1/* BEGIN_HEADER */
2/* Testing of mbedtls_ssl_decrypt_buf() specifically, focusing on negative
3 * testing (using malformed inputs). */
4
5#include <mbedtls/ssl.h>
6#include <ssl_misc.h>
7#include <test/ssl_helpers.h>
8
9/* END_HEADER */
10
11/* BEGIN_DEPENDENCIES
12 * depends_on:MBEDTLS_SSL_TLS_C
13 * END_DEPENDENCIES
14 */
15
16/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CIPHER_NULL_CIPHER */
17void ssl_decrypt_null(int hash_id)
18{
19    mbedtls_ssl_transform transform_in, transform_out;
20    mbedtls_ssl_transform_init(&transform_in);
21    mbedtls_ssl_transform_init(&transform_out);
22    const mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2;
23    const mbedtls_cipher_type_t cipher_type = MBEDTLS_CIPHER_NULL;
24    mbedtls_record rec_good = {
25        .ctr = { 0 },
26        .type = MBEDTLS_SSL_MSG_APPLICATION_DATA,
27        .ver = { 0, 0 },    /* Will be set by a function call below */
28        .buf = NULL,
29        .buf_len = 0,
30        .data_offset = 0,
31        .data_len = 0,
32#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
33        .cid_len = 0,
34        .cid = { 0 },
35#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
36    };
37    mbedtls_ssl_write_version(rec_good.ver,
38                              MBEDTLS_SSL_TRANSPORT_STREAM,
39                              version);
40    const char sample_plaintext[3] = "ABC";
41    mbedtls_ssl_context ssl;
42    mbedtls_ssl_init(&ssl);
43    uint8_t *buf = NULL;
44
45    MD_OR_USE_PSA_INIT();
46
47    TEST_EQUAL(mbedtls_test_ssl_build_transforms(&transform_in, &transform_out,
48                                                 cipher_type, hash_id, 0, 0,
49                                                 version,
50                                                 0, 0), 0);
51
52    const size_t plaintext_length = sizeof(sample_plaintext);
53    rec_good.buf_len = plaintext_length + transform_in.maclen;
54    rec_good.data_len = plaintext_length;
55    TEST_CALLOC(rec_good.buf, rec_good.buf_len);
56    memcpy(rec_good.buf, sample_plaintext, plaintext_length);
57    TEST_EQUAL(mbedtls_test_ssl_prepare_record_mac(&rec_good,
58                                                   &transform_out), 0);
59
60    /* Good case */
61    mbedtls_record rec = rec_good;
62    TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 0);
63
64    /* Change any one byte of the plaintext or MAC. The MAC will be wrong. */
65    TEST_CALLOC(buf, rec.buf_len);
66    for (size_t i = 0; i < rec.buf_len; i++) {
67        mbedtls_test_set_step(i);
68        rec = rec_good;
69        rec.buf = buf;
70        memcpy(buf, rec_good.buf, rec.buf_len);
71        buf[i] ^= 1;
72        TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
73                   MBEDTLS_ERR_SSL_INVALID_MAC);
74    }
75    mbedtls_free(buf);
76    buf = NULL;
77
78    /* Shorter input buffer. Either the MAC will be wrong, or there isn't
79     * enough room for a MAC. */
80    for (size_t n = 1; n < rec.buf_len; n++) {
81        mbedtls_test_set_step(n);
82        rec = rec_good;
83        TEST_CALLOC(buf, n);
84        rec.buf = buf;
85        rec.buf_len = n;
86        rec.data_len = n;
87        memcpy(buf, rec_good.buf, n);
88        TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
89                   MBEDTLS_ERR_SSL_INVALID_MAC);
90        mbedtls_free(buf);
91        buf = NULL;
92    }
93
94    /* For robustness, check a 0-length buffer (non-null, then null).
95     * This should not reach mbedtls_ssl_decrypt_buf() as used in the library,
96     * so the exact error doesn't matter, but we don't want a crash. */
97    {
98        const uint8_t buf1[1] = { 'a' };
99        rec = rec_good;
100        /* We won't write to buf1[0] since it's out of range, so we can cast
101         * the const away. */
102        rec.buf = (uint8_t *) buf1;
103        rec.buf_len = 0;
104        TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
105                   MBEDTLS_ERR_SSL_INTERNAL_ERROR);
106    }
107    rec = rec_good;
108    rec.buf = NULL;
109    rec.buf_len = 0;
110    TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
111               MBEDTLS_ERR_SSL_INTERNAL_ERROR);
112
113exit:
114    mbedtls_ssl_transform_free(&transform_in);
115    mbedtls_ssl_transform_free(&transform_out);
116    mbedtls_free(rec_good.buf);
117    mbedtls_ssl_free(&ssl);
118    mbedtls_free(buf);
119    MD_OR_USE_PSA_DONE();
120}
121/* END_CASE */
122
123/* BEGIN_CASE depends_on:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2 */
124void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac,
125                             int length_selector)
126{
127    /*
128     * Test record decryption for CBC without EtM, focused on the verification
129     * of padding and MAC.
130     *
131     * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since
132     * the test framework doesn't support alternation in dependency statements,
133     * just depend on AES.
134     *
135     * The length_selector argument is interpreted as follows:
136     * - if it's -1, the plaintext length is 0 and minimal padding is applied
137     * - if it's -2, the plaintext length is 0 and maximal padding is applied
138     * - otherwise it must be in [0, 255] and is padding_length from RFC 5246:
139     *   it's the length of the rest of the padding, that is, excluding the
140     *   byte that encodes the length. The minimal non-zero plaintext length
141     *   that gives this padding_length is automatically selected.
142     */
143    mbedtls_ssl_context ssl; /* ONLY for debugging */
144    mbedtls_ssl_transform t0, t1;
145    mbedtls_record rec, rec_save;
146    unsigned char *buf = NULL, *buf_save = NULL;
147    size_t buflen, olen = 0;
148    size_t plaintext_len, block_size, i;
149    unsigned char padlen; /* excluding the padding_length byte */
150    int exp_ret;
151    int ret;
152    const unsigned char pad_max_len = 255; /* Per the standard */
153
154    mbedtls_ssl_init(&ssl);
155    mbedtls_ssl_transform_init(&t0);
156    mbedtls_ssl_transform_init(&t1);
157    MD_OR_USE_PSA_INIT();
158
159    /* Set up transforms with dummy keys */
160    ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
161                                            0, trunc_hmac,
162                                            MBEDTLS_SSL_VERSION_TLS1_2,
163                                            0, 0);
164
165    TEST_ASSERT(ret == 0);
166
167    /* Determine padding/plaintext length */
168    TEST_ASSERT(length_selector >= -2 && length_selector <= 255);
169    block_size = t0.ivlen;
170    if (length_selector < 0) {
171        plaintext_len = 0;
172
173        /* Minimal padding
174         * The +1 is for the padding_length byte, not counted in padlen. */
175        padlen = block_size - (t0.maclen + 1) % block_size;
176
177        /* Maximal padding? */
178        if (length_selector == -2) {
179            padlen += block_size * ((pad_max_len - padlen) / block_size);
180        }
181    } else {
182        padlen = length_selector;
183
184        /* Minimal non-zero plaintext_length giving desired padding.
185         * The +1 is for the padding_length byte, not counted in padlen. */
186        plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size;
187    }
188
189    /* Prepare a buffer for record data */
190    buflen = block_size
191             + plaintext_len
192             + t0.maclen
193             + padlen + 1;
194    TEST_CALLOC(buf, buflen);
195    TEST_CALLOC(buf_save, buflen);
196
197    /* Prepare a dummy record header */
198    memset(rec.ctr, 0, sizeof(rec.ctr));
199    rec.type    = MBEDTLS_SSL_MSG_APPLICATION_DATA;
200    mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM,
201                              MBEDTLS_SSL_VERSION_TLS1_2);
202#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
203    rec.cid_len = 0;
204#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
205
206    /* Prepare dummy record content */
207    rec.buf     = buf;
208    rec.buf_len = buflen;
209    rec.data_offset = block_size;
210    rec.data_len = plaintext_len;
211    memset(rec.buf + rec.data_offset, 42, rec.data_len);
212
213    /* Set dummy IV */
214    memset(t0.iv_enc, 0x55, t0.ivlen);
215    memcpy(rec.buf, t0.iv_enc, t0.ivlen);
216
217    /*
218     * Prepare a pre-encryption record (with MAC and padding), and save it.
219     */
220    TEST_EQUAL(0, mbedtls_test_ssl_prepare_record_mac(&rec, &t0));
221
222    /* Pad */
223    memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1);
224    rec.data_len += padlen + 1;
225
226    /* Save correct pre-encryption record */
227    rec_save = rec;
228    rec_save.buf = buf_save;
229    memcpy(buf_save, buf, buflen);
230
231    /*
232     * Encrypt and decrypt the correct record, expecting success
233     */
234    TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
235                   &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
236                   rec.data_len, rec.buf + rec.data_offset, &olen));
237    rec.data_offset -= t0.ivlen;
238    rec.data_len    += t0.ivlen;
239
240    TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
241
242    /*
243     * Modify each byte of the pre-encryption record before encrypting and
244     * decrypting it, expecting failure every time.
245     */
246    for (i = block_size; i < buflen; i++) {
247        mbedtls_test_set_step(i);
248
249        /* Restore correct pre-encryption record */
250        rec = rec_save;
251        rec.buf = buf;
252        memcpy(buf, buf_save, buflen);
253
254        /* Corrupt one byte of the data (could be plaintext, MAC or padding) */
255        rec.buf[i] ^= 0x01;
256
257        /* Encrypt */
258        TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
259                       &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
260                       rec.data_len, rec.buf + rec.data_offset, &olen));
261        rec.data_offset -= t0.ivlen;
262        rec.data_len    += t0.ivlen;
263
264        /* Decrypt and expect failure */
265        TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC,
266                   mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
267    }
268
269    /*
270     * Use larger values of the padding bytes - with small buffers, this tests
271     * the case where the announced padlen would be larger than the buffer
272     * (and before that, than the buffer minus the size of the MAC), to make
273     * sure our padding checking code does not perform any out-of-bounds reads
274     * in this case. (With larger buffers, ie when the plaintext is long or
275     * maximal length padding is used, this is less relevant but still doesn't
276     * hurt to test.)
277     *
278     * (Start the loop with correct padding, just to double-check that record
279     * saving did work, and that we're overwriting the correct bytes.)
280     */
281    for (i = padlen; i <= pad_max_len; i++) {
282        mbedtls_test_set_step(i);
283
284        /* Restore correct pre-encryption record */
285        rec = rec_save;
286        rec.buf = buf;
287        memcpy(buf, buf_save, buflen);
288
289        /* Set padding bytes to new value */
290        memset(buf + buflen - padlen - 1, i, padlen + 1);
291
292        /* Encrypt */
293        TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
294                       &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
295                       rec.data_len, rec.buf + rec.data_offset, &olen));
296        rec.data_offset -= t0.ivlen;
297        rec.data_len    += t0.ivlen;
298
299        /* Decrypt and expect failure except the first time */
300        exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
301        TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
302    }
303
304exit:
305    mbedtls_ssl_free(&ssl);
306    mbedtls_ssl_transform_free(&t0);
307    mbedtls_ssl_transform_free(&t1);
308    mbedtls_free(buf);
309    mbedtls_free(buf_save);
310    MD_OR_USE_PSA_DONE();
311}
312/* END_CASE */
313