the implementation of `mbedtls_test_ssl_buffer` related functions is 140 * correct and works as expected. 141 * 142 * That is 143 * - If we try to put in \p put1 bytes then we can put in \p put1_ret bytes. 144 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes. 145 * - Next, if we try to put in \p put1 bytes then we can put in \p put1_ret 146 * bytes. 147 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes. 148 * - All of the bytes we got match the bytes we put in in a FIFO manner. 149 */ 150 151/* BEGIN_CASE */ 152void test_callback_buffer(int size, int put1, int put1_ret, 153 int get1, int get1_ret, int put2, int put2_ret, 154 int get2, int get2_ret) 155{ 156 enum { ROUNDS = 2 }; 157 size_t put[ROUNDS]; 158 int put_ret[ROUNDS]; 159 size_t get[ROUNDS]; 160 int get_ret[ROUNDS]; 161 mbedtls_test_ssl_buffer buf; 162 unsigned char *input = NULL; 163 size_t input_len; 164 unsigned char *output = NULL; 165 size_t output_len; 166 size_t i, j, written, read; 167 168 mbedtls_test_ssl_buffer_init(&buf); 169 USE_PSA_INIT(); 170 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, size) == 0); 171 172 /* Check the sanity of input parameters and initialise local variables. That 173 * is, ensure that the amount of data is not negative and that we are not 174 * expecting more to put or get than we actually asked for. */ 175 TEST_ASSERT(put1 >= 0); 176 put[0] = put1; 177 put_ret[0] = put1_ret; 178 TEST_ASSERT(put1_ret <= put1); 179 TEST_ASSERT(put2 >= 0); 180 put[1] = put2; 181 put_ret[1] = put2_ret; 182 TEST_ASSERT(put2_ret <= put2); 183 184 TEST_ASSERT(get1 >= 0); 185 get[0] = get1; 186 get_ret[0] = get1_ret; 187 TEST_ASSERT(get1_ret <= get1); 188 TEST_ASSERT(get2 >= 0); 189 get[1] = get2; 190 get_ret[1] = get2_ret; 191 TEST_ASSERT(get2_ret <= get2); 192 193 input_len = 0; 194 /* Calculate actual input and output lengths */ 195 for (j = 0; j < ROUNDS; j++) { 196 if (put_ret[j] > 0) { 197 input_len += put_ret[j]; 198 } 199 } 200 /* In order to always have a valid pointer we always allocate at least 1 201 * byte. */ 202 if (input_len == 0) { 203 input_len = 1; 204 } 205 TEST_CALLOC(input, input_len); 206 207 output_len = 0; 208 for (j = 0; j < ROUNDS; j++) { 209 if (get_ret[j] > 0) { 210 output_len += get_ret[j]; 211 } 212 } 213 TEST_ASSERT(output_len <= input_len); 214 /* In order to always have a valid pointer we always allocate at least 1 215 * byte. */ 216 if (output_len == 0) { 217 output_len = 1; 218 } 219 TEST_CALLOC(output, output_len); 220 221 /* Fill up the buffer with structured data so that unwanted changes 222 * can be detected */ 223 for (i = 0; i < input_len; i++) { 224 input[i] = i & 0xFF; 225 } 226 227 written = read = 0; 228 for (j = 0; j < ROUNDS; j++) { 229 TEST_ASSERT(put_ret[j] == mbedtls_test_ssl_buffer_put(&buf, 230 input + written, put[j])); 231 written += put_ret[j]; 232 TEST_ASSERT(get_ret[j] == mbedtls_test_ssl_buffer_get(&buf, 233 output + read, get[j])); 234 read += get_ret[j]; 235 TEST_ASSERT(read <= written); 236 if (get_ret[j] > 0) { 237 TEST_ASSERT(memcmp(output + read - get_ret[j], 238 input + read - get_ret[j], get_ret[j]) 239 == 0); 240 } 241 } 242 243exit: 244 mbedtls_free(input); 245 mbedtls_free(output); 246 mbedtls_test_ssl_buffer_free(&buf); 247 USE_PSA_DONE(); 248} 249/* END_CASE */ 250 251/* 252 * Test if the implementation of `mbedtls_test_mock_socket` related 253 * I/O functions is correct and works as expected on unconnected sockets. 254 */ 255 256/* BEGIN_CASE */ 257void ssl_mock_sanity() 258{ 259 enum { MSGLEN = 105 }; 260 unsigned char message[MSGLEN] = { 0 }; 261 unsigned char received[MSGLEN] = { 0 }; 262 mbedtls_test_mock_socket socket; 263 264 mbedtls_test_mock_socket_init(&socket); 265 USE_PSA_INIT(); 266 TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0); 267 mbedtls_test_mock_socket_close(&socket); 268 mbedtls_test_mock_socket_init(&socket); 269 TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0); 270 mbedtls_test_mock_socket_close(&socket); 271 272 mbedtls_test_mock_socket_init(&socket); 273 TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0); 274 mbedtls_test_mock_socket_close(&socket); 275 mbedtls_test_mock_socket_init(&socket); 276 TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0); 277 mbedtls_test_mock_socket_close(&socket); 278 279exit: 280 mbedtls_test_mock_socket_close(&socket); 281 USE_PSA_DONE(); 282} 283/* END_CASE */ 284 285/* 286 * Test if the implementation of `mbedtls_test_mock_socket` related functions 287 * can send a single message from the client to the server. 288 */ 289 290/* BEGIN_CASE */ 291void ssl_mock_tcp(int blocking) 292{ 293 enum { MSGLEN = 105 }; 294 enum { BUFLEN = MSGLEN / 5 }; 295 unsigned char message[MSGLEN]; 296 unsigned char received[MSGLEN]; 297 mbedtls_test_mock_socket client; 298 mbedtls_test_mock_socket server; 299 size_t written, read; 300 int send_ret, recv_ret; 301 mbedtls_ssl_send_t *send; 302 mbedtls_ssl_recv_t *recv; 303 unsigned i; 304 305 if (blocking == 0) { 306 send = mbedtls_test_mock_tcp_send_nb; 307 recv = mbedtls_test_mock_tcp_recv_nb; 308 } else { 309 send = mbedtls_test_mock_tcp_send_b; 310 recv = mbedtls_test_mock_tcp_recv_b; 311 } 312 313 mbedtls_test_mock_socket_init(&client); 314 mbedtls_test_mock_socket_init(&server); 315 USE_PSA_INIT(); 316 317 /* Fill up the buffer with structured data so that unwanted changes 318 * can be detected */ 319 for (i = 0; i < MSGLEN; i++) { 320 message[i] = i & 0xFF; 321 } 322 323 /* Make sure that sending a message takes a few iterations. */ 324 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 325 BUFLEN)); 326 327 /* Send the message to the server */ 328 send_ret = recv_ret = 1; 329 written = read = 0; 330 while (send_ret != 0 || recv_ret != 0) { 331 send_ret = send(&client, message + written, MSGLEN - written); 332 333 TEST_ASSERT(send_ret >= 0); 334 TEST_ASSERT(send_ret <= BUFLEN); 335 written += send_ret; 336 337 /* If the buffer is full we can test blocking and non-blocking send */ 338 if (send_ret == BUFLEN) { 339 int blocking_ret = send(&client, message, 1); 340 if (blocking) { 341 TEST_ASSERT(blocking_ret == 0); 342 } else { 343 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE); 344 } 345 } 346 347 recv_ret = recv(&server, received + read, MSGLEN - read); 348 349 /* The result depends on whether any data was sent */ 350 if (send_ret > 0) { 351 TEST_ASSERT(recv_ret > 0); 352 TEST_ASSERT(recv_ret <= BUFLEN); 353 read += recv_ret; 354 } else if (blocking) { 355 TEST_ASSERT(recv_ret == 0); 356 } else { 357 TEST_ASSERT(recv_ret == MBEDTLS_ERR_SSL_WANT_READ); 358 recv_ret = 0; 359 } 360 361 /* If the buffer is empty we can test blocking and non-blocking read */ 362 if (recv_ret == BUFLEN) { 363 int blocking_ret = recv(&server, received, 1); 364 if (blocking) { 365 TEST_ASSERT(blocking_ret == 0); 366 } else { 367 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ); 368 } 369 } 370 } 371 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 372 373exit: 374 mbedtls_test_mock_socket_close(&client); 375 mbedtls_test_mock_socket_close(&server); 376 USE_PSA_DONE(); 377} 378/* END_CASE */ 379 380/* 381 * Test if the implementation of `mbedtls_test_mock_socket` related functions 382 * can send messages in both direction at the same time (with the I/O calls 383 * interleaving). 384 */ 385 386/* BEGIN_CASE */ 387void ssl_mock_tcp_interleaving(int blocking) 388{ 389 enum { ROUNDS = 2 }; 390 enum { MSGLEN = 105 }; 391 enum { BUFLEN = MSGLEN / 5 }; 392 unsigned char message[ROUNDS][MSGLEN]; 393 unsigned char received[ROUNDS][MSGLEN]; 394 mbedtls_test_mock_socket client; 395 mbedtls_test_mock_socket server; 396 size_t written[ROUNDS]; 397 size_t read[ROUNDS]; 398 int send_ret[ROUNDS]; 399 int recv_ret[ROUNDS]; 400 unsigned i, j, progress; 401 mbedtls_ssl_send_t *send; 402 mbedtls_ssl_recv_t *recv; 403 404 if (blocking == 0) { 405 send = mbedtls_test_mock_tcp_send_nb; 406 recv = mbedtls_test_mock_tcp_recv_nb; 407 } else { 408 send = mbedtls_test_mock_tcp_send_b; 409 recv = mbedtls_test_mock_tcp_recv_b; 410 } 411 412 mbedtls_test_mock_socket_init(&client); 413 mbedtls_test_mock_socket_init(&server); 414 USE_PSA_INIT(); 415 416 /* Fill up the buffers with structured data so that unwanted changes 417 * can be detected */ 418 for (i = 0; i < ROUNDS; i++) { 419 for (j = 0; j < MSGLEN; j++) { 420 message[i][j] = (i * MSGLEN + j) & 0xFF; 421 } 422 } 423 424 /* Make sure that sending a message takes a few iterations. */ 425 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 426 BUFLEN)); 427 428 /* Send the message from both sides, interleaving. */ 429 progress = 1; 430 for (i = 0; i < ROUNDS; i++) { 431 written[i] = 0; 432 read[i] = 0; 433 } 434 /* This loop does not stop as long as there was a successful write or read 435 * of at least one byte on either side. */ 436 while (progress != 0) { 437 mbedtls_test_mock_socket *socket; 438 439 for (i = 0; i < ROUNDS; i++) { 440 /* First sending is from the client */ 441 socket = (i % 2 == 0) ? (&client) : (&server); 442 443 send_ret[i] = send(socket, message[i] + written[i], 444 MSGLEN - written[i]); 445 TEST_ASSERT(send_ret[i] >= 0); 446 TEST_ASSERT(send_ret[i] <= BUFLEN); 447 written[i] += send_ret[i]; 448 449 /* If the buffer is full we can test blocking and non-blocking 450 * send */ 451 if (send_ret[i] == BUFLEN) { 452 int blocking_ret = send(socket, message[i], 1); 453 if (blocking) { 454 TEST_ASSERT(blocking_ret == 0); 455 } else { 456 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE); 457 } 458 } 459 } 460 461 for (i = 0; i < ROUNDS; i++) { 462 /* First receiving is from the server */ 463 socket = (i % 2 == 0) ? (&server) : (&client); 464 465 recv_ret[i] = recv(socket, received[i] + read[i], 466 MSGLEN - read[i]); 467 468 /* The result depends on whether any data was sent */ 469 if (send_ret[i] > 0) { 470 TEST_ASSERT(recv_ret[i] > 0); 471 TEST_ASSERT(recv_ret[i] <= BUFLEN); 472 read[i] += recv_ret[i]; 473 } else if (blocking) { 474 TEST_ASSERT(recv_ret[i] == 0); 475 } else { 476 TEST_ASSERT(recv_ret[i] == MBEDTLS_ERR_SSL_WANT_READ); 477 recv_ret[i] = 0; 478 } 479 480 /* If the buffer is empty we can test blocking and non-blocking 481 * read */ 482 if (recv_ret[i] == BUFLEN) { 483 int blocking_ret = recv(socket, received[i], 1); 484 if (blocking) { 485 TEST_ASSERT(blocking_ret == 0); 486 } else { 487 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ); 488 } 489 } 490 } 491 492 progress = 0; 493 for (i = 0; i < ROUNDS; i++) { 494 progress += send_ret[i] + recv_ret[i]; 495 } 496 } 497 498 for (i = 0; i < ROUNDS; i++) { 499 TEST_ASSERT(memcmp(message[i], received[i], MSGLEN) == 0); 500 } 501 502exit: 503 mbedtls_test_mock_socket_close(&client); 504 mbedtls_test_mock_socket_close(&server); 505 USE_PSA_DONE(); 506} 507/* END_CASE */ 508 509/* BEGIN_CASE */ 510void ssl_message_queue_sanity() 511{ 512 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 513 514 USE_PSA_INIT(); 515 /* Trying to push/pull to an empty queue */ 516 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(NULL, 1) 517 == MBEDTLS_TEST_ERROR_ARG_NULL); 518 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(NULL, 1) 519 == MBEDTLS_TEST_ERROR_ARG_NULL); 520 521 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 522 TEST_ASSERT(queue.capacity == 3); 523 TEST_ASSERT(queue.num == 0); 524 525exit: 526 mbedtls_test_ssl_message_queue_free(&queue); 527 USE_PSA_DONE(); 528} 529/* END_CASE */ 530 531/* BEGIN_CASE */ 532void ssl_message_queue_basic() 533{ 534 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 535 536 USE_PSA_INIT(); 537 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 538 539 /* Sanity test - 3 pushes and 3 pops with sufficient space */ 540 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 541 TEST_ASSERT(queue.capacity == 3); 542 TEST_ASSERT(queue.num == 1); 543 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 544 TEST_ASSERT(queue.capacity == 3); 545 TEST_ASSERT(queue.num == 2); 546 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 547 TEST_ASSERT(queue.capacity == 3); 548 TEST_ASSERT(queue.num == 3); 549 550 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 551 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 552 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 553 554exit: 555 mbedtls_test_ssl_message_queue_free(&queue); 556 USE_PSA_DONE(); 557} 558/* END_CASE */ 559 560/* BEGIN_CASE */ 561void ssl_message_queue_overflow_underflow() 562{ 563 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 564 565 USE_PSA_INIT(); 566 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 567 568 /* 4 pushes (last one with an error), 4 pops (last one with an error) */ 569 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 570 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 571 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 572 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) 573 == MBEDTLS_ERR_SSL_WANT_WRITE); 574 575 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 576 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 577 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 578 579 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) 580 == MBEDTLS_ERR_SSL_WANT_READ); 581 582exit: 583 mbedtls_test_ssl_message_queue_free(&queue); 584 USE_PSA_DONE(); 585} 586/* END_CASE */ 587 588/* BEGIN_CASE */ 589void ssl_message_queue_interleaved() 590{ 591 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 592 593 USE_PSA_INIT(); 594 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0); 595 596 /* Interleaved test - [2 pushes, 1 pop] twice, and then two pops 597 * (to wrap around the buffer) */ 598 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 599 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1); 600 601 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 602 603 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2); 604 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) == 3); 605 606 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1); 607 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2); 608 609 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 5) == 5); 610 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 8) == 8); 611 612 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 3) == 3); 613 614 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 5) == 5); 615 616 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 8) == 8); 617 618exit: 619 mbedtls_test_ssl_message_queue_free(&queue); 620 USE_PSA_DONE(); 621} 622/* END_CASE */ 623 624/* BEGIN_CASE */ 625void ssl_message_queue_insufficient_buffer() 626{ 627 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT; 628 size_t message_len = 10; 629 size_t buffer_len = 5; 630 631 USE_PSA_INIT(); 632 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 1) == 0); 633 634 /* Popping without a sufficient buffer */ 635 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, message_len) 636 == (int) message_len); 637 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, buffer_len) 638 == (int) buffer_len); 639exit: 640 mbedtls_test_ssl_message_queue_free(&queue); 641 USE_PSA_DONE(); 642} 643/* END_CASE */ 644 645/* BEGIN_CASE */ 646void ssl_message_mock_uninitialized() 647{ 648 enum { MSGLEN = 10 }; 649 unsigned char message[MSGLEN] = { 0 }, received[MSGLEN]; 650 mbedtls_test_mock_socket client, server; 651 mbedtls_test_ssl_message_queue server_queue, client_queue; 652 mbedtls_test_message_socket_context server_context, client_context; 653 mbedtls_test_message_socket_init(&server_context); 654 mbedtls_test_message_socket_init(&client_context); 655 656 USE_PSA_INIT(); 657 /* Send with a NULL context */ 658 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(NULL, message, MSGLEN) 659 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR); 660 661 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(NULL, message, MSGLEN) 662 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR); 663 664 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 665 &client_queue, 1, 666 &server, 667 &server_context) == 0); 668 669 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 670 &server_queue, 1, 671 &client, 672 &client_context) == 0); 673 674 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 675 MSGLEN) 676 == MBEDTLS_TEST_ERROR_SEND_FAILED); 677 678 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 679 MSGLEN) 680 == MBEDTLS_ERR_SSL_WANT_READ); 681 682 /* Push directly to a queue to later simulate a disconnected behavior */ 683 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&server_queue, 684 MSGLEN) 685 == MSGLEN); 686 687 /* Test if there's an error when trying to read from a disconnected 688 * socket */ 689 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 690 MSGLEN) 691 == MBEDTLS_TEST_ERROR_RECV_FAILED); 692exit: 693 mbedtls_test_message_socket_close(&server_context); 694 mbedtls_test_message_socket_close(&client_context); 695 USE_PSA_DONE(); 696} 697/* END_CASE */ 698 699/* BEGIN_CASE */ 700void ssl_message_mock_basic() 701{ 702 enum { MSGLEN = 10 }; 703 unsigned char message[MSGLEN], received[MSGLEN]; 704 mbedtls_test_mock_socket client, server; 705 unsigned i; 706 mbedtls_test_ssl_message_queue server_queue, client_queue; 707 mbedtls_test_message_socket_context server_context, client_context; 708 709 mbedtls_test_message_socket_init(&server_context); 710 mbedtls_test_message_socket_init(&client_context); 711 USE_PSA_INIT(); 712 713 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 714 &client_queue, 1, 715 &server, 716 &server_context) == 0); 717 718 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 719 &server_queue, 1, 720 &client, 721 &client_context) == 0); 722 723 /* Fill up the buffer with structured data so that unwanted changes 724 * can be detected */ 725 for (i = 0; i < MSGLEN; i++) { 726 message[i] = i & 0xFF; 727 } 728 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 729 MSGLEN)); 730 731 /* Send the message to the server */ 732 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 733 MSGLEN) == MSGLEN); 734 735 /* Read from the server */ 736 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 737 MSGLEN) 738 == MSGLEN); 739 740 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 741 memset(received, 0, MSGLEN); 742 743 /* Send the message to the client */ 744 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 745 MSGLEN) 746 == MSGLEN); 747 748 /* Read from the client */ 749 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 750 MSGLEN) 751 == MSGLEN); 752 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 753 754exit: 755 mbedtls_test_message_socket_close(&server_context); 756 mbedtls_test_message_socket_close(&client_context); 757 USE_PSA_DONE(); 758} 759/* END_CASE */ 760 761/* BEGIN_CASE */ 762void ssl_message_mock_queue_overflow_underflow() 763{ 764 enum { MSGLEN = 10 }; 765 unsigned char message[MSGLEN], received[MSGLEN]; 766 mbedtls_test_mock_socket client, server; 767 unsigned i; 768 mbedtls_test_ssl_message_queue server_queue, client_queue; 769 mbedtls_test_message_socket_context server_context, client_context; 770 771 mbedtls_test_message_socket_init(&server_context); 772 mbedtls_test_message_socket_init(&client_context); 773 USE_PSA_INIT(); 774 775 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 776 &client_queue, 2, 777 &server, 778 &server_context) == 0); 779 780 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 781 &server_queue, 2, 782 &client, 783 &client_context) == 0); 784 785 /* Fill up the buffer with structured data so that unwanted changes 786 * can be detected */ 787 for (i = 0; i < MSGLEN; i++) { 788 message[i] = i & 0xFF; 789 } 790 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 791 MSGLEN*2)); 792 793 /* Send three message to the server, last one with an error */ 794 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 795 MSGLEN - 1) 796 == MSGLEN - 1); 797 798 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 799 MSGLEN) 800 == MSGLEN); 801 802 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 803 MSGLEN) 804 == MBEDTLS_ERR_SSL_WANT_WRITE); 805 806 /* Read three messages from the server, last one with an error */ 807 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 808 MSGLEN - 1) 809 == MSGLEN - 1); 810 811 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 812 MSGLEN) 813 == MSGLEN); 814 815 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 816 817 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 818 MSGLEN) 819 == MBEDTLS_ERR_SSL_WANT_READ); 820 821exit: 822 mbedtls_test_message_socket_close(&server_context); 823 mbedtls_test_message_socket_close(&client_context); 824 USE_PSA_DONE(); 825} 826/* END_CASE */ 827 828/* BEGIN_CASE */ 829void ssl_message_mock_socket_overflow() 830{ 831 enum { MSGLEN = 10 }; 832 unsigned char message[MSGLEN], received[MSGLEN]; 833 mbedtls_test_mock_socket client, server; 834 unsigned i; 835 mbedtls_test_ssl_message_queue server_queue, client_queue; 836 mbedtls_test_message_socket_context server_context, client_context; 837 838 mbedtls_test_message_socket_init(&server_context); 839 mbedtls_test_message_socket_init(&client_context); 840 USE_PSA_INIT(); 841 842 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 843 &client_queue, 2, 844 &server, 845 &server_context) == 0); 846 847 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 848 &server_queue, 2, 849 &client, 850 &client_context) == 0); 851 852 /* Fill up the buffer with structured data so that unwanted changes 853 * can be detected */ 854 for (i = 0; i < MSGLEN; i++) { 855 message[i] = i & 0xFF; 856 } 857 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 858 MSGLEN)); 859 860 /* Send two message to the server, second one with an error */ 861 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 862 MSGLEN) 863 == MSGLEN); 864 865 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 866 MSGLEN) 867 == MBEDTLS_TEST_ERROR_SEND_FAILED); 868 869 /* Read the only message from the server */ 870 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 871 MSGLEN) 872 == MSGLEN); 873 874 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 875 876exit: 877 mbedtls_test_message_socket_close(&server_context); 878 mbedtls_test_message_socket_close(&client_context); 879 USE_PSA_DONE(); 880} 881/* END_CASE */ 882 883/* BEGIN_CASE */ 884void ssl_message_mock_truncated() 885{ 886 enum { MSGLEN = 10 }; 887 unsigned char message[MSGLEN], received[MSGLEN]; 888 mbedtls_test_mock_socket client, server; 889 unsigned i; 890 mbedtls_test_ssl_message_queue server_queue, client_queue; 891 mbedtls_test_message_socket_context server_context, client_context; 892 893 mbedtls_test_message_socket_init(&server_context); 894 mbedtls_test_message_socket_init(&client_context); 895 USE_PSA_INIT(); 896 897 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 898 &client_queue, 2, 899 &server, 900 &server_context) == 0); 901 902 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 903 &server_queue, 2, 904 &client, 905 &client_context) == 0); 906 907 memset(received, 0, MSGLEN); 908 /* Fill up the buffer with structured data so that unwanted changes 909 * can be detected */ 910 for (i = 0; i < MSGLEN; i++) { 911 message[i] = i & 0xFF; 912 } 913 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 914 2 * MSGLEN)); 915 916 /* Send two messages to the server, the second one small enough to fit in the 917 * receiver's buffer. */ 918 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 919 MSGLEN) 920 == MSGLEN); 921 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 922 MSGLEN / 2) 923 == MSGLEN / 2); 924 /* Read a truncated message from the server */ 925 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 926 MSGLEN/2) 927 == MSGLEN/2); 928 929 /* Test that the first half of the message is valid, and second one isn't */ 930 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0); 931 TEST_ASSERT(memcmp(message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2) 932 != 0); 933 memset(received, 0, MSGLEN); 934 935 /* Read a full message from the server */ 936 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 937 MSGLEN/2) 938 == MSGLEN / 2); 939 940 /* Test that the first half of the message is valid */ 941 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0); 942 943exit: 944 mbedtls_test_message_socket_close(&server_context); 945 mbedtls_test_message_socket_close(&client_context); 946 USE_PSA_DONE(); 947} 948/* END_CASE */ 949 950/* BEGIN_CASE */ 951void ssl_message_mock_socket_read_error() 952{ 953 enum { MSGLEN = 10 }; 954 unsigned char message[MSGLEN], received[MSGLEN]; 955 mbedtls_test_mock_socket client, server; 956 unsigned i; 957 mbedtls_test_ssl_message_queue server_queue, client_queue; 958 mbedtls_test_message_socket_context server_context, client_context; 959 960 mbedtls_test_message_socket_init(&server_context); 961 mbedtls_test_message_socket_init(&client_context); 962 USE_PSA_INIT(); 963 964 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 965 &client_queue, 1, 966 &server, 967 &server_context) == 0); 968 969 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 970 &server_queue, 1, 971 &client, 972 &client_context) == 0); 973 974 /* Fill up the buffer with structured data so that unwanted changes 975 * can be detected */ 976 for (i = 0; i < MSGLEN; i++) { 977 message[i] = i & 0xFF; 978 } 979 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 980 MSGLEN)); 981 982 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 983 MSGLEN) 984 == MSGLEN); 985 986 /* Force a read error by disconnecting the socket by hand */ 987 server.status = 0; 988 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 989 MSGLEN) 990 == MBEDTLS_TEST_ERROR_RECV_FAILED); 991 /* Return to a valid state */ 992 server.status = MBEDTLS_MOCK_SOCKET_CONNECTED; 993 994 memset(received, 0, sizeof(received)); 995 996 /* Test that even though the server tried to read once disconnected, the 997 * continuity is preserved */ 998 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 999 MSGLEN) 1000 == MSGLEN); 1001 1002 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1003 1004exit: 1005 mbedtls_test_message_socket_close(&server_context); 1006 mbedtls_test_message_socket_close(&client_context); 1007 USE_PSA_DONE(); 1008} 1009/* END_CASE */ 1010 1011/* BEGIN_CASE */ 1012void ssl_message_mock_interleaved_one_way() 1013{ 1014 enum { MSGLEN = 10 }; 1015 unsigned char message[MSGLEN], received[MSGLEN]; 1016 mbedtls_test_mock_socket client, server; 1017 unsigned i; 1018 mbedtls_test_ssl_message_queue server_queue, client_queue; 1019 mbedtls_test_message_socket_context server_context, client_context; 1020 1021 mbedtls_test_message_socket_init(&server_context); 1022 mbedtls_test_message_socket_init(&client_context); 1023 USE_PSA_INIT(); 1024 1025 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1026 &client_queue, 3, 1027 &server, 1028 &server_context) == 0); 1029 1030 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1031 &server_queue, 3, 1032 &client, 1033 &client_context) == 0); 1034 1035 /* Fill up the buffer with structured data so that unwanted changes 1036 * can be detected */ 1037 for (i = 0; i < MSGLEN; i++) { 1038 message[i] = i & 0xFF; 1039 } 1040 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1041 MSGLEN*3)); 1042 1043 /* Interleaved test - [2 sends, 1 read] twice, and then two reads 1044 * (to wrap around the buffer) */ 1045 for (i = 0; i < 2; i++) { 1046 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1047 MSGLEN) == MSGLEN); 1048 1049 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1050 MSGLEN) == MSGLEN); 1051 1052 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1053 MSGLEN) == MSGLEN); 1054 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1055 memset(received, 0, sizeof(received)); 1056 } 1057 1058 for (i = 0; i < 2; i++) { 1059 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1060 MSGLEN) == MSGLEN); 1061 1062 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1063 } 1064 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1065 MSGLEN) 1066 == MBEDTLS_ERR_SSL_WANT_READ); 1067exit: 1068 mbedtls_test_message_socket_close(&server_context); 1069 mbedtls_test_message_socket_close(&client_context); 1070 USE_PSA_DONE(); 1071} 1072/* END_CASE */ 1073 1074/* BEGIN_CASE */ 1075void ssl_message_mock_interleaved_two_ways() 1076{ 1077 enum { MSGLEN = 10 }; 1078 unsigned char message[MSGLEN], received[MSGLEN]; 1079 mbedtls_test_mock_socket client, server; 1080 unsigned i; 1081 mbedtls_test_ssl_message_queue server_queue, client_queue; 1082 mbedtls_test_message_socket_context server_context, client_context; 1083 1084 mbedtls_test_message_socket_init(&server_context); 1085 mbedtls_test_message_socket_init(&client_context); 1086 USE_PSA_INIT(); 1087 1088 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue, 1089 &client_queue, 3, 1090 &server, 1091 &server_context) == 0); 1092 1093 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue, 1094 &server_queue, 3, 1095 &client, 1096 &client_context) == 0); 1097 1098 /* Fill up the buffer with structured data so that unwanted changes 1099 * can be detected */ 1100 for (i = 0; i < MSGLEN; i++) { 1101 message[i] = i & 0xFF; 1102 } 1103 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server, 1104 MSGLEN*3)); 1105 1106 /* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads 1107 * (to wrap around the buffer) both ways. */ 1108 for (i = 0; i < 2; i++) { 1109 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1110 MSGLEN) == MSGLEN); 1111 1112 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message, 1113 MSGLEN) == MSGLEN); 1114 1115 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 1116 MSGLEN) == MSGLEN); 1117 1118 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message, 1119 MSGLEN) == MSGLEN); 1120 1121 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1122 MSGLEN) == MSGLEN); 1123 1124 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1125 1126 memset(received, 0, sizeof(received)); 1127 1128 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1129 MSGLEN) == MSGLEN); 1130 1131 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1132 1133 memset(received, 0, sizeof(received)); 1134 } 1135 1136 for (i = 0; i < 2; i++) { 1137 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1138 MSGLEN) == MSGLEN); 1139 1140 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1141 memset(received, 0, sizeof(received)); 1142 1143 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1144 MSGLEN) == MSGLEN); 1145 1146 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0); 1147 memset(received, 0, sizeof(received)); 1148 } 1149 1150 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received, 1151 MSGLEN) 1152 == MBEDTLS_ERR_SSL_WANT_READ); 1153 1154 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received, 1155 MSGLEN) 1156 == MBEDTLS_ERR_SSL_WANT_READ); 1157exit: 1158 mbedtls_test_message_socket_close(&server_context); 1159 mbedtls_test_message_socket_close(&client_context); 1160 USE_PSA_DONE(); 1161} 1162/* END_CASE */ 1163 1164/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 1165void ssl_dtls_replay(data_t *prevs, data_t *new, int ret) 1166{ 1167 uint32_t len = 0; 1168 mbedtls_ssl_context ssl; 1169 mbedtls_ssl_config conf; 1170 1171 mbedtls_ssl_init(&ssl); 1172 mbedtls_ssl_config_init(&conf); 1173 MD_OR_USE_PSA_INIT(); 1174 1175 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 1176 MBEDTLS_SSL_IS_CLIENT, 1177 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 1178 MBEDTLS_SSL_PRESET_DEFAULT) == 0); 1179 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 1180 1181 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 1182 1183 /* Read previous record numbers */ 1184 for (len = 0; len < prevs->len; len += 6) { 1185 memcpy(ssl.in_ctr + 2, prevs->x + len, 6); 1186 mbedtls_ssl_dtls_replay_update(&ssl); 1187 } 1188 1189 /* Check new number */ 1190 memcpy(ssl.in_ctr + 2, new->x, 6); 1191 TEST_ASSERT(mbedtls_ssl_dtls_replay_check(&ssl) == ret); 1192 1193exit: 1194 mbedtls_ssl_free(&ssl); 1195 mbedtls_ssl_config_free(&conf); 1196 MD_OR_USE_PSA_DONE(); 1197} 1198/* END_CASE */ 1199 1200/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1201void ssl_set_hostname_twice(char *input_hostname0, char *input_hostname1) 1202{ 1203 const char *output_hostname; 1204 mbedtls_ssl_context ssl; 1205 1206 mbedtls_ssl_init(&ssl); 1207 USE_PSA_INIT(); 1208 1209 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname0) == 0); 1210 output_hostname = mbedtls_ssl_get_hostname(&ssl); 1211 TEST_ASSERT(strcmp(input_hostname0, output_hostname) == 0); 1212 1213 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname1) == 0); 1214 output_hostname = mbedtls_ssl_get_hostname(&ssl); 1215 TEST_ASSERT(strcmp(input_hostname1, output_hostname) == 0); 1216 1217exit: 1218 mbedtls_ssl_free(&ssl); 1219 USE_PSA_DONE(); 1220} 1221/* END_CASE */ 1222 1223/* BEGIN_CASE */ 1224void ssl_crypt_record(int cipher_type, int hash_id, 1225 int etm, int tag_mode, int ver, 1226 int cid0_len, int cid1_len) 1227{ 1228 /* 1229 * Test several record encryptions and decryptions 1230 * with plenty of space before and after the data 1231 * within the record buffer. 1232 */ 1233 1234 int ret; 1235 int num_records = 16; 1236 mbedtls_ssl_context ssl; /* ONLY for debugging */ 1237 1238 mbedtls_ssl_transform t0, t1; 1239 unsigned char *buf = NULL; 1240 size_t const buflen = 512; 1241 mbedtls_record rec, rec_backup; 1242 1243 mbedtls_ssl_init(&ssl); 1244 mbedtls_ssl_transform_init(&t0); 1245 mbedtls_ssl_transform_init(&t1); 1246 MD_OR_USE_PSA_INIT(); 1247 1248 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, 1249 etm, tag_mode, ver, 1250 (size_t) cid0_len, 1251 (size_t) cid1_len); 1252 1253 TEST_ASSERT(ret == 0); 1254 1255 TEST_CALLOC(buf, buflen); 1256 1257 while (num_records-- > 0) { 1258 mbedtls_ssl_transform *t_dec, *t_enc; 1259 /* Take turns in who's sending and who's receiving. */ 1260 if (num_records % 3 == 0) { 1261 t_dec = &t0; 1262 t_enc = &t1; 1263 } else { 1264 t_dec = &t1; 1265 t_enc = &t0; 1266 } 1267 1268 /* 1269 * The record header affects the transformation in two ways: 1270 * 1) It determines the AEAD additional data 1271 * 2) The record counter sometimes determines the IV. 1272 * 1273 * Apart from that, the fields don't have influence. 1274 * In particular, it is currently not the responsibility 1275 * of ssl_encrypt/decrypt_buf to check if the transform 1276 * version matches the record version, or that the 1277 * type is sensible. 1278 */ 1279 1280 memset(rec.ctr, num_records, sizeof(rec.ctr)); 1281 rec.type = 42; 1282 rec.ver[0] = num_records; 1283 rec.ver[1] = num_records; 1284#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1285 rec.cid_len = 0; 1286#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1287 1288 rec.buf = buf; 1289 rec.buf_len = buflen; 1290 rec.data_offset = 16; 1291 /* Make sure to vary the length to exercise different 1292 * paddings. */ 1293 rec.data_len = 1 + num_records; 1294 1295 memset(rec.buf + rec.data_offset, 42, rec.data_len); 1296 1297 /* Make a copy for later comparison */ 1298 rec_backup = rec; 1299 1300 /* Encrypt record */ 1301 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, 1302 mbedtls_test_rnd_std_rand, NULL); 1303 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 1304 if (ret != 0) { 1305 continue; 1306 } 1307 1308#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1309 if (rec.cid_len != 0) { 1310 /* DTLS 1.2 + CID hides the real content type and 1311 * uses a special CID content type in the protected 1312 * record. Double-check this. */ 1313 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID); 1314 } 1315#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1316 1317#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1318 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1319 /* TLS 1.3 hides the real content type and 1320 * always uses Application Data as the content type 1321 * for protected records. Double-check this. */ 1322 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA); 1323 } 1324#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1325 1326 /* Decrypt record with t_dec */ 1327 ret = mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec); 1328 TEST_ASSERT(ret == 0); 1329 1330 /* Compare results */ 1331 TEST_ASSERT(rec.type == rec_backup.type); 1332 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0); 1333 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]); 1334 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]); 1335 TEST_ASSERT(rec.data_len == rec_backup.data_len); 1336 TEST_ASSERT(rec.data_offset == rec_backup.data_offset); 1337 TEST_ASSERT(memcmp(rec.buf + rec.data_offset, 1338 rec_backup.buf + rec_backup.data_offset, 1339 rec.data_len) == 0); 1340 } 1341 1342exit: 1343 1344 /* Cleanup */ 1345 mbedtls_ssl_free(&ssl); 1346 mbedtls_ssl_transform_free(&t0); 1347 mbedtls_ssl_transform_free(&t1); 1348 1349 mbedtls_free(buf); 1350 MD_OR_USE_PSA_DONE(); 1351} 1352/* END_CASE */ 1353 1354/* BEGIN_CASE */ 1355void ssl_crypt_record_small(int cipher_type, int hash_id, 1356 int etm, int tag_mode, int ver, 1357 int cid0_len, int cid1_len) 1358{ 1359 /* 1360 * Test pairs of encryption and decryption with an increasing 1361 * amount of space in the record buffer - in more detail: 1362 * 1) Try to encrypt with 0, 1, 2, ... bytes available 1363 * in front of the plaintext, and expect the encryption 1364 * to succeed starting from some offset. Always keep 1365 * enough space in the end of the buffer. 1366 * 2) Try to encrypt with 0, 1, 2, ... bytes available 1367 * at the end of the plaintext, and expect the encryption 1368 * to succeed starting from some offset. Always keep 1369 * enough space at the beginning of the buffer. 1370 * 3) Try to encrypt with 0, 1, 2, ... bytes available 1371 * both at the front and end of the plaintext, 1372 * and expect the encryption to succeed starting from 1373 * some offset. 1374 * 1375 * If encryption succeeds, check that decryption succeeds 1376 * and yields the original record. 1377 */ 1378 1379 mbedtls_ssl_context ssl; /* ONLY for debugging */ 1380 1381 mbedtls_ssl_transform t0, t1; 1382 unsigned char *buf = NULL; 1383 size_t const buflen = 256; 1384 mbedtls_record rec, rec_backup; 1385 1386 int ret; 1387 int mode; /* Mode 1, 2 or 3 as explained above */ 1388 size_t offset; /* Available space at beginning/end/both */ 1389 size_t threshold = 96; /* Maximum offset to test against */ 1390 1391 size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */ 1392 size_t default_post_padding = 128; /* Post-padding to use in mode 1 */ 1393 1394 int seen_success; /* Indicates if in the current mode we've 1395 * already seen a successful test. */ 1396 1397 mbedtls_ssl_init(&ssl); 1398 mbedtls_ssl_transform_init(&t0); 1399 mbedtls_ssl_transform_init(&t1); 1400 MD_OR_USE_PSA_INIT(); 1401 1402 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, 1403 etm, tag_mode, ver, 1404 (size_t) cid0_len, 1405 (size_t) cid1_len); 1406 1407 TEST_ASSERT(ret == 0); 1408 1409 TEST_CALLOC(buf, buflen); 1410 1411 for (mode = 1; mode <= 3; mode++) { 1412 seen_success = 0; 1413 for (offset = 0; offset <= threshold; offset++) { 1414 mbedtls_ssl_transform *t_dec, *t_enc; 1415 t_dec = &t0; 1416 t_enc = &t1; 1417 1418 memset(rec.ctr, offset, sizeof(rec.ctr)); 1419 rec.type = 42; 1420 rec.ver[0] = offset; 1421 rec.ver[1] = offset; 1422 rec.buf = buf; 1423 rec.buf_len = buflen; 1424#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1425 rec.cid_len = 0; 1426#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1427 1428 switch (mode) { 1429 case 1: /* Space in the beginning */ 1430 rec.data_offset = offset; 1431 rec.data_len = buflen - offset - default_post_padding; 1432 break; 1433 1434 case 2: /* Space in the end */ 1435 rec.data_offset = default_pre_padding; 1436 rec.data_len = buflen - default_pre_padding - offset; 1437 break; 1438 1439 case 3: /* Space in the beginning and end */ 1440 rec.data_offset = offset; 1441 rec.data_len = buflen - 2 * offset; 1442 break; 1443 1444 default: 1445 TEST_ASSERT(0); 1446 break; 1447 } 1448 1449 memset(rec.buf + rec.data_offset, 42, rec.data_len); 1450 1451 /* Make a copy for later comparison */ 1452 rec_backup = rec; 1453 1454 /* Encrypt record */ 1455 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec, 1456 mbedtls_test_rnd_std_rand, NULL); 1457 1458 if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 1459 /* It's ok if the output buffer is too small. We do insist 1460 * on at least one mode succeeding; this is tracked by 1461 * seen_success. */ 1462 continue; 1463 } 1464 1465 TEST_EQUAL(ret, 0); 1466 seen_success = 1; 1467 1468#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1469 if (rec.cid_len != 0) { 1470 /* DTLS 1.2 + CID hides the real content type and 1471 * uses a special CID content type in the protected 1472 * record. Double-check this. */ 1473 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID); 1474 } 1475#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1476 1477#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1478 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1479 /* TLS 1.3 hides the real content type and 1480 * always uses Application Data as the content type 1481 * for protected records. Double-check this. */ 1482 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA); 1483 } 1484#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1485 1486 /* Decrypt record with t_dec */ 1487 TEST_ASSERT(mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec) == 0); 1488 1489 /* Compare results */ 1490 TEST_ASSERT(rec.type == rec_backup.type); 1491 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0); 1492 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]); 1493 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]); 1494 TEST_ASSERT(rec.data_len == rec_backup.data_len); 1495 TEST_ASSERT(rec.data_offset == rec_backup.data_offset); 1496 TEST_ASSERT(memcmp(rec.buf + rec.data_offset, 1497 rec_backup.buf + rec_backup.data_offset, 1498 rec.data_len) == 0); 1499 } 1500 1501 TEST_ASSERT(seen_success == 1); 1502 } 1503 1504exit: 1505 1506 /* Cleanup */ 1507 mbedtls_ssl_free(&ssl); 1508 mbedtls_ssl_transform_free(&t0); 1509 mbedtls_ssl_transform_free(&t1); 1510 1511 mbedtls_free(buf); 1512 MD_OR_USE_PSA_DONE(); 1513} 1514/* END_CASE */ 1515 1516/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1517void ssl_tls13_hkdf_expand_label(int hash_alg, 1518 data_t *secret, 1519 int label_idx, 1520 data_t *ctx, 1521 int desired_length, 1522 data_t *expected) 1523{ 1524 unsigned char dst[100]; 1525 1526 unsigned char const *lbl = NULL; 1527 size_t lbl_len; 1528#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ 1529 if (label_idx == (int) tls13_label_ ## name) \ 1530 { \ 1531 lbl = mbedtls_ssl_tls13_labels.name; \ 1532 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ 1533 } 1534 MBEDTLS_SSL_TLS1_3_LABEL_LIST 1535#undef MBEDTLS_SSL_TLS1_3_LABEL 1536 TEST_ASSERT(lbl != NULL); 1537 1538 /* Check sanity of test parameters. */ 1539 TEST_ASSERT((size_t) desired_length <= sizeof(dst)); 1540 TEST_ASSERT((size_t) desired_length == expected->len); 1541 1542 PSA_INIT(); 1543 1544 TEST_ASSERT(mbedtls_ssl_tls13_hkdf_expand_label( 1545 (psa_algorithm_t) hash_alg, 1546 secret->x, secret->len, 1547 lbl, lbl_len, 1548 ctx->x, ctx->len, 1549 dst, desired_length) == 0); 1550 1551 TEST_MEMORY_COMPARE(dst, (size_t) desired_length, 1552 expected->x, (size_t) expected->len); 1553 1554exit: 1555 PSA_DONE(); 1556} 1557/* END_CASE */ 1558 1559/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1560void ssl_tls13_traffic_key_generation(int hash_alg, 1561 data_t *server_secret, 1562 data_t *client_secret, 1563 int desired_iv_len, 1564 int desired_key_len, 1565 data_t *expected_server_write_key, 1566 data_t *expected_server_write_iv, 1567 data_t *expected_client_write_key, 1568 data_t *expected_client_write_iv) 1569{ 1570 mbedtls_ssl_key_set keys; 1571 1572 /* Check sanity of test parameters. */ 1573 TEST_ASSERT(client_secret->len == server_secret->len); 1574 TEST_ASSERT( 1575 expected_client_write_iv->len == expected_server_write_iv->len && 1576 expected_client_write_iv->len == (size_t) desired_iv_len); 1577 TEST_ASSERT( 1578 expected_client_write_key->len == expected_server_write_key->len && 1579 expected_client_write_key->len == (size_t) desired_key_len); 1580 1581 PSA_INIT(); 1582 1583 TEST_ASSERT(mbedtls_ssl_tls13_make_traffic_keys( 1584 (psa_algorithm_t) hash_alg, 1585 client_secret->x, 1586 server_secret->x, 1587 client_secret->len /* == server_secret->len */, 1588 desired_key_len, desired_iv_len, 1589 &keys) == 0); 1590 1591 TEST_MEMORY_COMPARE(keys.client_write_key, 1592 keys.key_len, 1593 expected_client_write_key->x, 1594 (size_t) desired_key_len); 1595 TEST_MEMORY_COMPARE(keys.server_write_key, 1596 keys.key_len, 1597 expected_server_write_key->x, 1598 (size_t) desired_key_len); 1599 TEST_MEMORY_COMPARE(keys.client_write_iv, 1600 keys.iv_len, 1601 expected_client_write_iv->x, 1602 (size_t) desired_iv_len); 1603 TEST_MEMORY_COMPARE(keys.server_write_iv, 1604 keys.iv_len, 1605 expected_server_write_iv->x, 1606 (size_t) desired_iv_len); 1607 1608exit: 1609 PSA_DONE(); 1610} 1611/* END_CASE */ 1612 1613/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1614void ssl_tls13_derive_secret(int hash_alg, 1615 data_t *secret, 1616 int label_idx, 1617 data_t *ctx, 1618 int desired_length, 1619 int already_hashed, 1620 data_t *expected) 1621{ 1622 unsigned char dst[100]; 1623 1624 unsigned char const *lbl = NULL; 1625 size_t lbl_len; 1626#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \ 1627 if (label_idx == (int) tls13_label_ ## name) \ 1628 { \ 1629 lbl = mbedtls_ssl_tls13_labels.name; \ 1630 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \ 1631 } 1632 MBEDTLS_SSL_TLS1_3_LABEL_LIST 1633#undef MBEDTLS_SSL_TLS1_3_LABEL 1634 TEST_ASSERT(lbl != NULL); 1635 1636 /* Check sanity of test parameters. */ 1637 TEST_ASSERT((size_t) desired_length <= sizeof(dst)); 1638 TEST_ASSERT((size_t) desired_length == expected->len); 1639 1640 PSA_INIT(); 1641 1642 TEST_ASSERT(mbedtls_ssl_tls13_derive_secret( 1643 (psa_algorithm_t) hash_alg, 1644 secret->x, secret->len, 1645 lbl, lbl_len, 1646 ctx->x, ctx->len, 1647 already_hashed, 1648 dst, desired_length) == 0); 1649 1650 TEST_MEMORY_COMPARE(dst, desired_length, 1651 expected->x, desired_length); 1652 1653exit: 1654 PSA_DONE(); 1655} 1656/* END_CASE */ 1657 1658/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1659void ssl_tls13_derive_early_secrets(int hash_alg, 1660 data_t *secret, 1661 data_t *transcript, 1662 data_t *traffic_expected, 1663 data_t *exporter_expected) 1664{ 1665 mbedtls_ssl_tls13_early_secrets secrets; 1666 1667 /* Double-check that we've passed sane parameters. */ 1668 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 1669 size_t const hash_len = PSA_HASH_LENGTH(alg); 1670 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 1671 secret->len == hash_len && 1672 transcript->len == hash_len && 1673 traffic_expected->len == hash_len && 1674 exporter_expected->len == hash_len); 1675 1676 PSA_INIT(); 1677 1678 TEST_ASSERT(mbedtls_ssl_tls13_derive_early_secrets( 1679 alg, secret->x, transcript->x, transcript->len, 1680 &secrets) == 0); 1681 1682 TEST_MEMORY_COMPARE(secrets.client_early_traffic_secret, hash_len, 1683 traffic_expected->x, traffic_expected->len); 1684 TEST_MEMORY_COMPARE(secrets.early_exporter_master_secret, hash_len, 1685 exporter_expected->x, exporter_expected->len); 1686 1687exit: 1688 PSA_DONE(); 1689} 1690/* END_CASE */ 1691 1692/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1693void ssl_tls13_derive_handshake_secrets(int hash_alg, 1694 data_t *secret, 1695 data_t *transcript, 1696 data_t *client_expected, 1697 data_t *server_expected) 1698{ 1699 mbedtls_ssl_tls13_handshake_secrets secrets; 1700 1701 /* Double-check that we've passed sane parameters. */ 1702 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 1703 size_t const hash_len = PSA_HASH_LENGTH(alg); 1704 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 1705 secret->len == hash_len && 1706 transcript->len == hash_len && 1707 client_expected->len == hash_len && 1708 server_expected->len == hash_len); 1709 1710 PSA_INIT(); 1711 1712 TEST_ASSERT(mbedtls_ssl_tls13_derive_handshake_secrets( 1713 alg, secret->x, transcript->x, transcript->len, 1714 &secrets) == 0); 1715 1716 TEST_MEMORY_COMPARE(secrets.client_handshake_traffic_secret, hash_len, 1717 client_expected->x, client_expected->len); 1718 TEST_MEMORY_COMPARE(secrets.server_handshake_traffic_secret, hash_len, 1719 server_expected->x, server_expected->len); 1720 1721exit: 1722 PSA_DONE(); 1723} 1724/* END_CASE */ 1725 1726/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1727void ssl_tls13_derive_application_secrets(int hash_alg, 1728 data_t *secret, 1729 data_t *transcript, 1730 data_t *client_expected, 1731 data_t *server_expected, 1732 data_t *exporter_expected) 1733{ 1734 mbedtls_ssl_tls13_application_secrets secrets; 1735 1736 /* Double-check that we've passed sane parameters. */ 1737 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 1738 size_t const hash_len = PSA_HASH_LENGTH(alg); 1739 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 1740 secret->len == hash_len && 1741 transcript->len == hash_len && 1742 client_expected->len == hash_len && 1743 server_expected->len == hash_len && 1744 exporter_expected->len == hash_len); 1745 1746 PSA_INIT(); 1747 1748 TEST_ASSERT(mbedtls_ssl_tls13_derive_application_secrets( 1749 alg, secret->x, transcript->x, transcript->len, 1750 &secrets) == 0); 1751 1752 TEST_MEMORY_COMPARE(secrets.client_application_traffic_secret_N, hash_len, 1753 client_expected->x, client_expected->len); 1754 TEST_MEMORY_COMPARE(secrets.server_application_traffic_secret_N, hash_len, 1755 server_expected->x, server_expected->len); 1756 TEST_MEMORY_COMPARE(secrets.exporter_master_secret, hash_len, 1757 exporter_expected->x, exporter_expected->len); 1758 1759exit: 1760 PSA_DONE(); 1761} 1762/* END_CASE */ 1763 1764/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1765void ssl_tls13_derive_resumption_secrets(int hash_alg, 1766 data_t *secret, 1767 data_t *transcript, 1768 data_t *resumption_expected) 1769{ 1770 mbedtls_ssl_tls13_application_secrets secrets; 1771 1772 /* Double-check that we've passed sane parameters. */ 1773 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 1774 size_t const hash_len = PSA_HASH_LENGTH(alg); 1775 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 1776 secret->len == hash_len && 1777 transcript->len == hash_len && 1778 resumption_expected->len == hash_len); 1779 1780 PSA_INIT(); 1781 1782 TEST_ASSERT(mbedtls_ssl_tls13_derive_resumption_master_secret( 1783 alg, secret->x, transcript->x, transcript->len, 1784 &secrets) == 0); 1785 1786 TEST_MEMORY_COMPARE(secrets.resumption_master_secret, hash_len, 1787 resumption_expected->x, resumption_expected->len); 1788 1789exit: 1790 PSA_DONE(); 1791} 1792/* END_CASE */ 1793 1794/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1795void ssl_tls13_create_psk_binder(int hash_alg, 1796 data_t *psk, 1797 int psk_type, 1798 data_t *transcript, 1799 data_t *binder_expected) 1800{ 1801 unsigned char binder[MBEDTLS_MD_MAX_SIZE]; 1802 1803 /* Double-check that we've passed sane parameters. */ 1804 psa_algorithm_t alg = (psa_algorithm_t) hash_alg; 1805 size_t const hash_len = PSA_HASH_LENGTH(alg); 1806 TEST_ASSERT(PSA_ALG_IS_HASH(alg) && 1807 transcript->len == hash_len && 1808 binder_expected->len == hash_len); 1809 1810 PSA_INIT(); 1811 1812 TEST_ASSERT(mbedtls_ssl_tls13_create_psk_binder( 1813 NULL, /* SSL context for debugging only */ 1814 alg, 1815 psk->x, psk->len, 1816 psk_type, 1817 transcript->x, 1818 binder) == 0); 1819 1820 TEST_MEMORY_COMPARE(binder, hash_len, 1821 binder_expected->x, binder_expected->len); 1822 1823exit: 1824 PSA_DONE(); 1825} 1826/* END_CASE */ 1827 1828/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1829void ssl_tls13_record_protection(int ciphersuite, 1830 int endpoint, 1831 int ctr, 1832 int padding_used, 1833 data_t *server_write_key, 1834 data_t *server_write_iv, 1835 data_t *client_write_key, 1836 data_t *client_write_iv, 1837 data_t *plaintext, 1838 data_t *ciphertext) 1839{ 1840 mbedtls_ssl_key_set keys; 1841 mbedtls_ssl_transform transform_send; 1842 mbedtls_ssl_transform_init(&transform_send); 1843 mbedtls_ssl_transform transform_recv; 1844 mbedtls_ssl_transform_init(&transform_recv); 1845 mbedtls_record rec; 1846 unsigned char *buf = NULL; 1847 size_t buf_len; 1848 int other_endpoint; 1849 1850 TEST_ASSERT(endpoint == MBEDTLS_SSL_IS_CLIENT || 1851 endpoint == MBEDTLS_SSL_IS_SERVER); 1852 1853 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 1854 other_endpoint = MBEDTLS_SSL_IS_CLIENT; 1855 } 1856 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 1857 other_endpoint = MBEDTLS_SSL_IS_SERVER; 1858 } 1859 1860 TEST_ASSERT(server_write_key->len == client_write_key->len); 1861 TEST_ASSERT(server_write_iv->len == client_write_iv->len); 1862 1863 memcpy(keys.client_write_key, 1864 client_write_key->x, client_write_key->len); 1865 memcpy(keys.client_write_iv, 1866 client_write_iv->x, client_write_iv->len); 1867 memcpy(keys.server_write_key, 1868 server_write_key->x, server_write_key->len); 1869 memcpy(keys.server_write_iv, 1870 server_write_iv->x, server_write_iv->len); 1871 1872 keys.key_len = server_write_key->len; 1873 keys.iv_len = server_write_iv->len; 1874 1875 MD_OR_USE_PSA_INIT(); 1876 1877 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform( 1878 &transform_send, endpoint, 1879 ciphersuite, &keys, NULL) == 0); 1880 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform( 1881 &transform_recv, other_endpoint, 1882 ciphersuite, &keys, NULL) == 0); 1883 1884 /* Make sure we have enough space in the buffer even if 1885 * we use more padding than the KAT. */ 1886 buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY; 1887 TEST_CALLOC(buf, buf_len); 1888 rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; 1889 1890 /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */ 1891 mbedtls_ssl_write_version(rec.ver, 1892 MBEDTLS_SSL_TRANSPORT_STREAM, 1893 MBEDTLS_SSL_VERSION_TLS1_2); 1894 1895 /* Copy plaintext into record structure */ 1896 rec.buf = buf; 1897 rec.buf_len = buf_len; 1898 rec.data_offset = 0; 1899 TEST_ASSERT(plaintext->len <= ciphertext->len); 1900 memcpy(rec.buf + rec.data_offset, plaintext->x, plaintext->len); 1901 rec.data_len = plaintext->len; 1902#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1903 rec.cid_len = 0; 1904#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1905 1906 memset(&rec.ctr[0], 0, 8); 1907 rec.ctr[7] = ctr; 1908 1909 TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec, 1910 NULL, NULL) == 0); 1911 1912 if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) { 1913 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len, 1914 ciphertext->x, ciphertext->len); 1915 } 1916 1917 TEST_ASSERT(mbedtls_ssl_decrypt_buf(NULL, &transform_recv, &rec) == 0); 1918 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len, 1919 plaintext->x, plaintext->len); 1920 1921exit: 1922 mbedtls_free(buf); 1923 mbedtls_ssl_transform_free(&transform_send); 1924 mbedtls_ssl_transform_free(&transform_recv); 1925 MD_OR_USE_PSA_DONE(); 1926} 1927/* END_CASE */ 1928 1929/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ 1930void ssl_tls13_key_evolution(int hash_alg, 1931 data_t *secret, 1932 data_t *input, 1933 data_t *expected) 1934{ 1935 unsigned char secret_new[MBEDTLS_MD_MAX_SIZE]; 1936 1937 PSA_INIT(); 1938 1939 TEST_ASSERT(mbedtls_ssl_tls13_evolve_secret( 1940 (psa_algorithm_t) hash_alg, 1941 secret->len ? secret->x : NULL, 1942 input->len ? input->x : NULL, input->len, 1943 secret_new) == 0); 1944 1945 TEST_MEMORY_COMPARE(secret_new, (size_t) expected->len, 1946 expected->x, (size_t) expected->len); 1947 1948exit: 1949 PSA_DONE(); 1950} 1951/* END_CASE */ 1952 1953/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */ 1954void ssl_tls_prf(int type, data_t *secret, data_t *random, 1955 char *label, data_t *result_str, int exp_ret) 1956{ 1957 unsigned char *output; 1958 1959 output = mbedtls_calloc(1, result_str->len); 1960 if (output == NULL) { 1961 goto exit; 1962 } 1963 1964 MD_OR_USE_PSA_INIT(); 1965 1966 TEST_ASSERT(mbedtls_ssl_tls_prf(type, secret->x, secret->len, 1967 label, random->x, random->len, 1968 output, result_str->len) == exp_ret); 1969 1970 if (exp_ret == 0) { 1971 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x, 1972 result_str->len, result_str->len) == 0); 1973 } 1974exit: 1975 1976 mbedtls_free(output); 1977 MD_OR_USE_PSA_DONE(); 1978} 1979/* END_CASE */ 1980 1981/* BEGIN_CASE */ 1982void ssl_serialize_session_save_load(int ticket_len, char *crt_file, 1983 int endpoint_type, int tls_version) 1984{ 1985 mbedtls_ssl_session original, restored; 1986 unsigned char *buf = NULL; 1987 size_t len; 1988 1989 /* 1990 * Test that a save-load pair is the identity 1991 */ 1992 mbedtls_ssl_session_init(&original); 1993 mbedtls_ssl_session_init(&restored); 1994 USE_PSA_INIT(); 1995 1996 /* Prepare a dummy session to work on */ 1997 ((void) tls_version); 1998 ((void) ticket_len); 1999 ((void) crt_file); 2000#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2001 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2002 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2003 &original, 0, endpoint_type) == 0); 2004 } 2005#endif 2006 2007#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2008 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2009 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2010 &original, ticket_len, endpoint_type, crt_file) == 0); 2011 } 2012#endif 2013 2014 /* Serialize it */ 2015 TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len) 2016 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2017 TEST_CALLOC(buf, len); 2018 TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len) 2019 == 0); 2020 2021 /* Restore session from serialized data */ 2022 TEST_ASSERT(mbedtls_ssl_session_load(&restored, buf, len) == 0); 2023 2024 /* 2025 * Make sure both session structures are identical 2026 */ 2027#if defined(MBEDTLS_HAVE_TIME) 2028 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2029 TEST_ASSERT(original.start == restored.start); 2030 } 2031#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) 2032 TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time); 2033#endif 2034#endif /* MBEDTLS_HAVE_TIME */ 2035 2036 TEST_ASSERT(original.tls_version == restored.tls_version); 2037 TEST_ASSERT(original.endpoint == restored.endpoint); 2038 TEST_ASSERT(original.ciphersuite == restored.ciphersuite); 2039#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2040 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2041 TEST_ASSERT(original.id_len == restored.id_len); 2042 TEST_ASSERT(memcmp(original.id, 2043 restored.id, sizeof(original.id)) == 0); 2044 TEST_ASSERT(memcmp(original.master, 2045 restored.master, sizeof(original.master)) == 0); 2046 2047#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2048#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 2049 TEST_ASSERT((original.peer_cert == NULL) == 2050 (restored.peer_cert == NULL)); 2051 if (original.peer_cert != NULL) { 2052 TEST_ASSERT(original.peer_cert->raw.len == 2053 restored.peer_cert->raw.len); 2054 TEST_ASSERT(memcmp(original.peer_cert->raw.p, 2055 restored.peer_cert->raw.p, 2056 original.peer_cert->raw.len) == 0); 2057 } 2058#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2059 TEST_ASSERT(original.peer_cert_digest_type == 2060 restored.peer_cert_digest_type); 2061 TEST_ASSERT(original.peer_cert_digest_len == 2062 restored.peer_cert_digest_len); 2063 TEST_ASSERT((original.peer_cert_digest == NULL) == 2064 (restored.peer_cert_digest == NULL)); 2065 if (original.peer_cert_digest != NULL) { 2066 TEST_ASSERT(memcmp(original.peer_cert_digest, 2067 restored.peer_cert_digest, 2068 original.peer_cert_digest_len) == 0); 2069 } 2070#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 2071#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2072 TEST_ASSERT(original.verify_result == restored.verify_result); 2073 2074#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2075 TEST_ASSERT(original.mfl_code == restored.mfl_code); 2076#endif 2077 2078#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2079 TEST_ASSERT(original.encrypt_then_mac == restored.encrypt_then_mac); 2080#endif 2081#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 2082 TEST_ASSERT(original.ticket_len == restored.ticket_len); 2083 if (original.ticket_len != 0) { 2084 TEST_ASSERT(original.ticket != NULL); 2085 TEST_ASSERT(restored.ticket != NULL); 2086 TEST_ASSERT(memcmp(original.ticket, 2087 restored.ticket, original.ticket_len) == 0); 2088 } 2089 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime); 2090#endif 2091 } 2092#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2093 2094#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2095 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2096#if defined(MBEDTLS_SSL_SESSION_TICKETS) 2097 TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add); 2098 TEST_ASSERT(original.ticket_flags == restored.ticket_flags); 2099 TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len); 2100 if (original.resumption_key_len != 0) { 2101 TEST_ASSERT(original.resumption_key != NULL); 2102 TEST_ASSERT(restored.resumption_key != NULL); 2103 TEST_ASSERT(memcmp(original.resumption_key, 2104 restored.resumption_key, 2105 original.resumption_key_len) == 0); 2106 } 2107#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2108 2109#if defined(MBEDTLS_SSL_SRV_C) 2110 if (endpoint_type == MBEDTLS_SSL_IS_SERVER) { 2111#if defined(MBEDTLS_SSL_SESSION_TICKETS) 2112#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 2113 TEST_ASSERT(original.ticket_alpn != NULL); 2114 TEST_ASSERT(restored.ticket_alpn != NULL); 2115 TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn), 2116 restored.ticket_alpn, strlen(restored.ticket_alpn)); 2117#endif 2118#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2119 } 2120#endif /* MBEDTLS_SSL_SRV_C */ 2121 2122#if defined(MBEDTLS_SSL_CLI_C) 2123 if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) { 2124#if defined(MBEDTLS_SSL_SESSION_TICKETS) 2125#if defined(MBEDTLS_HAVE_TIME) 2126 TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time); 2127#endif 2128 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime); 2129 TEST_ASSERT(original.ticket_len == restored.ticket_len); 2130 if (original.ticket_len != 0) { 2131 TEST_ASSERT(original.ticket != NULL); 2132 TEST_ASSERT(restored.ticket != NULL); 2133 TEST_ASSERT(memcmp(original.ticket, 2134 restored.ticket, 2135 original.ticket_len) == 0); 2136 } 2137#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2138 TEST_ASSERT(original.hostname != NULL); 2139 TEST_ASSERT(restored.hostname != NULL); 2140 TEST_MEMORY_COMPARE(original.hostname, strlen(original.hostname), 2141 restored.hostname, strlen(restored.hostname)); 2142#endif 2143#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 2144 } 2145#endif /* MBEDTLS_SSL_CLI_C */ 2146 } 2147#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2148 2149#if defined(MBEDTLS_SSL_EARLY_DATA) 2150 TEST_ASSERT( 2151 original.max_early_data_size == restored.max_early_data_size); 2152#endif 2153 2154#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2155 TEST_ASSERT(original.record_size_limit == restored.record_size_limit); 2156#endif 2157 2158exit: 2159 mbedtls_ssl_session_free(&original); 2160 mbedtls_ssl_session_free(&restored); 2161 mbedtls_free(buf); 2162 USE_PSA_DONE(); 2163} 2164/* END_CASE */ 2165 2166/* BEGIN_CASE */ 2167void ssl_serialize_session_load_save(int ticket_len, char *crt_file, 2168 int endpoint_type, int tls_version) 2169{ 2170 mbedtls_ssl_session session; 2171 unsigned char *buf1 = NULL, *buf2 = NULL; 2172 size_t len0, len1, len2; 2173 2174 /* 2175 * Test that a load-save pair is the identity 2176 */ 2177 mbedtls_ssl_session_init(&session); 2178 USE_PSA_INIT(); 2179 2180 /* Prepare a dummy session to work on */ 2181 ((void) ticket_len); 2182 ((void) crt_file); 2183 2184 switch (tls_version) { 2185#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2186 case MBEDTLS_SSL_VERSION_TLS1_3: 2187 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2188 &session, 0, endpoint_type) == 0); 2189 break; 2190#endif 2191 2192#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2193 case MBEDTLS_SSL_VERSION_TLS1_2: 2194 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2195 &session, ticket_len, endpoint_type, crt_file) == 0); 2196 break; 2197#endif 2198 default: 2199 /* should never happen */ 2200 TEST_ASSERT(0); 2201 break; 2202 } 2203 2204 /* Get desired buffer size for serializing */ 2205 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &len0) 2206 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2207 2208 /* Allocate first buffer */ 2209 buf1 = mbedtls_calloc(1, len0); 2210 TEST_ASSERT(buf1 != NULL); 2211 2212 /* Serialize to buffer and free live session */ 2213 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf1, len0, &len1) 2214 == 0); 2215 TEST_ASSERT(len0 == len1); 2216 mbedtls_ssl_session_free(&session); 2217 2218 /* Restore session from serialized data */ 2219 TEST_ASSERT(mbedtls_ssl_session_load(&session, buf1, len1) == 0); 2220 2221 /* Allocate second buffer and serialize to it */ 2222 buf2 = mbedtls_calloc(1, len0); 2223 TEST_ASSERT(buf2 != NULL); 2224 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf2, len0, &len2) 2225 == 0); 2226 2227 /* Make sure both serialized versions are identical */ 2228 TEST_ASSERT(len1 == len2); 2229 TEST_ASSERT(memcmp(buf1, buf2, len1) == 0); 2230 2231exit: 2232 mbedtls_ssl_session_free(&session); 2233 mbedtls_free(buf1); 2234 mbedtls_free(buf2); 2235 USE_PSA_DONE(); 2236} 2237/* END_CASE */ 2238 2239/* BEGIN_CASE */ 2240void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file, 2241 int endpoint_type, int tls_version) 2242{ 2243 mbedtls_ssl_session session; 2244 unsigned char *buf = NULL; 2245 size_t good_len, bad_len, test_len; 2246 2247 /* 2248 * Test that session_save() fails cleanly on small buffers 2249 */ 2250 mbedtls_ssl_session_init(&session); 2251 USE_PSA_INIT(); 2252 2253 /* Prepare dummy session and get serialized size */ 2254 ((void) ticket_len); 2255 ((void) crt_file); 2256 2257 switch (tls_version) { 2258#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2259 case MBEDTLS_SSL_VERSION_TLS1_3: 2260 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2261 &session, 0, endpoint_type) == 0); 2262 break; 2263#endif 2264#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2265 case MBEDTLS_SSL_VERSION_TLS1_2: 2266 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2267 &session, ticket_len, endpoint_type, crt_file) == 0); 2268 break; 2269#endif 2270 default: 2271 /* should never happen */ 2272 TEST_ASSERT(0); 2273 break; 2274 } 2275 2276 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len) 2277 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2278 2279 /* Try all possible bad lengths */ 2280 for (bad_len = 1; bad_len < good_len; bad_len++) { 2281 /* Allocate exact size so that asan/valgrind can detect any overwrite */ 2282 mbedtls_free(buf); 2283 buf = NULL; 2284 TEST_CALLOC(buf, bad_len); 2285 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len, 2286 &test_len) 2287 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2288 TEST_ASSERT(test_len == good_len); 2289 } 2290 2291exit: 2292 mbedtls_ssl_session_free(&session); 2293 mbedtls_free(buf); 2294 USE_PSA_DONE(); 2295} 2296/* END_CASE */ 2297 2298/* BEGIN_CASE */ 2299void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, 2300 int endpoint_type, int tls_version) 2301{ 2302 mbedtls_ssl_session session; 2303 unsigned char *good_buf = NULL, *bad_buf = NULL; 2304 size_t good_len, bad_len; 2305 2306 /* 2307 * Test that session_load() fails cleanly on small buffers 2308 */ 2309 mbedtls_ssl_session_init(&session); 2310 USE_PSA_INIT(); 2311 2312 /* Prepare serialized session data */ 2313 ((void) ticket_len); 2314 ((void) crt_file); 2315 2316 switch (tls_version) { 2317#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2318 case MBEDTLS_SSL_VERSION_TLS1_3: 2319 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2320 &session, 0, endpoint_type) == 0); 2321 break; 2322#endif 2323 2324#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2325 case MBEDTLS_SSL_VERSION_TLS1_2: 2326 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2327 &session, ticket_len, endpoint_type, crt_file) == 0); 2328 break; 2329#endif 2330 2331 default: 2332 /* should never happen */ 2333 TEST_ASSERT(0); 2334 break; 2335 } 2336 2337 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len) 2338 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); 2339 TEST_CALLOC(good_buf, good_len); 2340 TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len, 2341 &good_len) == 0); 2342 mbedtls_ssl_session_free(&session); 2343 2344 /* Try all possible bad lengths */ 2345 for (bad_len = 0; bad_len < good_len; bad_len++) { 2346 /* Allocate exact size so that asan/valgrind can detect any overread */ 2347 mbedtls_free(bad_buf); 2348 bad_buf = NULL; 2349 TEST_CALLOC_NONNULL(bad_buf, bad_len); 2350 memcpy(bad_buf, good_buf, bad_len); 2351 2352 TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len) 2353 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 2354 } 2355 2356exit: 2357 mbedtls_ssl_session_free(&session); 2358 mbedtls_free(good_buf); 2359 mbedtls_free(bad_buf); 2360 USE_PSA_DONE(); 2361} 2362/* END_CASE */ 2363 2364/* BEGIN_CASE */ 2365void ssl_session_serialize_version_check(int corrupt_major, 2366 int corrupt_minor, 2367 int corrupt_patch, 2368 int corrupt_config, 2369 int endpoint_type, 2370 int tls_version) 2371{ 2372 unsigned char serialized_session[2048]; 2373 size_t serialized_session_len; 2374 unsigned cur_byte; 2375 mbedtls_ssl_session session; 2376 uint8_t should_corrupt_byte[] = { corrupt_major == 1, 2377 corrupt_minor == 1, 2378 corrupt_patch == 1, 2379 corrupt_config == 1, 2380 corrupt_config == 1 }; 2381 2382 mbedtls_ssl_session_init(&session); 2383 USE_PSA_INIT(); 2384 2385 switch (tls_version) { 2386#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2387 case MBEDTLS_SSL_VERSION_TLS1_3: 2388 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2389 &session, 0, endpoint_type) == 0); 2390 break; 2391#endif 2392#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2393 case MBEDTLS_SSL_VERSION_TLS1_2: 2394 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2395 &session, 0, endpoint_type, NULL) == 0); 2396 2397 break; 2398#endif 2399 default: 2400 /* should never happen */ 2401 TEST_ASSERT(0); 2402 break; 2403 } 2404 2405 /* Infer length of serialized session. */ 2406 TEST_ASSERT(mbedtls_ssl_session_save(&session, 2407 serialized_session, 2408 sizeof(serialized_session), 2409 &serialized_session_len) == 0); 2410 2411 mbedtls_ssl_session_free(&session); 2412 2413 /* Without any modification, we should be able to successfully 2414 * de-serialize the session - double-check that. */ 2415 TEST_ASSERT(mbedtls_ssl_session_load(&session, 2416 serialized_session, 2417 serialized_session_len) == 0); 2418 mbedtls_ssl_session_free(&session); 2419 2420 /* Go through the bytes in the serialized session header and 2421 * corrupt them bit-by-bit. */ 2422 for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) { 2423 int cur_bit; 2424 unsigned char *const byte = &serialized_session[cur_byte]; 2425 2426 if (should_corrupt_byte[cur_byte] == 0) { 2427 continue; 2428 } 2429 2430 for (cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++) { 2431 unsigned char const corrupted_bit = 0x1u << cur_bit; 2432 /* Modify a single bit in the serialized session. */ 2433 *byte ^= corrupted_bit; 2434 2435 /* Attempt to deserialize */ 2436 TEST_ASSERT(mbedtls_ssl_session_load(&session, 2437 serialized_session, 2438 serialized_session_len) == 2439 MBEDTLS_ERR_SSL_VERSION_MISMATCH); 2440 2441 /* Undo the change */ 2442 *byte ^= corrupted_bit; 2443 } 2444 } 2445exit: 2446 USE_PSA_DONE(); 2447} 2448/* END_CASE */ 2449 2450/* BEGIN_CASE */ 2451void ssl_session_id_accessors_check(int tls_version) 2452{ 2453 mbedtls_ssl_session session; 2454 int ciphersuite_id; 2455 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 2456 2457 mbedtls_ssl_session_init(&session); 2458 USE_PSA_INIT(); 2459 2460 switch (tls_version) { 2461#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2462 case MBEDTLS_SSL_VERSION_TLS1_3: 2463 ciphersuite_id = MBEDTLS_TLS1_3_AES_128_GCM_SHA256; 2464 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session( 2465 &session, 0, MBEDTLS_SSL_IS_SERVER) == 0); 2466 break; 2467#endif 2468#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2469 case MBEDTLS_SSL_VERSION_TLS1_2: 2470 ciphersuite_id = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256; 2471 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session( 2472 &session, 0, MBEDTLS_SSL_IS_SERVER, NULL) == 0); 2473 2474 break; 2475#endif 2476 default: 2477 /* should never happen */ 2478 TEST_ASSERT(0); 2479 break; 2480 } 2481 TEST_ASSERT(*mbedtls_ssl_session_get_id(&session) == session.id); 2482 TEST_ASSERT(mbedtls_ssl_session_get_id_len(&session) == session.id_len); 2483 /* mbedtls_test_ssl_tls1x_populate_session sets a mock suite-id of 0xabcd */ 2484 TEST_ASSERT(mbedtls_ssl_session_get_ciphersuite_id(&session) == 0xabcd); 2485 2486 /* Test setting a reference id for tls1.3 and tls1.2 */ 2487 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 2488 if (ciphersuite_info != NULL) { 2489 TEST_ASSERT(mbedtls_ssl_ciphersuite_get_id(ciphersuite_info) == ciphersuite_id); 2490 } 2491 2492exit: 2493 mbedtls_ssl_session_free(&session); 2494 USE_PSA_DONE(); 2495} 2496/* END_CASE */ 2497 2498/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */ 2499void mbedtls_endpoint_sanity(int endpoint_type) 2500{ 2501 enum { BUFFSIZE = 1024 }; 2502 mbedtls_test_ssl_endpoint ep; 2503 int ret = -1; 2504 mbedtls_test_handshake_test_options options; 2505 mbedtls_test_init_handshake_options(&options); 2506 options.pk_alg = MBEDTLS_PK_RSA; 2507 2508 MD_OR_USE_PSA_INIT(); 2509 2510 ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options, 2511 NULL, NULL, NULL); 2512 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); 2513 2514 ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg, 2515 0, 0, 0); 2516 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret); 2517 2518 ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options, 2519 NULL, NULL, NULL); 2520 TEST_ASSERT(ret == 0); 2521 2522exit: 2523 mbedtls_test_ssl_endpoint_free(&ep, NULL); 2524 mbedtls_test_free_handshake_options(&options); 2525 MD_OR_USE_PSA_DONE(); 2526} 2527/* END_CASE */ 2528 2529/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS */ 2530void move_handshake_to_state(int endpoint_type, int tls_version, int state, int need_pass) 2531{ 2532 enum { BUFFSIZE = 1024 }; 2533 mbedtls_test_ssl_endpoint base_ep, second_ep; 2534 int ret = -1; 2535 (void) tls_version; 2536 2537 mbedtls_test_handshake_test_options options; 2538 mbedtls_test_init_handshake_options(&options); 2539 2540 options.pk_alg = MBEDTLS_PK_RSA; 2541 2542 /* 2543 * If both TLS 1.2 and 1.3 are enabled and we want to do a TLS 1.2 2544 * handshake, force the TLS 1.2 version on endpoint under test. 2545 */ 2546#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2547 if (MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) { 2548 if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) { 2549 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2550 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2551 } else { 2552 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2553 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2554 } 2555 } 2556#endif 2557 2558 MD_OR_USE_PSA_INIT(); 2559 mbedtls_platform_zeroize(&base_ep, sizeof(base_ep)); 2560 mbedtls_platform_zeroize(&second_ep, sizeof(second_ep)); 2561 2562 ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options, 2563 NULL, NULL, NULL); 2564 TEST_ASSERT(ret == 0); 2565 2566 ret = mbedtls_test_ssl_endpoint_init( 2567 &second_ep, 2568 (endpoint_type == MBEDTLS_SSL_IS_SERVER) ? 2569 MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER, 2570 &options, NULL, NULL, NULL); 2571 2572 TEST_ASSERT(ret == 0); 2573 2574 ret = mbedtls_test_mock_socket_connect(&(base_ep.socket), 2575 &(second_ep.socket), 2576 BUFFSIZE); 2577 TEST_ASSERT(ret == 0); 2578 2579 ret = mbedtls_test_move_handshake_to_state(&(base_ep.ssl), 2580 &(second_ep.ssl), 2581 state); 2582 if (need_pass) { 2583 TEST_ASSERT(ret == 0 || 2584 ret == MBEDTLS_ERR_SSL_WANT_READ || 2585 ret == MBEDTLS_ERR_SSL_WANT_WRITE); 2586 TEST_ASSERT(base_ep.ssl.state == state); 2587 } else { 2588 TEST_ASSERT(ret != 0 && 2589 ret != MBEDTLS_ERR_SSL_WANT_READ && 2590 ret != MBEDTLS_ERR_SSL_WANT_WRITE); 2591 TEST_ASSERT(base_ep.ssl.state != state); 2592 } 2593 2594exit: 2595 mbedtls_test_free_handshake_options(&options); 2596 mbedtls_test_ssl_endpoint_free(&base_ep, NULL); 2597 mbedtls_test_ssl_endpoint_free(&second_ep, NULL); 2598 MD_OR_USE_PSA_DONE(); 2599} 2600/* END_CASE */ 2601 2602/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2603void handshake_version(int dtls, int client_min_version, int client_max_version, 2604 int server_min_version, int server_max_version, 2605 int expected_negotiated_version) 2606{ 2607 mbedtls_test_handshake_test_options options; 2608 mbedtls_test_init_handshake_options(&options); 2609 2610 options.client_min_version = client_min_version; 2611 options.client_max_version = client_max_version; 2612 options.server_min_version = server_min_version; 2613 options.server_max_version = server_max_version; 2614 options.expected_negotiated_version = expected_negotiated_version; 2615 2616 options.dtls = dtls; 2617 mbedtls_test_ssl_perform_handshake(&options); 2618 2619 /* The goto below is used to avoid an "unused label" warning.*/ 2620 goto exit; 2621 2622exit: 2623 mbedtls_test_free_handshake_options(&options); 2624} 2625/* END_CASE */ 2626 2627/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 2628void handshake_psk_cipher(char *cipher, int pk_alg, data_t *psk_str, int dtls) 2629{ 2630 mbedtls_test_handshake_test_options options; 2631 mbedtls_test_init_handshake_options(&options); 2632 2633 options.cipher = cipher; 2634 options.dtls = dtls; 2635 options.psk_str = psk_str; 2636 options.pk_alg = pk_alg; 2637 2638 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2639 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2640 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2641 2642 mbedtls_test_ssl_perform_handshake(&options); 2643 2644 /* The goto below is used to avoid an "unused label" warning.*/ 2645 goto exit; 2646 2647exit: 2648 mbedtls_test_free_handshake_options(&options); 2649} 2650/* END_CASE */ 2651 2652/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 2653void handshake_cipher(char *cipher, int pk_alg, int dtls) 2654{ 2655 test_handshake_psk_cipher(cipher, pk_alg, NULL, dtls); 2656 2657 /* The goto below is used to avoid an "unused label" warning.*/ 2658 goto exit; 2659} 2660/* END_CASE */ 2661 2662/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */ 2663void handshake_ciphersuite_select(char *cipher, int pk_alg, data_t *psk_str, 2664 int psa_alg, int psa_alg2, int psa_usage, 2665 int expected_handshake_result, 2666 int expected_ciphersuite) 2667{ 2668 mbedtls_test_handshake_test_options options; 2669 mbedtls_test_init_handshake_options(&options); 2670 2671 options.cipher = cipher; 2672 options.psk_str = psk_str; 2673 options.pk_alg = pk_alg; 2674 options.opaque_alg = psa_alg; 2675 options.opaque_alg2 = psa_alg2; 2676 options.opaque_usage = psa_usage; 2677 options.expected_handshake_result = expected_handshake_result; 2678 options.expected_ciphersuite = expected_ciphersuite; 2679 2680 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2681 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2682 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2683 2684 mbedtls_test_ssl_perform_handshake(&options); 2685 2686 /* The goto below is used to avoid an "unused label" warning.*/ 2687 goto exit; 2688 2689exit: 2690 mbedtls_test_free_handshake_options(&options); 2691} 2692/* END_CASE */ 2693 2694/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */ 2695void app_data(int mfl, int cli_msg_len, int srv_msg_len, 2696 int expected_cli_fragments, 2697 int expected_srv_fragments, int dtls) 2698{ 2699 mbedtls_test_handshake_test_options options; 2700 mbedtls_test_init_handshake_options(&options); 2701 2702 options.mfl = mfl; 2703 options.cli_msg_len = cli_msg_len; 2704 options.srv_msg_len = srv_msg_len; 2705 options.expected_cli_fragments = expected_cli_fragments; 2706 options.expected_srv_fragments = expected_srv_fragments; 2707 options.dtls = dtls; 2708 2709 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 2710 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 2711 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2712 2713 mbedtls_test_ssl_perform_handshake(&options); 2714 2715 /* The goto below is used to avoid an "unused label" warning.*/ 2716 goto exit; 2717 2718exit: 2719 mbedtls_test_free_handshake_options(&options); 2720} 2721/* END_CASE */ 2722 2723/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2724void app_data_tls(int mfl, int cli_msg_len, int srv_msg_len, 2725 int expected_cli_fragments, 2726 int expected_srv_fragments) 2727{ 2728 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments, 2729 expected_srv_fragments, 0); 2730 /* The goto below is used to avoid an "unused label" warning.*/ 2731 goto exit; 2732} 2733/* END_CASE */ 2734 2735/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2736void app_data_dtls(int mfl, int cli_msg_len, int srv_msg_len, 2737 int expected_cli_fragments, 2738 int expected_srv_fragments) 2739{ 2740 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments, 2741 expected_srv_fragments, 1); 2742 /* The goto below is used to avoid an "unused label" warning.*/ 2743 goto exit; 2744} 2745/* END_CASE */ 2746 2747/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2748void handshake_serialization() 2749{ 2750 mbedtls_test_handshake_test_options options; 2751 mbedtls_test_init_handshake_options(&options); 2752 2753 options.serialize = 1; 2754 options.dtls = 1; 2755 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2756 mbedtls_test_ssl_perform_handshake(&options); 2757 /* The goto below is used to avoid an "unused label" warning.*/ 2758 goto exit; 2759exit: 2760 mbedtls_test_free_handshake_options(&options); 2761} 2762/* END_CASE */ 2763 2764/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SSL_HAVE_AES:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */ 2765void handshake_fragmentation(int mfl, 2766 int expected_srv_hs_fragmentation, 2767 int expected_cli_hs_fragmentation) 2768{ 2769 mbedtls_test_handshake_test_options options; 2770 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern; 2771 2772 srv_pattern.pattern = cli_pattern.pattern = "found fragmented DTLS handshake"; 2773 srv_pattern.counter = 0; 2774 cli_pattern.counter = 0; 2775 2776 mbedtls_test_init_handshake_options(&options); 2777 options.dtls = 1; 2778 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2779 options.mfl = mfl; 2780 /* Set cipher to one using CBC so that record splitting can be tested */ 2781 options.cipher = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"; 2782 options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED; 2783 options.srv_log_obj = &srv_pattern; 2784 options.cli_log_obj = &cli_pattern; 2785 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 2786 options.cli_log_fun = mbedtls_test_ssl_log_analyzer; 2787 2788 mbedtls_test_ssl_perform_handshake(&options); 2789 2790 /* Test if the server received a fragmented handshake */ 2791 if (expected_srv_hs_fragmentation) { 2792 TEST_ASSERT(srv_pattern.counter >= 1); 2793 } 2794 /* Test if the client received a fragmented handshake */ 2795 if (expected_cli_hs_fragmentation) { 2796 TEST_ASSERT(cli_pattern.counter >= 1); 2797 } 2798 2799exit: 2800 mbedtls_test_free_handshake_options(&options); 2801} 2802/* END_CASE */ 2803 2804/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2805void renegotiation(int legacy_renegotiation) 2806{ 2807 mbedtls_test_handshake_test_options options; 2808 mbedtls_test_init_handshake_options(&options); 2809 2810 options.renegotiate = 1; 2811 options.legacy_renegotiation = legacy_renegotiation; 2812 options.dtls = 1; 2813 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2814 2815 mbedtls_test_ssl_perform_handshake(&options); 2816 2817 /* The goto below is used to avoid an "unused label" warning.*/ 2818 goto exit; 2819exit: 2820 mbedtls_test_free_handshake_options(&options); 2821} 2822/* END_CASE */ 2823 2824/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */ 2825void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation, 2826 int serialize, int dtls, char *cipher) 2827{ 2828 mbedtls_test_handshake_test_options options; 2829 mbedtls_test_init_handshake_options(&options); 2830 2831 options.mfl = mfl; 2832 options.cipher = cipher; 2833 options.renegotiate = renegotiation; 2834 options.legacy_renegotiation = legacy_renegotiation; 2835 options.serialize = serialize; 2836 options.dtls = dtls; 2837 if (dtls) { 2838 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2; 2839 } 2840 options.resize_buffers = 1; 2841 2842 mbedtls_test_ssl_perform_handshake(&options); 2843 2844 /* The goto below is used to avoid an "unused label" warning.*/ 2845 goto exit; 2846exit: 2847 mbedtls_test_free_handshake_options(&options); 2848} 2849/* END_CASE */ 2850 2851/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2852void resize_buffers_serialize_mfl(int mfl) 2853{ 2854 test_resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1, 2855 (char *) ""); 2856 /* The goto below is used to avoid an "unused label" warning.*/ 2857 goto exit; 2858} 2859/* END_CASE */ 2860 2861/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */ 2862void resize_buffers_renegotiate_mfl(int mfl, int legacy_renegotiation, 2863 char *cipher) 2864{ 2865 test_resize_buffers(mfl, 1, legacy_renegotiation, 0, 1, cipher); 2866 /* The goto below is used to avoid an "unused label" warning.*/ 2867 goto exit; 2868} 2869/* END_CASE */ 2870 2871/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 2872void test_multiple_psks() 2873{ 2874 unsigned char psk0[10] = { 0 }; 2875 unsigned char psk0_identity[] = { 'f', 'o', 'o' }; 2876 2877 unsigned char psk1[10] = { 0 }; 2878 unsigned char psk1_identity[] = { 'b', 'a', 'r' }; 2879 2880 mbedtls_ssl_config conf; 2881 2882 mbedtls_ssl_config_init(&conf); 2883 MD_OR_USE_PSA_INIT(); 2884 2885 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 2886 psk0, sizeof(psk0), 2887 psk0_identity, sizeof(psk0_identity)) == 0); 2888 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 2889 psk1, sizeof(psk1), 2890 psk1_identity, sizeof(psk1_identity)) == 2891 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 2892 2893exit: 2894 mbedtls_ssl_config_free(&conf); 2895 MD_OR_USE_PSA_DONE(); 2896} 2897/* END_CASE */ 2898 2899/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */ 2900void test_multiple_psks_opaque(int mode) 2901{ 2902 /* 2903 * Mode 0: Raw PSK, then opaque PSK 2904 * Mode 1: Opaque PSK, then raw PSK 2905 * Mode 2: 2x opaque PSK 2906 */ 2907 2908 unsigned char psk0_raw[10] = { 0 }; 2909 unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' }; 2910 2911 mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 1); 2912 2913 unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' }; 2914 2915 unsigned char psk1_raw[10] = { 0 }; 2916 unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' }; 2917 2918 mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 2); 2919 2920 unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' }; 2921 2922 mbedtls_ssl_config conf; 2923 2924 mbedtls_ssl_config_init(&conf); 2925 MD_OR_USE_PSA_INIT(); 2926 2927 switch (mode) { 2928 case 0: 2929 2930 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 2931 psk0_raw, sizeof(psk0_raw), 2932 psk0_raw_identity, sizeof(psk0_raw_identity)) 2933 == 0); 2934 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 2935 psk1_opaque, 2936 psk1_opaque_identity, 2937 sizeof(psk1_opaque_identity)) 2938 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 2939 break; 2940 2941 case 1: 2942 2943 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 2944 psk0_opaque, 2945 psk0_opaque_identity, 2946 sizeof(psk0_opaque_identity)) 2947 == 0); 2948 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf, 2949 psk1_raw, sizeof(psk1_raw), 2950 psk1_raw_identity, sizeof(psk1_raw_identity)) 2951 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 2952 2953 break; 2954 2955 case 2: 2956 2957 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 2958 psk0_opaque, 2959 psk0_opaque_identity, 2960 sizeof(psk0_opaque_identity)) 2961 == 0); 2962 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf, 2963 psk1_opaque, 2964 psk1_opaque_identity, 2965 sizeof(psk1_opaque_identity)) 2966 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE); 2967 2968 break; 2969 2970 default: 2971 TEST_ASSERT(0); 2972 break; 2973 } 2974 2975exit: 2976 mbedtls_ssl_config_free(&conf); 2977 MD_OR_USE_PSA_DONE(); 2978 2979} 2980/* END_CASE */ 2981 2982/* BEGIN_CASE */ 2983void conf_version(int endpoint, int transport, 2984 int min_tls_version, int max_tls_version, 2985 int expected_ssl_setup_result) 2986{ 2987 mbedtls_ssl_config conf; 2988 mbedtls_ssl_context ssl; 2989 2990 mbedtls_ssl_config_init(&conf); 2991 mbedtls_ssl_init(&ssl); 2992 MD_OR_USE_PSA_INIT(); 2993 2994 mbedtls_ssl_conf_endpoint(&conf, endpoint); 2995 mbedtls_ssl_conf_transport(&conf, transport); 2996 mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version); 2997 mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version); 2998 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 2999 3000 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result); 3001 TEST_EQUAL(mbedtls_ssl_conf_get_endpoint( 3002 mbedtls_ssl_context_get_config(&ssl)), endpoint); 3003 3004 mbedtls_ssl_free(&ssl); 3005 mbedtls_ssl_config_free(&conf); 3006 3007exit: 3008 MD_OR_USE_PSA_DONE(); 3009} 3010/* END_CASE */ 3011 3012/* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_ECP_HAVE_SECP224R1:MBEDTLS_ECP_HAVE_SECP256R1 */ 3013void conf_curve() 3014{ 3015 3016 mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1, 3017 MBEDTLS_ECP_DP_SECP224R1, 3018 MBEDTLS_ECP_DP_SECP256R1, 3019 MBEDTLS_ECP_DP_NONE }; 3020 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, 3021 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, 3022 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3023 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3024 3025 mbedtls_ssl_config conf; 3026 mbedtls_ssl_config_init(&conf); 3027#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3028 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3029 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3030#else 3031 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); 3032 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); 3033#endif 3034 mbedtls_ssl_conf_curves(&conf, curve_list); 3035 3036 mbedtls_ssl_context ssl; 3037 mbedtls_ssl_init(&ssl); 3038 MD_OR_USE_PSA_INIT(); 3039 3040 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3041 3042 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3043 3044 TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL); 3045 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list == NULL); 3046 3047 TEST_EQUAL(ssl.handshake-> 3048 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1], 3049 MBEDTLS_SSL_IANA_TLS_GROUP_NONE); 3050 3051 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) { 3052 TEST_EQUAL(iana_tls_group_list[i], ssl.handshake->group_list[i]); 3053 } 3054 3055exit: 3056 mbedtls_ssl_free(&ssl); 3057 mbedtls_ssl_config_free(&conf); 3058 MD_OR_USE_PSA_DONE(); 3059} 3060/* END_CASE */ 3061 3062/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */ 3063void conf_group() 3064{ 3065 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, 3066 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, 3067 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3068 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3069 3070 mbedtls_ssl_config conf; 3071 mbedtls_ssl_config_init(&conf); 3072 3073 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3074 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3075 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); 3076 3077 mbedtls_ssl_conf_groups(&conf, iana_tls_group_list); 3078 3079 mbedtls_ssl_context ssl; 3080 mbedtls_ssl_init(&ssl); 3081 MD_OR_USE_PSA_INIT(); 3082 3083 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3084 3085 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list != NULL); 3086 3087 TEST_EQUAL(ssl.conf-> 3088 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1], 3089 MBEDTLS_SSL_IANA_TLS_GROUP_NONE); 3090 3091 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) { 3092 TEST_EQUAL(iana_tls_group_list[i], ssl.conf->group_list[i]); 3093 } 3094 3095exit: 3096 mbedtls_ssl_free(&ssl); 3097 mbedtls_ssl_config_free(&conf); 3098 MD_OR_USE_PSA_DONE(); 3099} 3100/* END_CASE */ 3101 3102/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */ 3103void force_bad_session_id_len() 3104{ 3105 enum { BUFFSIZE = 1024 }; 3106 mbedtls_test_handshake_test_options options; 3107 mbedtls_test_ssl_endpoint client, server; 3108 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern; 3109 mbedtls_test_message_socket_context server_context, client_context; 3110 3111 srv_pattern.pattern = cli_pattern.pattern = "cache did not store session"; 3112 srv_pattern.counter = 0; 3113 mbedtls_test_init_handshake_options(&options); 3114 3115 options.srv_log_obj = &srv_pattern; 3116 options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 3117 3118 mbedtls_platform_zeroize(&client, sizeof(client)); 3119 mbedtls_platform_zeroize(&server, sizeof(server)); 3120 3121 mbedtls_test_message_socket_init(&server_context); 3122 mbedtls_test_message_socket_init(&client_context); 3123 MD_OR_USE_PSA_INIT(); 3124 3125 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 3126 &options, NULL, NULL, 3127 NULL) == 0); 3128 3129 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 3130 &options, NULL, NULL, NULL) == 0); 3131 3132 mbedtls_debug_set_threshold(1); 3133 mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun, 3134 options.srv_log_obj); 3135 3136 TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket), 3137 &(server.socket), 3138 BUFFSIZE) == 0); 3139 3140 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 3141 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_WRAPUP) 3142 == 0); 3143 /* Force a bad session_id_len that will be read by the server in 3144 * mbedtls_ssl_cache_set. */ 3145 server.ssl.session_negotiate->id_len = 33; 3146 if (options.cli_msg_len != 0 || options.srv_msg_len != 0) { 3147 /* Start data exchanging test */ 3148 TEST_ASSERT(mbedtls_test_ssl_exchange_data( 3149 &(client.ssl), options.cli_msg_len, 3150 options.expected_cli_fragments, 3151 &(server.ssl), options.srv_msg_len, 3152 options.expected_srv_fragments) 3153 == 0); 3154 } 3155 3156 /* Make sure that the cache did not store the session */ 3157 TEST_EQUAL(srv_pattern.counter, 1); 3158exit: 3159 mbedtls_test_ssl_endpoint_free(&client, NULL); 3160 mbedtls_test_ssl_endpoint_free(&server, NULL); 3161 mbedtls_test_free_handshake_options(&options); 3162 mbedtls_debug_set_threshold(0); 3163 MD_OR_USE_PSA_DONE(); 3164} 3165/* END_CASE */ 3166 3167/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */ 3168void cookie_parsing(data_t *cookie, int exp_ret) 3169{ 3170 mbedtls_ssl_context ssl; 3171 mbedtls_ssl_config conf; 3172 size_t len; 3173 3174 mbedtls_ssl_init(&ssl); 3175 mbedtls_ssl_config_init(&conf); 3176 USE_PSA_INIT(); 3177 3178 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER, 3179 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 3180 MBEDTLS_SSL_PRESET_DEFAULT), 3181 0); 3182 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3183 3184 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); 3185 TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id, 3186 ssl.cli_id_len, 3187 cookie->x, cookie->len, 3188 ssl.out_buf, 3189 MBEDTLS_SSL_OUT_CONTENT_LEN, 3190 &len), 3191 exp_ret); 3192 3193exit: 3194 mbedtls_ssl_free(&ssl); 3195 mbedtls_ssl_config_free(&conf); 3196 USE_PSA_DONE(); 3197} 3198/* END_CASE */ 3199 3200/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */ 3201void timing_final_delay_accessor() 3202{ 3203 mbedtls_timing_delay_context delay_context; 3204 3205 USE_PSA_INIT(); 3206 mbedtls_timing_set_delay(&delay_context, 50, 100); 3207 3208 TEST_ASSERT(mbedtls_timing_get_final_delay(&delay_context) == 100); 3209 3210exit: 3211 USE_PSA_DONE(); 3212} 3213/* END_CASE */ 3214 3215/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3216void cid_sanity() 3217{ 3218 mbedtls_ssl_context ssl; 3219 mbedtls_ssl_config conf; 3220 3221 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 3222 unsigned char test_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 3223 int cid_enabled; 3224 size_t own_cid_len; 3225 3226 mbedtls_test_rnd_std_rand(NULL, own_cid, sizeof(own_cid)); 3227 3228 mbedtls_ssl_init(&ssl); 3229 mbedtls_ssl_config_init(&conf); 3230 MD_OR_USE_PSA_INIT(); 3231 3232 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 3233 MBEDTLS_SSL_IS_CLIENT, 3234 MBEDTLS_SSL_TRANSPORT_STREAM, 3235 MBEDTLS_SSL_PRESET_DEFAULT) 3236 == 0); 3237 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3238 3239 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); 3240 3241 /* Can't use CID functions with stream transport. */ 3242 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3243 sizeof(own_cid)) 3244 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3245 3246 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3247 &own_cid_len) 3248 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3249 3250 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf, 3251 MBEDTLS_SSL_IS_CLIENT, 3252 MBEDTLS_SSL_TRANSPORT_DATAGRAM, 3253 MBEDTLS_SSL_PRESET_DEFAULT) 3254 == 0); 3255 3256 /* Attempt to set config cid size too big. */ 3257 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, MBEDTLS_SSL_CID_IN_LEN_MAX + 1, 3258 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) 3259 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3260 3261 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, sizeof(own_cid), 3262 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) 3263 == 0); 3264 3265 /* Attempt to set CID length not matching config. */ 3266 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3267 MBEDTLS_SSL_CID_IN_LEN_MAX - 1) 3268 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3269 3270 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid, 3271 sizeof(own_cid)) 3272 == 0); 3273 3274 /* Test we get back what we put in. */ 3275 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3276 &own_cid_len) 3277 == 0); 3278 3279 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_ENABLED); 3280 TEST_MEMORY_COMPARE(own_cid, own_cid_len, test_cid, own_cid_len); 3281 3282 /* Test disabling works. */ 3283 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_DISABLED, NULL, 3284 0) 3285 == 0); 3286 3287 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid, 3288 &own_cid_len) 3289 == 0); 3290 3291 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_DISABLED); 3292 3293exit: 3294 mbedtls_ssl_free(&ssl); 3295 mbedtls_ssl_config_free(&conf); 3296 MD_OR_USE_PSA_DONE(); 3297} 3298/* END_CASE */ 3299 3300/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SOME */ 3301void raw_key_agreement_fail(int bad_server_ecdhe_key) 3302{ 3303 enum { BUFFSIZE = 17000 }; 3304 mbedtls_test_ssl_endpoint client, server; 3305 mbedtls_psa_stats_t stats; 3306 size_t free_slots_before = -1; 3307 mbedtls_test_handshake_test_options client_options, server_options; 3308 mbedtls_test_init_handshake_options(&client_options); 3309 mbedtls_test_init_handshake_options(&server_options); 3310 3311 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3312 MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; 3313 MD_OR_USE_PSA_INIT(); 3314 mbedtls_platform_zeroize(&client, sizeof(client)); 3315 mbedtls_platform_zeroize(&server, sizeof(server)); 3316 3317 /* Client side, force SECP256R1 to make one key bitflip fail 3318 * the raw key agreement. Flipping the first byte makes the 3319 * required 0x04 identifier invalid. */ 3320 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3321 client_options.group_list = iana_tls_group_list; 3322 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT, 3323 &client_options, NULL, NULL, 3324 NULL), 0); 3325 3326 /* Server side */ 3327 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3328 server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; 3329 server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; 3330 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER, 3331 &server_options, NULL, NULL, 3332 NULL), 0); 3333 3334 TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket), 3335 &(server.socket), 3336 BUFFSIZE), 0); 3337 3338 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3339 &(client.ssl), &(server.ssl), 3340 MBEDTLS_SSL_CLIENT_KEY_EXCHANGE), 0); 3341 3342 mbedtls_psa_get_stats(&stats); 3343 /* Save the number of slots in use up to this point. 3344 * With PSA, one can be used for the ECDH private key. */ 3345 free_slots_before = stats.empty_slots; 3346 3347 if (bad_server_ecdhe_key) { 3348 /* Force a simulated bitflip in the server key. to make the 3349 * raw key agreement in ssl_write_client_key_exchange fail. */ 3350 (client.ssl).handshake->xxdh_psa_peerkey[0] ^= 0x02; 3351 } 3352 3353 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3354 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_OVER), 3355 bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0); 3356 3357 mbedtls_psa_get_stats(&stats); 3358 3359 /* Make sure that the key slot is already destroyed in case of failure, 3360 * without waiting to close the connection. */ 3361 if (bad_server_ecdhe_key) { 3362 TEST_EQUAL(free_slots_before, stats.empty_slots); 3363 } 3364 3365exit: 3366 mbedtls_test_ssl_endpoint_free(&client, NULL); 3367 mbedtls_test_ssl_endpoint_free(&server, NULL); 3368 mbedtls_test_free_handshake_options(&client_options); 3369 mbedtls_test_free_handshake_options(&server_options); 3370 3371 MD_OR_USE_PSA_DONE(); 3372} 3373/* END_CASE */ 3374/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_ECP_HAVE_SECP384R1 */ 3375void tls13_server_certificate_msg_invalid_vector_len() 3376{ 3377 int ret = -1; 3378 mbedtls_test_ssl_endpoint client_ep, server_ep; 3379 unsigned char *buf, *end; 3380 size_t buf_len; 3381 int step = 0; 3382 int expected_result; 3383 mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args; 3384 mbedtls_test_handshake_test_options client_options; 3385 mbedtls_test_handshake_test_options server_options; 3386 3387 /* 3388 * Test set-up 3389 */ 3390 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 3391 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 3392 3393 mbedtls_test_init_handshake_options(&client_options); 3394 MD_OR_USE_PSA_INIT(); 3395 3396 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3397 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 3398 &client_options, NULL, NULL, NULL); 3399 TEST_EQUAL(ret, 0); 3400 3401 mbedtls_test_init_handshake_options(&server_options); 3402 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3403 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 3404 &server_options, NULL, NULL, NULL); 3405 TEST_EQUAL(ret, 0); 3406 3407 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 3408 &(server_ep.socket), 1024); 3409 TEST_EQUAL(ret, 0); 3410 3411 while (1) { 3412 mbedtls_test_set_step(++step); 3413 3414 ret = mbedtls_test_move_handshake_to_state( 3415 &(server_ep.ssl), &(client_ep.ssl), 3416 MBEDTLS_SSL_CERTIFICATE_VERIFY); 3417 TEST_EQUAL(ret, 0); 3418 3419 ret = mbedtls_ssl_flush_output(&(server_ep.ssl)); 3420 TEST_EQUAL(ret, 0); 3421 3422 ret = mbedtls_test_move_handshake_to_state( 3423 &(client_ep.ssl), &(server_ep.ssl), 3424 MBEDTLS_SSL_SERVER_CERTIFICATE); 3425 TEST_EQUAL(ret, 0); 3426 3427 ret = mbedtls_ssl_tls13_fetch_handshake_msg(&(client_ep.ssl), 3428 MBEDTLS_SSL_HS_CERTIFICATE, 3429 &buf, &buf_len); 3430 TEST_EQUAL(ret, 0); 3431 3432 end = buf + buf_len; 3433 3434 /* 3435 * Tweak server Certificate message and parse it. 3436 */ 3437 3438 ret = mbedtls_test_tweak_tls13_certificate_msg_vector_len( 3439 buf, &end, step, &expected_result, &expected_chk_buf_ptr_args); 3440 3441 if (ret != 0) { 3442 break; 3443 } 3444 3445 ret = mbedtls_ssl_tls13_parse_certificate(&(client_ep.ssl), buf, end); 3446 TEST_EQUAL(ret, expected_result); 3447 3448 TEST_ASSERT(mbedtls_ssl_cmp_chk_buf_ptr_fail_args( 3449 &expected_chk_buf_ptr_args) == 0); 3450 3451 mbedtls_ssl_reset_chk_buf_ptr_fail_args(); 3452 3453 ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); 3454 TEST_EQUAL(ret, 0); 3455 3456 ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); 3457 TEST_EQUAL(ret, 0); 3458 } 3459 3460exit: 3461 mbedtls_ssl_reset_chk_buf_ptr_fail_args(); 3462 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 3463 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 3464 mbedtls_test_free_handshake_options(&client_options); 3465 mbedtls_test_free_handshake_options(&server_options); 3466 MD_OR_USE_PSA_DONE(); 3467} 3468/* END_CASE */ 3469 3470/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 3471void ssl_ecjpake_set_password(int use_opaque_arg) 3472{ 3473 mbedtls_ssl_context ssl; 3474 mbedtls_ssl_config conf; 3475#if defined(MBEDTLS_USE_PSA_CRYPTO) 3476 mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT; 3477#else /* MBEDTLS_USE_PSA_CRYPTO */ 3478 (void) use_opaque_arg; 3479#endif /* MBEDTLS_USE_PSA_CRYPTO */ 3480 unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = ""; 3481 size_t pwd_len = 0; 3482 int ret; 3483 3484 mbedtls_ssl_init(&ssl); 3485 MD_OR_USE_PSA_INIT(); 3486 3487 /* test with uninitalized SSL context */ 3488 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3489 3490 mbedtls_ssl_config_init(&conf); 3491 3492 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, 3493 MBEDTLS_SSL_IS_CLIENT, 3494 MBEDTLS_SSL_TRANSPORT_STREAM, 3495 MBEDTLS_SSL_PRESET_DEFAULT), 0); 3496 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); 3497 3498 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0); 3499 3500 /* test with empty password or unitialized password key (depending on use_opaque_arg) */ 3501 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 3502 3503 pwd_len = strlen(ECJPAKE_TEST_PWD); 3504 memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len); 3505 3506#if defined(MBEDTLS_USE_PSA_CRYPTO) 3507 if (use_opaque_arg) { 3508 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 3509 psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT; 3510 3511 /* First try with an invalid usage */ 3512 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); 3513 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 3514 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 3515 3516 PSA_ASSERT(psa_import_key(&attributes, pwd_string, 3517 pwd_len, &pwd_slot)); 3518 3519 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED); 3520 3521 /* check that the opaque key is still valid after failure */ 3522 TEST_EQUAL(psa_get_key_attributes(pwd_slot, &check_attributes), 3523 PSA_SUCCESS); 3524 3525 psa_destroy_key(pwd_slot); 3526 3527 /* Then set the correct usage */ 3528 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 3529 3530 PSA_ASSERT(psa_import_key(&attributes, pwd_string, 3531 pwd_len, &pwd_slot)); 3532 } 3533#endif /* MBEDTLS_USE_PSA_CRYPTO */ 3534 3535 /* final check which should work without errors */ 3536 ECJPAKE_TEST_SET_PASSWORD(0); 3537 3538#if defined(MBEDTLS_USE_PSA_CRYPTO) 3539 if (use_opaque_arg) { 3540 psa_destroy_key(pwd_slot); 3541 } 3542#endif /* MBEDTLS_USE_PSA_CRYPTO */ 3543 mbedtls_ssl_free(&ssl); 3544 mbedtls_ssl_config_free(&conf); 3545 3546 MD_OR_USE_PSA_DONE(); 3547} 3548/* END_CASE */ 3549 3550/* BEGIN_CASE */ 3551void elliptic_curve_get_properties() 3552{ 3553 psa_key_type_t psa_type = PSA_KEY_TYPE_NONE; 3554 size_t psa_bits; 3555 3556 MD_OR_USE_PSA_INIT(); 3557 3558#if defined(MBEDTLS_ECP_HAVE_SECP521R1) || defined(PSA_WANT_ECC_SECP_R1_521) 3559 TEST_AVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521); 3560#else 3561 TEST_UNAVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521); 3562#endif 3563#if defined(MBEDTLS_ECP_HAVE_BP512R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) 3564 TEST_AVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512); 3565#else 3566 TEST_UNAVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512); 3567#endif 3568#if defined(MBEDTLS_ECP_HAVE_SECP384R1) || defined(PSA_WANT_ECC_SECP_R1_384) 3569 TEST_AVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384); 3570#else 3571 TEST_UNAVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384); 3572#endif 3573#if defined(MBEDTLS_ECP_HAVE_BP384R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) 3574 TEST_AVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384); 3575#else 3576 TEST_UNAVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384); 3577#endif 3578#if defined(MBEDTLS_ECP_HAVE_SECP256R1) || defined(PSA_WANT_ECC_SECP_R1_256) 3579 TEST_AVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256); 3580#else 3581 TEST_UNAVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256); 3582#endif 3583#if defined(MBEDTLS_ECP_HAVE_SECP256K1) || defined(PSA_WANT_ECC_SECP_K1_256) 3584 TEST_AVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256); 3585#else 3586 TEST_UNAVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256); 3587#endif 3588#if defined(MBEDTLS_ECP_HAVE_BP256R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) 3589 TEST_AVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); 3590#else 3591 TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); 3592#endif 3593#if defined(MBEDTLS_ECP_HAVE_SECP224R1) || defined(PSA_WANT_ECC_SECP_R1_224) 3594 TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); 3595#else 3596 TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); 3597#endif 3598#if defined(MBEDTLS_ECP_HAVE_SECP224K1) || defined(PSA_WANT_ECC_SECP_K1_224) 3599 TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); 3600#else 3601 TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224); 3602#endif 3603#if defined(MBEDTLS_ECP_HAVE_SECP192R1) || defined(PSA_WANT_ECC_SECP_R1_192) 3604 TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); 3605#else 3606 TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); 3607#endif 3608#if defined(MBEDTLS_ECP_HAVE_SECP192K1) || defined(PSA_WANT_ECC_SECP_K1_192) 3609 TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); 3610#else 3611 TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); 3612#endif 3613#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(PSA_WANT_ECC_MONTGOMERY_255) 3614 TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); 3615#else 3616 TEST_UNAVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); 3617#endif 3618#if defined(MBEDTLS_ECP_HAVE_CURVE448) || defined(PSA_WANT_ECC_MONTGOMERY_448) 3619 TEST_AVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448); 3620#else 3621 TEST_UNAVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448); 3622#endif 3623 goto exit; 3624exit: 3625 MD_OR_USE_PSA_DONE(); 3626} 3627/* END_CASE */ 3628 3629/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 3630void tls13_resume_session_with_ticket() 3631{ 3632 int ret = -1; 3633 mbedtls_test_ssl_endpoint client_ep, server_ep; 3634 mbedtls_test_handshake_test_options client_options; 3635 mbedtls_test_handshake_test_options server_options; 3636 mbedtls_ssl_session saved_session; 3637 3638 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 3639 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 3640 mbedtls_test_init_handshake_options(&client_options); 3641 mbedtls_test_init_handshake_options(&server_options); 3642 mbedtls_ssl_session_init(&saved_session); 3643 3644 PSA_INIT(); 3645 3646 /* 3647 * Run first handshake to get a ticket from the server. 3648 */ 3649 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3650 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3651 3652 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 3653 &saved_session); 3654 TEST_EQUAL(ret, 0); 3655 3656 /* 3657 * Prepare for handshake with the ticket. 3658 */ 3659 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 3660 &client_options, NULL, NULL, NULL); 3661 TEST_EQUAL(ret, 0); 3662 3663 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 3664 &server_options, NULL, NULL, NULL); 3665 TEST_EQUAL(ret, 0); 3666 3667 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 3668 mbedtls_test_ticket_write, 3669 mbedtls_test_ticket_parse, 3670 NULL); 3671 TEST_EQUAL(ret, 0); 3672 3673 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 3674 &(server_ep.socket), 1024); 3675 TEST_EQUAL(ret, 0); 3676 3677 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 3678 TEST_EQUAL(ret, 0); 3679 3680 /* 3681 * Handshake with ticket. 3682 * 3683 * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not 3684 * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks 3685 * below. 3686 */ 3687 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3688 &(server_ep.ssl), &(client_ep.ssl), 3689 MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0); 3690 3691 TEST_EQUAL(server_ep.ssl.handshake->resume, 1); 3692 TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1); 3693 TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode, 3694 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 3695 3696exit: 3697 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 3698 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 3699 mbedtls_test_free_handshake_options(&client_options); 3700 mbedtls_test_free_handshake_options(&server_options); 3701 mbedtls_ssl_session_free(&saved_session); 3702 PSA_DONE(); 3703} 3704/* END_CASE */ 3705 3706/* 3707 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is 3708 * a temporary workaround to not run the test in Windows-2013 where there is 3709 * an issue with mbedtls_vsnprintf(). 3710 */ 3711/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 3712void tls13_read_early_data(int scenario) 3713{ 3714 int ret = -1; 3715 unsigned char buf[64]; 3716 const char *early_data = "This is early data."; 3717 size_t early_data_len = strlen(early_data); 3718 mbedtls_test_ssl_endpoint client_ep, server_ep; 3719 mbedtls_test_handshake_test_options client_options; 3720 mbedtls_test_handshake_test_options server_options; 3721 mbedtls_ssl_session saved_session; 3722 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; 3723 uint16_t group_list[3] = { 3724 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3725 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 3726 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 3727 }; 3728 3729 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 3730 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 3731 mbedtls_test_init_handshake_options(&client_options); 3732 mbedtls_test_init_handshake_options(&server_options); 3733 mbedtls_ssl_session_init(&saved_session); 3734 3735 PSA_INIT(); 3736 3737 /* 3738 * Run first handshake to get a ticket from the server. 3739 */ 3740 3741 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3742 client_options.group_list = group_list; 3743 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 3744 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3745 server_options.group_list = group_list; 3746 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 3747 3748#if defined(MBEDTLS_SSL_ALPN) 3749 switch (scenario) { 3750 case TEST_EARLY_DATA_SAME_ALPN: 3751 case TEST_EARLY_DATA_DIFF_ALPN: 3752 case TEST_EARLY_DATA_NO_LATER_ALPN: 3753 client_options.alpn_list[0] = "ALPNExample"; 3754 client_options.alpn_list[1] = NULL; 3755 server_options.alpn_list[0] = "ALPNExample"; 3756 server_options.alpn_list[1] = NULL; 3757 break; 3758 } 3759#endif 3760 3761 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 3762 &saved_session); 3763 TEST_EQUAL(ret, 0); 3764 3765 /* 3766 * Prepare for handshake with the ticket. 3767 */ 3768 switch (scenario) { 3769 case TEST_EARLY_DATA_ACCEPTED: 3770 break; 3771 3772 case TEST_EARLY_DATA_NO_INDICATION_SENT: 3773 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 3774 break; 3775 3776 case TEST_EARLY_DATA_SERVER_REJECTS: 3777 mbedtls_debug_set_threshold(3); 3778 server_pattern.pattern = 3779 "EarlyData: deprotect and discard app data records."; 3780 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 3781 break; 3782 3783 case TEST_EARLY_DATA_HRR: 3784 mbedtls_debug_set_threshold(3); 3785 server_pattern.pattern = 3786 "EarlyData: Ignore application message before 2nd ClientHello"; 3787 server_options.group_list = group_list + 1; 3788 break; 3789#if defined(MBEDTLS_SSL_ALPN) 3790 case TEST_EARLY_DATA_SAME_ALPN: 3791 client_options.alpn_list[0] = "ALPNExample"; 3792 client_options.alpn_list[1] = NULL; 3793 server_options.alpn_list[0] = "ALPNExample"; 3794 server_options.alpn_list[1] = NULL; 3795 break; 3796 case TEST_EARLY_DATA_DIFF_ALPN: 3797 case TEST_EARLY_DATA_NO_INITIAL_ALPN: 3798 client_options.alpn_list[0] = "ALPNExample2"; 3799 client_options.alpn_list[1] = NULL; 3800 server_options.alpn_list[0] = "ALPNExample2"; 3801 server_options.alpn_list[1] = NULL; 3802 mbedtls_debug_set_threshold(3); 3803 server_pattern.pattern = 3804 "EarlyData: rejected, the selected ALPN is different " 3805 "from the one associated with the pre-shared key."; 3806 break; 3807 case TEST_EARLY_DATA_NO_LATER_ALPN: 3808 client_options.alpn_list[0] = NULL; 3809 server_options.alpn_list[0] = NULL; 3810 mbedtls_debug_set_threshold(3); 3811 server_pattern.pattern = 3812 "EarlyData: rejected, the selected ALPN is different " 3813 "from the one associated with the pre-shared key."; 3814 break; 3815#endif 3816 3817 default: 3818 TEST_FAIL("Unknown scenario."); 3819 } 3820 3821 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 3822 &client_options, NULL, NULL, NULL); 3823 TEST_EQUAL(ret, 0); 3824 3825 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 3826 server_options.srv_log_obj = &server_pattern; 3827 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 3828 &server_options, NULL, NULL, NULL); 3829 TEST_EQUAL(ret, 0); 3830 3831 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 3832 mbedtls_test_ticket_write, 3833 mbedtls_test_ticket_parse, 3834 NULL); 3835 3836 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 3837 &(server_ep.socket), 1024); 3838 TEST_EQUAL(ret, 0); 3839 3840 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 3841 TEST_EQUAL(ret, 0); 3842 3843 /* 3844 * Handshake with ticket and send early data. 3845 */ 3846 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3847 &(client_ep.ssl), &(server_ep.ssl), 3848 MBEDTLS_SSL_SERVER_HELLO), 0); 3849 3850 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 3851 (unsigned char *) early_data, 3852 early_data_len); 3853 3854 if (client_ep.ssl.early_data_state != 3855 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) { 3856 TEST_EQUAL(ret, early_data_len); 3857 } else { 3858 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 3859 } 3860 3861 ret = mbedtls_test_move_handshake_to_state( 3862 &(server_ep.ssl), &(client_ep.ssl), 3863 MBEDTLS_SSL_HANDSHAKE_WRAPUP); 3864 3865 switch (scenario) { 3866 case TEST_EARLY_DATA_ACCEPTED: 3867#if defined(MBEDTLS_SSL_ALPN) 3868 case TEST_EARLY_DATA_SAME_ALPN: 3869#endif 3870 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 3871 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1); 3872 TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl), 3873 buf, sizeof(buf)), early_data_len); 3874 TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len); 3875 break; 3876 3877 case TEST_EARLY_DATA_NO_INDICATION_SENT: 3878 TEST_EQUAL(ret, 0); 3879 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); 3880 break; 3881 3882 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 3883 case TEST_EARLY_DATA_HRR: 3884#if defined(MBEDTLS_SSL_ALPN) 3885 case TEST_EARLY_DATA_DIFF_ALPN: 3886 case TEST_EARLY_DATA_NO_INITIAL_ALPN: 3887 case TEST_EARLY_DATA_NO_LATER_ALPN: 3888#endif 3889 TEST_EQUAL(ret, 0); 3890 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0); 3891 TEST_EQUAL(server_pattern.counter, 1); 3892 break; 3893 3894 default: 3895 TEST_FAIL("Unknown scenario."); 3896 } 3897 3898 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 3899 &(server_ep.ssl), &(client_ep.ssl), 3900 MBEDTLS_SSL_HANDSHAKE_OVER), 0); 3901 3902exit: 3903 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 3904 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 3905 mbedtls_test_free_handshake_options(&client_options); 3906 mbedtls_test_free_handshake_options(&server_options); 3907 mbedtls_ssl_session_free(&saved_session); 3908 mbedtls_debug_set_threshold(0); 3909 PSA_DONE(); 3910} 3911/* END_CASE */ 3912 3913/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 3914void tls13_cli_early_data_state(int scenario) 3915{ 3916 int ret = -1; 3917 mbedtls_test_ssl_endpoint client_ep, server_ep; 3918 mbedtls_test_handshake_test_options client_options; 3919 mbedtls_test_handshake_test_options server_options; 3920 mbedtls_ssl_session saved_session; 3921 uint16_t group_list[3] = { 3922 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 3923 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 3924 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 3925 }; 3926 uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 3927 3928 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 3929 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 3930 mbedtls_test_init_handshake_options(&client_options); 3931 mbedtls_test_init_handshake_options(&server_options); 3932 mbedtls_ssl_session_init(&saved_session); 3933 3934 PSA_INIT(); 3935 3936 /* 3937 * Run first handshake to get a ticket from the server. 3938 */ 3939 client_options.pk_alg = MBEDTLS_PK_ECDSA; 3940 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 3941 server_options.pk_alg = MBEDTLS_PK_ECDSA; 3942 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 3943 if (scenario == TEST_EARLY_DATA_HRR) { 3944 client_options.group_list = group_list; 3945 server_options.group_list = group_list; 3946 } 3947 3948 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 3949 &saved_session); 3950 TEST_EQUAL(ret, 0); 3951 3952 /* 3953 * Prepare for handshake with the ticket. 3954 */ 3955 switch (scenario) { 3956 case TEST_EARLY_DATA_ACCEPTED: 3957 break; 3958 3959 case TEST_EARLY_DATA_NO_INDICATION_SENT: 3960 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 3961 break; 3962 3963 case TEST_EARLY_DATA_SERVER_REJECTS: 3964 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 3965 break; 3966 3967 case TEST_EARLY_DATA_HRR: 3968 server_options.group_list = group_list + 1; 3969 break; 3970 3971 default: 3972 TEST_FAIL("Unknown scenario."); 3973 } 3974 3975 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 3976 &client_options, NULL, NULL, NULL); 3977 TEST_EQUAL(ret, 0); 3978 3979 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 3980 &server_options, NULL, NULL, NULL); 3981 TEST_EQUAL(ret, 0); 3982 3983 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 3984 mbedtls_test_ticket_write, 3985 mbedtls_test_ticket_parse, 3986 NULL); 3987 3988 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 3989 &(server_ep.socket), 1024); 3990 TEST_EQUAL(ret, 0); 3991 3992 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 3993 TEST_EQUAL(ret, 0); 3994 3995 /* 3996 * Go through the handshake sequence, state by state, checking the early 3997 * data status each time. 3998 */ 3999 do { 4000 int state = client_ep.ssl.state; 4001 4002 /* Progress the handshake from at least one state */ 4003 while (client_ep.ssl.state == state) { 4004 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); 4005 TEST_ASSERT((ret == 0) || 4006 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4007 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4008 if (client_ep.ssl.state != state) { 4009 break; 4010 } 4011 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); 4012 TEST_ASSERT((ret == 0) || 4013 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4014 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4015 } 4016 4017 if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) { 4018 TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)), 4019 MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 4020 } 4021 4022 switch (client_ep.ssl.state) { 4023 case MBEDTLS_SSL_CLIENT_HELLO: 4024 switch (scenario) { 4025 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4026 case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */ 4027 case TEST_EARLY_DATA_SERVER_REJECTS: 4028 TEST_EQUAL(client_ep.ssl.early_data_state, 4029 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE); 4030 break; 4031 4032 case TEST_EARLY_DATA_HRR: 4033 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4034 TEST_EQUAL(client_ep.ssl.early_data_state, 4035 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE); 4036 } else { 4037 TEST_EQUAL(client_ep.ssl.early_data_state, 4038 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4039 } 4040 break; 4041 4042 default: 4043 TEST_FAIL("Unknown scenario."); 4044 } 4045 break; 4046 4047 case MBEDTLS_SSL_SERVER_HELLO: 4048 switch (scenario) { 4049 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4050 case TEST_EARLY_DATA_SERVER_REJECTS: 4051 TEST_EQUAL(client_ep.ssl.early_data_state, 4052 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4053 break; 4054 4055 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4056 TEST_EQUAL(client_ep.ssl.early_data_state, 4057 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4058 break; 4059 4060 case TEST_EARLY_DATA_HRR: 4061 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4062 TEST_EQUAL(client_ep.ssl.early_data_state, 4063 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4064 memcpy(client_random, 4065 client_ep.ssl.handshake->randbytes, 4066 MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 4067 } else { 4068 TEST_EQUAL(client_ep.ssl.early_data_state, 4069 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4070 TEST_MEMORY_COMPARE(client_random, 4071 MBEDTLS_CLIENT_HELLO_RANDOM_LEN, 4072 client_ep.ssl.handshake->randbytes, 4073 MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 4074 } 4075 break; 4076 4077 default: 4078 TEST_FAIL("Unknown scenario."); 4079 } 4080 break; 4081 4082 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: 4083 switch (scenario) { 4084 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4085 case TEST_EARLY_DATA_SERVER_REJECTS: 4086 TEST_EQUAL(client_ep.ssl.early_data_state, 4087 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4088 break; 4089 4090 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4091 TEST_EQUAL(client_ep.ssl.early_data_state, 4092 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4093 break; 4094 4095 case TEST_EARLY_DATA_HRR: 4096 TEST_EQUAL(client_ep.ssl.early_data_state, 4097 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4098 break; 4099 4100 default: 4101 TEST_FAIL("Unknown scenario."); 4102 } 4103 break; 4104 4105 case MBEDTLS_SSL_SERVER_FINISHED: 4106 switch (scenario) { 4107 case TEST_EARLY_DATA_ACCEPTED: 4108 TEST_EQUAL(client_ep.ssl.early_data_state, 4109 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED); 4110 break; 4111 4112 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4113 TEST_EQUAL(client_ep.ssl.early_data_state, 4114 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4115 break; 4116 4117 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4118 case TEST_EARLY_DATA_HRR: 4119 TEST_EQUAL(client_ep.ssl.early_data_state, 4120 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4121 break; 4122 4123 default: 4124 TEST_FAIL("Unknown scenario."); 4125 } 4126 break; 4127 4128 case MBEDTLS_SSL_END_OF_EARLY_DATA: 4129 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); 4130 TEST_EQUAL(client_ep.ssl.early_data_state, 4131 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4132 break; 4133 4134 case MBEDTLS_SSL_CLIENT_CERTIFICATE: 4135 switch (scenario) { 4136 case TEST_EARLY_DATA_ACCEPTED: 4137 TEST_EQUAL(client_ep.ssl.early_data_state, 4138 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4139 break; 4140 4141 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4142 TEST_EQUAL(client_ep.ssl.early_data_state, 4143 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4144 break; 4145 4146 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4147 case TEST_EARLY_DATA_HRR: 4148 TEST_EQUAL(client_ep.ssl.early_data_state, 4149 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4150 break; 4151 4152 default: 4153 TEST_FAIL("Unknown scenario."); 4154 } 4155 break; 4156 4157 case MBEDTLS_SSL_CLIENT_FINISHED: 4158 switch (scenario) { 4159 case TEST_EARLY_DATA_ACCEPTED: 4160 TEST_EQUAL(client_ep.ssl.early_data_state, 4161 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4162 break; 4163 4164 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4165 TEST_EQUAL(client_ep.ssl.early_data_state, 4166 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4167 break; 4168 4169 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4170 case TEST_EARLY_DATA_HRR: 4171 TEST_EQUAL(client_ep.ssl.early_data_state, 4172 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4173 break; 4174 4175 default: 4176 TEST_FAIL("Unknown scenario."); 4177 } 4178 break; 4179 4180#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4181 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: 4182 switch (scenario) { 4183 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4184 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4185 case TEST_EARLY_DATA_HRR: 4186 TEST_EQUAL(client_ep.ssl.early_data_state, 4187 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT); 4188 break; 4189 4190 default: 4191 TEST_FAIL("Unexpected or unknown scenario."); 4192 } 4193 break; 4194 4195 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: 4196 TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR); 4197 TEST_EQUAL(client_ep.ssl.early_data_state, 4198 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4199 break; 4200 4201 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: 4202 switch (scenario) { 4203 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4204 TEST_EQUAL(client_ep.ssl.early_data_state, 4205 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4206 break; 4207 4208 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4209 case TEST_EARLY_DATA_HRR: 4210 TEST_EQUAL(client_ep.ssl.early_data_state, 4211 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4212 break; 4213 4214 default: 4215 TEST_FAIL("Unexpected or unknown scenario."); 4216 } 4217 break; 4218#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 4219 4220 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ 4221 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ 4222 case MBEDTLS_SSL_HANDSHAKE_OVER: 4223 switch (scenario) { 4224 case TEST_EARLY_DATA_ACCEPTED: 4225 TEST_EQUAL(client_ep.ssl.early_data_state, 4226 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED); 4227 break; 4228 4229 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4230 TEST_EQUAL(client_ep.ssl.early_data_state, 4231 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4232 break; 4233 4234 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4235 case TEST_EARLY_DATA_HRR: 4236 TEST_EQUAL(client_ep.ssl.early_data_state, 4237 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED); 4238 break; 4239 4240 default: 4241 TEST_FAIL("Unknown scenario."); 4242 } 4243 break; 4244 4245 default: 4246 TEST_FAIL("Unexpected state."); 4247 } 4248 } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER); 4249 4250 ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl)); 4251 switch (scenario) { 4252 case TEST_EARLY_DATA_ACCEPTED: 4253 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED); 4254 break; 4255 4256 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4257 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED); 4258 break; 4259 4260 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4261 case TEST_EARLY_DATA_HRR: 4262 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED); 4263 break; 4264 4265 default: 4266 TEST_FAIL("Unknown scenario."); 4267 } 4268 4269 ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl)); 4270 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA); 4271 4272#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4273 TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1); 4274#endif 4275 4276exit: 4277 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4278 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4279 mbedtls_test_free_handshake_options(&client_options); 4280 mbedtls_test_free_handshake_options(&server_options); 4281 mbedtls_ssl_session_free(&saved_session); 4282 PSA_DONE(); 4283} 4284/* END_CASE */ 4285 4286/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4287void tls13_write_early_data(int scenario) 4288{ 4289 int ret = -1; 4290 mbedtls_test_ssl_endpoint client_ep, server_ep; 4291 mbedtls_test_handshake_test_options client_options; 4292 mbedtls_test_handshake_test_options server_options; 4293 mbedtls_ssl_session saved_session; 4294 uint16_t group_list[3] = { 4295 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4296 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4297 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4298 }; 4299 int beyond_first_hello = 0; 4300 4301 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 4302 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 4303 mbedtls_test_init_handshake_options(&client_options); 4304 mbedtls_test_init_handshake_options(&server_options); 4305 mbedtls_ssl_session_init(&saved_session); 4306 4307 PSA_INIT(); 4308 4309 /* 4310 * Run first handshake to get a ticket from the server. 4311 */ 4312 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4313 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4314 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4315 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4316 if (scenario == TEST_EARLY_DATA_HRR) { 4317 client_options.group_list = group_list; 4318 server_options.group_list = group_list; 4319 } 4320 4321 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4322 &saved_session); 4323 TEST_EQUAL(ret, 0); 4324 4325 /* 4326 * Prepare for handshake with the ticket. 4327 */ 4328 switch (scenario) { 4329 case TEST_EARLY_DATA_ACCEPTED: 4330 break; 4331 4332 case TEST_EARLY_DATA_NO_INDICATION_SENT: 4333 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4334 break; 4335 4336 case TEST_EARLY_DATA_SERVER_REJECTS: 4337 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4338 break; 4339 4340 case TEST_EARLY_DATA_HRR: 4341 /* 4342 * Remove server support for the group negotiated in 4343 * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest. 4344 */ 4345 server_options.group_list = group_list + 1; 4346 break; 4347 4348 default: 4349 TEST_FAIL("Unknown scenario."); 4350 } 4351 4352 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4353 &client_options, NULL, NULL, NULL); 4354 TEST_EQUAL(ret, 0); 4355 4356 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4357 &server_options, NULL, NULL, NULL); 4358 TEST_EQUAL(ret, 0); 4359 4360 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4361 mbedtls_test_ticket_write, 4362 mbedtls_test_ticket_parse, 4363 NULL); 4364 4365 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4366 &(server_ep.socket), 1024); 4367 TEST_EQUAL(ret, 0); 4368 4369 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4370 TEST_EQUAL(ret, 0); 4371 4372 /* 4373 * Run handshakes going one state further in the handshake sequence at each 4374 * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER 4375 * state. For each reached handshake state, check the result of the call 4376 * to mbedtls_ssl_write_early_data(), make sure we can complete the 4377 * handshake successfully and then reset the connection to restart the 4378 * handshake from scratch. 4379 */ 4380 do { 4381 int client_state = client_ep.ssl.state; 4382 int previous_client_state; 4383 const char *early_data_string = "This is early data."; 4384 const unsigned char *early_data = (const unsigned char *) early_data_string; 4385 size_t early_data_len = strlen(early_data_string); 4386 int write_early_data_ret, read_early_data_ret; 4387 unsigned char read_buf[64]; 4388 4389 write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 4390 early_data, 4391 early_data_len); 4392 4393 if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) { 4394 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4395 TEST_EQUAL(client_ep.ssl.state, client_state); 4396 goto complete_handshake; 4397 } 4398 4399 switch (client_state) { 4400 case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */ 4401 case MBEDTLS_SSL_CLIENT_HELLO: 4402 switch (scenario) { 4403 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4404 case TEST_EARLY_DATA_SERVER_REJECTS: 4405 TEST_EQUAL(write_early_data_ret, early_data_len); 4406 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4407 break; 4408 4409 case TEST_EARLY_DATA_HRR: 4410 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4411 TEST_EQUAL(write_early_data_ret, early_data_len); 4412 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4413 } else { 4414 beyond_first_hello = 1; 4415 TEST_EQUAL(write_early_data_ret, 4416 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4417 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO); 4418 } 4419 break; 4420 4421 default: 4422 TEST_FAIL("Unknown scenario."); 4423 } 4424 break; 4425 4426 case MBEDTLS_SSL_SERVER_HELLO: 4427 switch (scenario) { 4428 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4429 case TEST_EARLY_DATA_SERVER_REJECTS: 4430 TEST_EQUAL(write_early_data_ret, early_data_len); 4431 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4432 break; 4433 4434 case TEST_EARLY_DATA_HRR: 4435 if (!client_ep.ssl.handshake->hello_retry_request_flag) { 4436 TEST_EQUAL(write_early_data_ret, early_data_len); 4437 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4438 } else { 4439 TEST_EQUAL(write_early_data_ret, 4440 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4441 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4442 } 4443 break; 4444 4445 default: 4446 TEST_FAIL("Unknown scenario."); 4447 } 4448 break; 4449 4450 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS: 4451 switch (scenario) { 4452 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4453 case TEST_EARLY_DATA_SERVER_REJECTS: 4454 TEST_EQUAL(write_early_data_ret, early_data_len); 4455 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 4456 break; 4457 4458 case TEST_EARLY_DATA_HRR: 4459 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4460 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS); 4461 break; 4462 4463 default: 4464 TEST_FAIL("Unknown scenario."); 4465 } 4466 break; 4467 4468 case MBEDTLS_SSL_SERVER_FINISHED: 4469 switch (scenario) { 4470 case TEST_EARLY_DATA_ACCEPTED: 4471 TEST_EQUAL(write_early_data_ret, early_data_len); 4472 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4473 break; 4474 4475 case TEST_EARLY_DATA_SERVER_REJECTS: 4476 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4477 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4478 break; 4479 4480 case TEST_EARLY_DATA_HRR: 4481 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4482 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED); 4483 break; 4484 4485 default: 4486 TEST_FAIL("Unknown scenario."); 4487 } 4488 break; 4489 4490 case MBEDTLS_SSL_END_OF_EARLY_DATA: 4491 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED); 4492 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4493 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA); 4494 break; 4495 4496#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 4497 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: 4498 switch (scenario) { 4499 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4500 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4501 case TEST_EARLY_DATA_HRR: 4502 TEST_EQUAL(write_early_data_ret, early_data_len); 4503 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO); 4504 break; 4505 default: 4506 TEST_FAIL("Unknown scenario."); 4507 } 4508 break; 4509 4510 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO: 4511 TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR); 4512 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4513 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO); 4514 break; 4515 4516 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: 4517 switch (scenario) { 4518 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4519 case TEST_EARLY_DATA_HRR: 4520 TEST_EQUAL(write_early_data_ret, 4521 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4522 TEST_EQUAL(client_ep.ssl.state, 4523 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); 4524 break; 4525 default: 4526 TEST_FAIL("Unexpected or unknown scenario."); 4527 } 4528 break; 4529#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ 4530 4531 case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */ 4532 case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */ 4533 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */ 4534 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */ 4535 case MBEDTLS_SSL_HANDSHAKE_OVER: 4536 switch (scenario) { 4537 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */ 4538 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4539 case TEST_EARLY_DATA_HRR: 4540 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4541 TEST_EQUAL(client_ep.ssl.state, client_state); 4542 break; 4543 default: 4544 TEST_FAIL("Unknown scenario."); 4545 } 4546 break; 4547 4548 default: 4549 TEST_FAIL("Unexpected state."); 4550 } 4551 4552complete_handshake: 4553 do { 4554 ret = mbedtls_test_move_handshake_to_state( 4555 &(server_ep.ssl), &(client_ep.ssl), 4556 MBEDTLS_SSL_HANDSHAKE_OVER); 4557 4558 if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) { 4559 read_early_data_ret = mbedtls_ssl_read_early_data( 4560 &(server_ep.ssl), read_buf, sizeof(read_buf)); 4561 4562 TEST_EQUAL(read_early_data_ret, early_data_len); 4563 } 4564 } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 4565 4566 TEST_EQUAL(ret, 0); 4567 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4568 &(client_ep.ssl), &(server_ep.ssl), 4569 MBEDTLS_SSL_HANDSHAKE_OVER), 0); 4570 4571 mbedtls_test_mock_socket_close(&(client_ep.socket)); 4572 mbedtls_test_mock_socket_close(&(server_ep.socket)); 4573 4574 ret = mbedtls_ssl_session_reset(&(client_ep.ssl)); 4575 TEST_EQUAL(ret, 0); 4576 4577 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4578 TEST_EQUAL(ret, 0); 4579 4580 ret = mbedtls_ssl_session_reset(&(server_ep.ssl)); 4581 TEST_EQUAL(ret, 0); 4582 4583 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4584 &(server_ep.socket), 1024); 4585 TEST_EQUAL(ret, 0); 4586 4587 previous_client_state = client_state; 4588 if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) { 4589 break; 4590 } 4591 4592 /* In case of HRR scenario, once we have been through it, move over 4593 * the first ClientHello and ServerHello otherwise we just keep playing 4594 * this first part of the handshake with HRR. 4595 */ 4596 if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) { 4597 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 4598 &(client_ep.ssl), &(server_ep.ssl), 4599 MBEDTLS_SSL_SERVER_HELLO) == 0); 4600 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 4601 &(client_ep.ssl), &(server_ep.ssl), 4602 MBEDTLS_SSL_CLIENT_HELLO) == 0); 4603 } 4604 4605 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4606 &(client_ep.ssl), &(server_ep.ssl), 4607 previous_client_state), 0); 4608 4609 /* Progress the handshake from at least one state */ 4610 while (client_ep.ssl.state == previous_client_state) { 4611 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl)); 4612 TEST_ASSERT((ret == 0) || 4613 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4614 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4615 if (client_ep.ssl.state != previous_client_state) { 4616 break; 4617 } 4618 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl)); 4619 TEST_ASSERT((ret == 0) || 4620 (ret == MBEDTLS_ERR_SSL_WANT_READ) || 4621 (ret == MBEDTLS_ERR_SSL_WANT_WRITE)); 4622 } 4623 } while (1); 4624 4625exit: 4626 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4627 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4628 mbedtls_test_free_handshake_options(&client_options); 4629 mbedtls_test_free_handshake_options(&server_options); 4630 mbedtls_ssl_session_free(&saved_session); 4631 PSA_DONE(); 4632} 4633/* END_CASE */ 4634 4635/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4636void tls13_cli_max_early_data_size(int max_early_data_size_arg) 4637{ 4638 int ret = -1; 4639 mbedtls_test_ssl_endpoint client_ep, server_ep; 4640 mbedtls_test_handshake_test_options client_options; 4641 mbedtls_test_handshake_test_options server_options; 4642 mbedtls_ssl_session saved_session; 4643 unsigned char *buf = NULL; 4644 uint32_t buf_size = 64; 4645 uint32_t max_early_data_size; 4646 uint32_t written_early_data_size = 0; 4647 uint32_t read_early_data_size = 0; 4648 4649 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 4650 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 4651 mbedtls_test_init_handshake_options(&client_options); 4652 mbedtls_test_init_handshake_options(&server_options); 4653 mbedtls_ssl_session_init(&saved_session); 4654 4655 PSA_INIT(); 4656 TEST_CALLOC(buf, buf_size); 4657 4658 /* 4659 * Run first handshake to get a ticket from the server. 4660 */ 4661 4662 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4663 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4664 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4665 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4666 server_options.max_early_data_size = max_early_data_size_arg; 4667 4668 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4669 &saved_session); 4670 TEST_EQUAL(ret, 0); 4671 4672 /* 4673 * Prepare for handshake with the ticket. 4674 */ 4675 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4676 &client_options, NULL, NULL, NULL); 4677 TEST_EQUAL(ret, 0); 4678 4679 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4680 &server_options, NULL, NULL, NULL); 4681 TEST_EQUAL(ret, 0); 4682 4683 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4684 mbedtls_test_ticket_write, 4685 mbedtls_test_ticket_parse, 4686 NULL); 4687 4688 max_early_data_size = saved_session.max_early_data_size; 4689 /* 4690 * (max_early_data_size + 1024) for the size of the socket buffers for the 4691 * server one to be able to contain the maximum number of early data bytes 4692 * plus the first flight of client messages. Needed because we cannot 4693 * initiate the handshake on server side before doing all the calls to 4694 * mbedtls_ssl_write_early_data() we want to test. See below for more 4695 * information. 4696 */ 4697 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4698 &(server_ep.socket), 4699 max_early_data_size + 1024); 4700 TEST_EQUAL(ret, 0); 4701 4702 /* If our server is configured with max_early_data_size equal to zero, it 4703 * does not set the MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA flag for 4704 * the tickets it creates. To be able to test early data with a ticket 4705 * allowing early data in its flags but with max_early_data_size equal to 4706 * zero (case supported by our client) tweak the ticket flags here. 4707 */ 4708 if (max_early_data_size == 0) { 4709 saved_session.ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA; 4710 } 4711 4712 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4713 TEST_EQUAL(ret, 0); 4714 4715 while (written_early_data_size < max_early_data_size) { 4716 uint32_t remaining = max_early_data_size - written_early_data_size; 4717 4718 for (size_t i = 0; i < buf_size; i++) { 4719 buf[i] = (unsigned char) (written_early_data_size + i); 4720 } 4721 4722 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), 4723 buf, 4724 buf_size); 4725 4726 if (buf_size <= remaining) { 4727 TEST_EQUAL(ret, buf_size); 4728 } else { 4729 TEST_EQUAL(ret, remaining); 4730 } 4731 written_early_data_size += buf_size; 4732 } 4733 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size); 4734 4735 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), buf, 1); 4736 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA); 4737 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size); 4738 TEST_EQUAL(client_ep.ssl.early_data_state, 4739 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE); 4740 4741 /* 4742 * Now, check data on server side. It is not done in the previous loop as 4743 * in the first call to mbedtls_ssl_handshake(), the server ends up sending 4744 * its Finished message and then in the following call to 4745 * mbedtls_ssl_write_early_data() we go past the early data writing window 4746 * and we cannot test multiple calls to the API is this writing window. 4747 */ 4748 while (read_early_data_size < max_early_data_size) { 4749 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 4750 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 4751 4752 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), 4753 buf, 4754 buf_size); 4755 TEST_ASSERT(ret > 0); 4756 4757 for (size_t i = 0; i < (size_t) ret; i++) { 4758 TEST_EQUAL(buf[i], (unsigned char) (read_early_data_size + i)); 4759 } 4760 4761 read_early_data_size += ret; 4762 } 4763 TEST_EQUAL(read_early_data_size, max_early_data_size); 4764 4765 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 4766 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 4767 4768 TEST_ASSERT(mbedtls_test_move_handshake_to_state( 4769 &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_HANDSHAKE_OVER) 4770 == 0); 4771 4772exit: 4773 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 4774 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 4775 mbedtls_test_free_handshake_options(&client_options); 4776 mbedtls_test_free_handshake_options(&server_options); 4777 mbedtls_ssl_session_free(&saved_session); 4778 mbedtls_free(buf); 4779 PSA_DONE(); 4780} 4781/* END_CASE */ 4782 4783/* 4784 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is 4785 * a temporary workaround to not run the test in Windows-2013 where there is 4786 * an issue with mbedtls_vsnprintf(). 4787 */ 4788/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */ 4789void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg) 4790{ 4791 int ret = -1; 4792 mbedtls_test_ssl_endpoint client_ep, server_ep; 4793 mbedtls_test_handshake_test_options client_options; 4794 mbedtls_test_handshake_test_options server_options; 4795 mbedtls_ssl_session saved_session; 4796 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 }; 4797 uint16_t group_list[3] = { 4798 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4799 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4800 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4801 }; 4802 char pattern[128]; 4803 unsigned char *buf_write = NULL; 4804 uint32_t write_size = (uint32_t) write_size_arg; 4805 unsigned char *buf_read = NULL; 4806 uint32_t read_size; 4807 uint32_t expanded_early_data_chunk_size = 0; 4808 uint32_t written_early_data_size = 0; 4809 uint32_t max_early_data_size; 4810 4811 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep)); 4812 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep)); 4813 mbedtls_test_init_handshake_options(&client_options); 4814 mbedtls_test_init_handshake_options(&server_options); 4815 mbedtls_ssl_session_init(&saved_session); 4816 PSA_INIT(); 4817 4818 TEST_CALLOC(buf_write, write_size); 4819 4820 /* 4821 * Allocate a smaller buffer for early data reading to exercise the reading 4822 * of data in one record in multiple calls. 4823 */ 4824 read_size = (write_size / 2) + 1; 4825 TEST_CALLOC(buf_read, read_size); 4826 4827 /* 4828 * Run first handshake to get a ticket from the server. 4829 */ 4830 4831 client_options.pk_alg = MBEDTLS_PK_ECDSA; 4832 client_options.group_list = group_list; 4833 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4834 server_options.pk_alg = MBEDTLS_PK_ECDSA; 4835 server_options.group_list = group_list; 4836 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED; 4837 server_options.max_early_data_size = max_early_data_size_arg; 4838 4839 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options, 4840 &saved_session); 4841 TEST_EQUAL(ret, 0); 4842 4843 /* 4844 * Prepare for handshake with the ticket. 4845 */ 4846 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer; 4847 server_options.srv_log_obj = &server_pattern; 4848 server_pattern.pattern = pattern; 4849 4850 switch (scenario) { 4851 case TEST_EARLY_DATA_ACCEPTED: 4852 break; 4853 4854 case TEST_EARLY_DATA_SERVER_REJECTS: 4855 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED; 4856 ret = mbedtls_snprintf(pattern, sizeof(pattern), 4857 "EarlyData: deprotect and discard app data records."); 4858 TEST_ASSERT(ret < (int) sizeof(pattern)); 4859 mbedtls_debug_set_threshold(3); 4860 break; 4861 4862 case TEST_EARLY_DATA_HRR: 4863 /* 4864 * Remove server support for the group negotiated in 4865 * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest. 4866 */ 4867 server_options.group_list = group_list + 1; 4868 ret = mbedtls_snprintf( 4869 pattern, sizeof(pattern), 4870 "EarlyData: Ignore application message before 2nd ClientHello"); 4871 TEST_ASSERT(ret < (int) sizeof(pattern)); 4872 mbedtls_debug_set_threshold(3); 4873 break; 4874 4875 default: 4876 TEST_FAIL("Unknown scenario."); 4877 } 4878 4879 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, 4880 &client_options, NULL, NULL, NULL); 4881 TEST_EQUAL(ret, 0); 4882 4883 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, 4884 &server_options, NULL, NULL, NULL); 4885 TEST_EQUAL(ret, 0); 4886 4887 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf, 4888 mbedtls_test_ticket_write, 4889 mbedtls_test_ticket_parse, 4890 NULL); 4891 4892 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket), 4893 &(server_ep.socket), 1024); 4894 TEST_EQUAL(ret, 0); 4895 4896 max_early_data_size = saved_session.max_early_data_size; 4897 4898 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session); 4899 TEST_EQUAL(ret, 0); 4900 4901 /* 4902 * Start an handshake based on the ticket up to the point where early data 4903 * can be sent from client side. Then send in a loop as much early data as 4904 * possible without going over the maximum permitted size for the ticket. 4905 * Finally, do a last writting to go past that maximum permitted size and 4906 * check that we detect it. 4907 */ 4908 TEST_EQUAL(mbedtls_test_move_handshake_to_state( 4909 &(client_ep.ssl), &(server_ep.ssl), 4910 MBEDTLS_SSL_SERVER_HELLO), 0); 4911 4912 TEST_ASSERT(client_ep.ssl.early_data_state != 4913 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT); 4914 4915 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 4916 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ); 4917 4918 /* 4919 * Write and if possible read as much as possible chunks of write_size 4920 * bytes data without getting over the max_early_data_size limit. 4921 */ 4922 do { 4923 uint32_t read_early_data_size = 0; 4924 4925 /* 4926 * The contents of the early data are not very important, write a 4927 * pattern that varies byte-by-byte and is different for every chunk of 4928 * early data. 4929 */ 4930 if ((written_early_data_size + write_size) > max_early_data_size) { 4931 break; 4932 } 4933 4934 /* 4935 * If the server rejected early data, base the determination of when 4936 * to stop the loop on the expanded size (padding and encryption 4937 * expansion) of early data on server side and the number of early data 4938 * received so far by the server (multiple of the expanded size). 4939 */ 4940 if ((expanded_early_data_chunk_size != 0) && 4941 ((server_ep.ssl.total_early_data_size + 4942 expanded_early_data_chunk_size) > max_early_data_size)) { 4943 break; 4944 } 4945 4946 for (size_t i = 0; i < write_size; i++) { 4947 buf_write[i] = (unsigned char) (written_early_data_size + i); 4948 } 4949 4950 ret = write_early_data(&(client_ep.ssl), buf_write, write_size); 4951 TEST_EQUAL(ret, write_size); 4952 written_early_data_size += write_size; 4953 4954 switch (scenario) { 4955 case TEST_EARLY_DATA_ACCEPTED: 4956 while (read_early_data_size < write_size) { 4957 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 4958 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA); 4959 4960 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl), 4961 buf_read, read_size); 4962 TEST_ASSERT(ret > 0); 4963 4964 TEST_MEMORY_COMPARE(buf_read, ret, 4965 buf_write + read_early_data_size, ret); 4966 read_early_data_size += ret; 4967 4968 TEST_EQUAL(server_ep.ssl.total_early_data_size, 4969 written_early_data_size); 4970 } 4971 break; 4972 4973 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */ 4974 case TEST_EARLY_DATA_HRR: 4975 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 4976 /* 4977 * In this write loop we try to always stay below the 4978 * max_early_data_size limit but if max_early_data_size is very 4979 * small we may exceed the max_early_data_size limit on the 4980 * first write. In TEST_EARLY_DATA_SERVER_REJECTS/ 4981 * TEST_EARLY_DATA_HRR scenario, this is for sure the case if 4982 * max_early_data_size is smaller than the smallest possible 4983 * inner content/protected record. Take into account this 4984 * possibility here but only for max_early_data_size values 4985 * that are close to write_size. Below, '1' is for the inner 4986 * type byte and '16' is to take into account some AEAD 4987 * expansion (tag, ...). 4988 */ 4989 if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) { 4990 if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) { 4991 TEST_LE_U(max_early_data_size, 4992 write_size + 1 + 4993 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); 4994 } else { 4995 TEST_LE_U(max_early_data_size, 4996 write_size + 1 + 16 + 4997 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY); 4998 } 4999 goto exit; 5000 } 5001 5002 TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ); 5003 5004 TEST_EQUAL(server_pattern.counter, 1); 5005 server_pattern.counter = 0; 5006 if (expanded_early_data_chunk_size == 0) { 5007 expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size; 5008 } 5009 break; 5010 } 5011 TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size); 5012 } while (1); 5013 5014 mbedtls_debug_set_threshold(3); 5015 ret = write_early_data(&(client_ep.ssl), buf_write, write_size); 5016 TEST_EQUAL(ret, write_size); 5017 5018 ret = mbedtls_snprintf(pattern, sizeof(pattern), 5019 "EarlyData: Too much early data received"); 5020 TEST_ASSERT(ret < (int) sizeof(pattern)); 5021 5022 ret = mbedtls_ssl_handshake(&(server_ep.ssl)); 5023 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE); 5024 TEST_EQUAL(server_pattern.counter, 1); 5025 5026exit: 5027 mbedtls_test_ssl_endpoint_free(&client_ep, NULL); 5028 mbedtls_test_ssl_endpoint_free(&server_ep, NULL); 5029 mbedtls_test_free_handshake_options(&client_options); 5030 mbedtls_test_free_handshake_options(&server_options); 5031 mbedtls_ssl_session_free(&saved_session); 5032 mbedtls_free(buf_write); 5033 mbedtls_free(buf_read); 5034 mbedtls_debug_set_threshold(0); 5035 PSA_DONE(); 5036} 5037/* END_CASE */ 5038
