xref: /freebsd/tests/sys/kern/ktls_test.c (revision 0ff2a12ae32a3a88be63f4036599c1324ce04f78)
1a10482eaSJohn Baldwin /*-
2a10482eaSJohn Baldwin  * SPDX-License-Identifier: BSD-2-Clause
3a10482eaSJohn Baldwin  *
4a10482eaSJohn Baldwin  * Copyright (c) 2021 Netflix Inc.
5a10482eaSJohn Baldwin  * Written by: John Baldwin <jhb@FreeBSD.org>
6a10482eaSJohn Baldwin  *
7a10482eaSJohn Baldwin  * Redistribution and use in source and binary forms, with or without
8a10482eaSJohn Baldwin  * modification, are permitted provided that the following conditions
9a10482eaSJohn Baldwin  * are met:
10a10482eaSJohn Baldwin  * 1. Redistributions of source code must retain the above copyright
11a10482eaSJohn Baldwin  *    notice, this list of conditions and the following disclaimer.
12a10482eaSJohn Baldwin  * 2. Redistributions in binary form must reproduce the above copyright
13a10482eaSJohn Baldwin  *    notice, this list of conditions and the following disclaimer in the
14a10482eaSJohn Baldwin  *    documentation and/or other materials provided with the distribution.
15a10482eaSJohn Baldwin  *
16a10482eaSJohn Baldwin  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17a10482eaSJohn Baldwin  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18a10482eaSJohn Baldwin  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19a10482eaSJohn Baldwin  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20a10482eaSJohn Baldwin  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21a10482eaSJohn Baldwin  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22a10482eaSJohn Baldwin  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23a10482eaSJohn Baldwin  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24a10482eaSJohn Baldwin  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25a10482eaSJohn Baldwin  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26a10482eaSJohn Baldwin  * SUCH DAMAGE.
27a10482eaSJohn Baldwin  */
28a10482eaSJohn Baldwin 
29a10482eaSJohn Baldwin #include <sys/types.h>
30a10482eaSJohn Baldwin #include <sys/endian.h>
31a10482eaSJohn Baldwin #include <sys/event.h>
32a10482eaSJohn Baldwin #include <sys/ktls.h>
33a10482eaSJohn Baldwin #include <sys/socket.h>
34a10482eaSJohn Baldwin #include <sys/sysctl.h>
35a10482eaSJohn Baldwin #include <netinet/in.h>
36a10482eaSJohn Baldwin #include <netinet/tcp.h>
37a10482eaSJohn Baldwin #include <crypto/cryptodev.h>
38a10482eaSJohn Baldwin #include <assert.h>
39a10482eaSJohn Baldwin #include <err.h>
40a10482eaSJohn Baldwin #include <fcntl.h>
41a10482eaSJohn Baldwin #include <poll.h>
42a10482eaSJohn Baldwin #include <stdbool.h>
43a10482eaSJohn Baldwin #include <stdlib.h>
44a10482eaSJohn Baldwin #include <atf-c.h>
45a10482eaSJohn Baldwin 
46a10482eaSJohn Baldwin #include <openssl/err.h>
47a10482eaSJohn Baldwin #include <openssl/evp.h>
48a10482eaSJohn Baldwin #include <openssl/hmac.h>
49a10482eaSJohn Baldwin 
50a10482eaSJohn Baldwin static void
51a10482eaSJohn Baldwin require_ktls(void)
52a10482eaSJohn Baldwin {
53a10482eaSJohn Baldwin 	size_t len;
54a10482eaSJohn Baldwin 	bool enable;
55a10482eaSJohn Baldwin 
56a10482eaSJohn Baldwin 	len = sizeof(enable);
57a10482eaSJohn Baldwin 	if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) {
58a10482eaSJohn Baldwin 		if (errno == ENOENT)
59a10482eaSJohn Baldwin 			atf_tc_skip("kernel does not support TLS offload");
60a10482eaSJohn Baldwin 		atf_libc_error(errno, "Failed to read kern.ipc.tls.enable");
61a10482eaSJohn Baldwin 	}
62a10482eaSJohn Baldwin 
63a10482eaSJohn Baldwin 	if (!enable)
64a10482eaSJohn Baldwin 		atf_tc_skip("Kernel TLS is disabled");
65a10482eaSJohn Baldwin }
66a10482eaSJohn Baldwin 
67a10482eaSJohn Baldwin #define	ATF_REQUIRE_KTLS()	require_ktls()
68a10482eaSJohn Baldwin 
69a10482eaSJohn Baldwin static char
70a10482eaSJohn Baldwin rdigit(void)
71a10482eaSJohn Baldwin {
72a10482eaSJohn Baldwin 	/* ASCII printable values between 0x20 and 0x7e */
73a10482eaSJohn Baldwin 	return (0x20 + random() % (0x7f - 0x20));
74a10482eaSJohn Baldwin }
75a10482eaSJohn Baldwin 
76a10482eaSJohn Baldwin static char *
77a10482eaSJohn Baldwin alloc_buffer(size_t len)
78a10482eaSJohn Baldwin {
79a10482eaSJohn Baldwin 	char *buf;
80a10482eaSJohn Baldwin 	size_t i;
81a10482eaSJohn Baldwin 
82a10482eaSJohn Baldwin 	if (len == 0)
83a10482eaSJohn Baldwin 		return (NULL);
84a10482eaSJohn Baldwin 	buf = malloc(len);
85a10482eaSJohn Baldwin 	for (i = 0; i < len; i++)
86a10482eaSJohn Baldwin 		buf[i] = rdigit();
87a10482eaSJohn Baldwin 	return (buf);
88a10482eaSJohn Baldwin }
89a10482eaSJohn Baldwin 
90a10482eaSJohn Baldwin static bool
91a10482eaSJohn Baldwin socketpair_tcp(int *sv)
92a10482eaSJohn Baldwin {
93a10482eaSJohn Baldwin 	struct pollfd pfd;
94a10482eaSJohn Baldwin 	struct sockaddr_in sin;
95a10482eaSJohn Baldwin 	socklen_t len;
96a10482eaSJohn Baldwin 	int as, cs, ls;
97a10482eaSJohn Baldwin 
98a10482eaSJohn Baldwin 	ls = socket(PF_INET, SOCK_STREAM, 0);
99a10482eaSJohn Baldwin 	if (ls == -1) {
100a10482eaSJohn Baldwin 		warn("socket() for listen");
101a10482eaSJohn Baldwin 		return (false);
102a10482eaSJohn Baldwin 	}
103a10482eaSJohn Baldwin 
104a10482eaSJohn Baldwin 	memset(&sin, 0, sizeof(sin));
105a10482eaSJohn Baldwin 	sin.sin_len = sizeof(sin);
106a10482eaSJohn Baldwin 	sin.sin_family = AF_INET;
107a10482eaSJohn Baldwin 	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
108a10482eaSJohn Baldwin 	if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
109a10482eaSJohn Baldwin 		warn("bind");
110a10482eaSJohn Baldwin 		close(ls);
111a10482eaSJohn Baldwin 		return (false);
112a10482eaSJohn Baldwin 	}
113a10482eaSJohn Baldwin 
114a10482eaSJohn Baldwin 	if (listen(ls, 1) == -1) {
115a10482eaSJohn Baldwin 		warn("listen");
116a10482eaSJohn Baldwin 		close(ls);
117a10482eaSJohn Baldwin 		return (false);
118a10482eaSJohn Baldwin 	}
119a10482eaSJohn Baldwin 
120a10482eaSJohn Baldwin 	len = sizeof(sin);
121a10482eaSJohn Baldwin 	if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) {
122a10482eaSJohn Baldwin 		warn("getsockname");
123a10482eaSJohn Baldwin 		close(ls);
124a10482eaSJohn Baldwin 		return (false);
125a10482eaSJohn Baldwin 	}
126a10482eaSJohn Baldwin 
127a10482eaSJohn Baldwin 	cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
128a10482eaSJohn Baldwin 	if (cs == -1) {
129a10482eaSJohn Baldwin 		warn("socket() for connect");
130a10482eaSJohn Baldwin 		close(ls);
131a10482eaSJohn Baldwin 		return (false);
132a10482eaSJohn Baldwin 	}
133a10482eaSJohn Baldwin 
134a10482eaSJohn Baldwin 	if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
135a10482eaSJohn Baldwin 		if (errno != EINPROGRESS) {
136a10482eaSJohn Baldwin 			warn("connect");
137a10482eaSJohn Baldwin 			close(ls);
138a10482eaSJohn Baldwin 			close(cs);
139a10482eaSJohn Baldwin 			return (false);
140a10482eaSJohn Baldwin 		}
141a10482eaSJohn Baldwin 	}
142a10482eaSJohn Baldwin 
143a10482eaSJohn Baldwin 	as = accept4(ls, NULL, NULL, SOCK_NONBLOCK);
144a10482eaSJohn Baldwin 	if (as == -1) {
145a10482eaSJohn Baldwin 		warn("accept4");
146a10482eaSJohn Baldwin 		close(ls);
147a10482eaSJohn Baldwin 		close(cs);
148a10482eaSJohn Baldwin 		return (false);
149a10482eaSJohn Baldwin 	}
150a10482eaSJohn Baldwin 
151a10482eaSJohn Baldwin 	close(ls);
152a10482eaSJohn Baldwin 
153a10482eaSJohn Baldwin 	pfd.fd = cs;
154a10482eaSJohn Baldwin 	pfd.events = POLLOUT;
155a10482eaSJohn Baldwin 	pfd.revents = 0;
156a10482eaSJohn Baldwin 	ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1);
157a10482eaSJohn Baldwin 	ATF_REQUIRE(pfd.revents == POLLOUT);
158a10482eaSJohn Baldwin 
159a10482eaSJohn Baldwin 	sv[0] = cs;
160a10482eaSJohn Baldwin 	sv[1] = as;
161a10482eaSJohn Baldwin 	return (true);
162a10482eaSJohn Baldwin }
163a10482eaSJohn Baldwin 
164a10482eaSJohn Baldwin static void
165a10482eaSJohn Baldwin fd_set_blocking(int fd)
166a10482eaSJohn Baldwin {
167a10482eaSJohn Baldwin 	int flags;
168a10482eaSJohn Baldwin 
169a10482eaSJohn Baldwin 	ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1);
170a10482eaSJohn Baldwin 	flags &= ~O_NONBLOCK;
171a10482eaSJohn Baldwin 	ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1);
172a10482eaSJohn Baldwin }
173a10482eaSJohn Baldwin 
174a10482eaSJohn Baldwin static bool
175a10482eaSJohn Baldwin cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv,
176a10482eaSJohn Baldwin     const char *input, char *output, size_t size)
177a10482eaSJohn Baldwin {
178a10482eaSJohn Baldwin 	EVP_CIPHER_CTX *ctx;
179a10482eaSJohn Baldwin 	int outl, total;
180a10482eaSJohn Baldwin 
181a10482eaSJohn Baldwin 	ctx = EVP_CIPHER_CTX_new();
182a10482eaSJohn Baldwin 	if (ctx == NULL) {
183a10482eaSJohn Baldwin 		warnx("EVP_CIPHER_CTX_new failed: %s",
184a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
185a10482eaSJohn Baldwin 		return (false);
186a10482eaSJohn Baldwin 	}
187a10482eaSJohn Baldwin 	if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key,
188a10482eaSJohn Baldwin 	    (const u_char *)iv, 0) != 1) {
189a10482eaSJohn Baldwin 		warnx("EVP_CipherInit_ex failed: %s",
190a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
191a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
192a10482eaSJohn Baldwin 		return (false);
193a10482eaSJohn Baldwin 	}
194a10482eaSJohn Baldwin 	EVP_CIPHER_CTX_set_padding(ctx, 0);
195a10482eaSJohn Baldwin 	if (EVP_CipherUpdate(ctx, (u_char *)output, &outl,
196a10482eaSJohn Baldwin 	    (const u_char *)input, size) != 1) {
197a10482eaSJohn Baldwin 		warnx("EVP_CipherUpdate failed: %s",
198a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
199a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
200a10482eaSJohn Baldwin 		return (false);
201a10482eaSJohn Baldwin 	}
202a10482eaSJohn Baldwin 	total = outl;
203a10482eaSJohn Baldwin 	if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) {
204a10482eaSJohn Baldwin 		warnx("EVP_CipherFinal_ex failed: %s",
205a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
206a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
207a10482eaSJohn Baldwin 		return (false);
208a10482eaSJohn Baldwin 	}
209a10482eaSJohn Baldwin 	total += outl;
210a10482eaSJohn Baldwin 	if ((size_t)total != size) {
211a10482eaSJohn Baldwin 		warnx("decrypt size mismatch: %zu vs %d", size, total);
212a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
213a10482eaSJohn Baldwin 		return (false);
214a10482eaSJohn Baldwin 	}
215a10482eaSJohn Baldwin 	EVP_CIPHER_CTX_free(ctx);
216a10482eaSJohn Baldwin 	return (true);
217a10482eaSJohn Baldwin }
218a10482eaSJohn Baldwin 
219a10482eaSJohn Baldwin static bool
220a10482eaSJohn Baldwin verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad,
221a10482eaSJohn Baldwin     size_t aad_len, const void *buffer, size_t len, const void *digest)
222a10482eaSJohn Baldwin {
223a10482eaSJohn Baldwin 	HMAC_CTX *ctx;
224a10482eaSJohn Baldwin 	unsigned char digest2[EVP_MAX_MD_SIZE];
225a10482eaSJohn Baldwin 	u_int digest_len;
226a10482eaSJohn Baldwin 
227a10482eaSJohn Baldwin 	ctx = HMAC_CTX_new();
228a10482eaSJohn Baldwin 	if (ctx == NULL) {
229a10482eaSJohn Baldwin 		warnx("HMAC_CTX_new failed: %s",
230a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
231a10482eaSJohn Baldwin 		return (false);
232a10482eaSJohn Baldwin 	}
233a10482eaSJohn Baldwin 	if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) {
234a10482eaSJohn Baldwin 		warnx("HMAC_Init_ex failed: %s",
235a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
236a10482eaSJohn Baldwin 		HMAC_CTX_free(ctx);
237a10482eaSJohn Baldwin 		return (false);
238a10482eaSJohn Baldwin 	}
239a10482eaSJohn Baldwin 	if (HMAC_Update(ctx, aad, aad_len) != 1) {
240a10482eaSJohn Baldwin 		warnx("HMAC_Update (aad) failed: %s",
241a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
242a10482eaSJohn Baldwin 		HMAC_CTX_free(ctx);
243a10482eaSJohn Baldwin 		return (false);
244a10482eaSJohn Baldwin 	}
245a10482eaSJohn Baldwin 	if (HMAC_Update(ctx, buffer, len) != 1) {
246a10482eaSJohn Baldwin 		warnx("HMAC_Update (payload) failed: %s",
247a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
248a10482eaSJohn Baldwin 		HMAC_CTX_free(ctx);
249a10482eaSJohn Baldwin 		return (false);
250a10482eaSJohn Baldwin 	}
251a10482eaSJohn Baldwin 	if (HMAC_Final(ctx, digest2, &digest_len) != 1) {
252a10482eaSJohn Baldwin 		warnx("HMAC_Final failed: %s",
253a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
254a10482eaSJohn Baldwin 		HMAC_CTX_free(ctx);
255a10482eaSJohn Baldwin 		return (false);
256a10482eaSJohn Baldwin 	}
257a10482eaSJohn Baldwin 	HMAC_CTX_free(ctx);
258a10482eaSJohn Baldwin 	if (memcmp(digest, digest2, digest_len) != 0) {
259a10482eaSJohn Baldwin 		warnx("HMAC mismatch");
260a10482eaSJohn Baldwin 		return (false);
261a10482eaSJohn Baldwin 	}
262a10482eaSJohn Baldwin 	return (true);
263a10482eaSJohn Baldwin }
264a10482eaSJohn Baldwin 
265a10482eaSJohn Baldwin static bool
266a10482eaSJohn Baldwin aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce,
267a10482eaSJohn Baldwin     const void *aad, size_t aad_len, const char *input, char *output,
268a10482eaSJohn Baldwin     size_t size, const char *tag, size_t tag_len)
269a10482eaSJohn Baldwin {
270a10482eaSJohn Baldwin 	EVP_CIPHER_CTX *ctx;
271a10482eaSJohn Baldwin 	int outl, total;
272a10482eaSJohn Baldwin 	bool valid;
273a10482eaSJohn Baldwin 
274a10482eaSJohn Baldwin 	ctx = EVP_CIPHER_CTX_new();
275a10482eaSJohn Baldwin 	if (ctx == NULL) {
276a10482eaSJohn Baldwin 		warnx("EVP_CIPHER_CTX_new failed: %s",
277a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
278a10482eaSJohn Baldwin 		return (false);
279a10482eaSJohn Baldwin 	}
280a10482eaSJohn Baldwin 	if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
281a10482eaSJohn Baldwin 	    (const u_char *)nonce) != 1) {
282a10482eaSJohn Baldwin 		warnx("EVP_DecryptInit_ex failed: %s",
283a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
284a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
285a10482eaSJohn Baldwin 		return (false);
286a10482eaSJohn Baldwin 	}
287a10482eaSJohn Baldwin 	EVP_CIPHER_CTX_set_padding(ctx, 0);
288a10482eaSJohn Baldwin 	if (aad != NULL) {
289a10482eaSJohn Baldwin 		if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
290a10482eaSJohn Baldwin 		    aad_len) != 1) {
291a10482eaSJohn Baldwin 			warnx("EVP_DecryptUpdate for AAD failed: %s",
292a10482eaSJohn Baldwin 			    ERR_error_string(ERR_get_error(), NULL));
293a10482eaSJohn Baldwin 			EVP_CIPHER_CTX_free(ctx);
294a10482eaSJohn Baldwin 			return (false);
295a10482eaSJohn Baldwin 		}
296a10482eaSJohn Baldwin 	}
297a10482eaSJohn Baldwin 	if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl,
298a10482eaSJohn Baldwin 	    (const u_char *)input, size) != 1) {
299a10482eaSJohn Baldwin 		warnx("EVP_DecryptUpdate failed: %s",
300a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
301a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
302a10482eaSJohn Baldwin 		return (false);
303a10482eaSJohn Baldwin 	}
304a10482eaSJohn Baldwin 	total = outl;
305a10482eaSJohn Baldwin 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len,
306a10482eaSJohn Baldwin 	    __DECONST(char *, tag)) != 1) {
307a10482eaSJohn Baldwin 		warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s",
308a10482eaSJohn Baldwin 		    ERR_error_string(ERR_get_error(), NULL));
309a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
310a10482eaSJohn Baldwin 		return (false);
311a10482eaSJohn Baldwin 	}
312a10482eaSJohn Baldwin 	valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1);
313a10482eaSJohn Baldwin 	total += outl;
314a10482eaSJohn Baldwin 	if ((size_t)total != size) {
315a10482eaSJohn Baldwin 		warnx("decrypt size mismatch: %zu vs %d", size, total);
316a10482eaSJohn Baldwin 		EVP_CIPHER_CTX_free(ctx);
317a10482eaSJohn Baldwin 		return (false);
318a10482eaSJohn Baldwin 	}
319a10482eaSJohn Baldwin 	if (!valid)
320a10482eaSJohn Baldwin 		warnx("tag mismatch");
321a10482eaSJohn Baldwin 	EVP_CIPHER_CTX_free(ctx);
322a10482eaSJohn Baldwin 	return (valid);
323a10482eaSJohn Baldwin }
324a10482eaSJohn Baldwin 
325a10482eaSJohn Baldwin static void
326a10482eaSJohn Baldwin build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg,
327a10482eaSJohn Baldwin     int minor, uint64_t seqno, struct tls_enable *en)
328a10482eaSJohn Baldwin {
329a10482eaSJohn Baldwin 	u_int auth_key_len, iv_len;
330a10482eaSJohn Baldwin 
331a10482eaSJohn Baldwin 	memset(en, 0, sizeof(*en));
332a10482eaSJohn Baldwin 
333a10482eaSJohn Baldwin 	switch (cipher_alg) {
334a10482eaSJohn Baldwin 	case CRYPTO_AES_CBC:
335a10482eaSJohn Baldwin 		if (minor == TLS_MINOR_VER_ZERO)
336a10482eaSJohn Baldwin 			iv_len = AES_BLOCK_LEN;
337a10482eaSJohn Baldwin 		else
338a10482eaSJohn Baldwin 			iv_len = 0;
339a10482eaSJohn Baldwin 		break;
340a10482eaSJohn Baldwin 	case CRYPTO_AES_NIST_GCM_16:
341a10482eaSJohn Baldwin 		if (minor == TLS_MINOR_VER_TWO)
342a10482eaSJohn Baldwin 			iv_len = TLS_AEAD_GCM_LEN;
343a10482eaSJohn Baldwin 		else
344a10482eaSJohn Baldwin 			iv_len = TLS_1_3_GCM_IV_LEN;
345a10482eaSJohn Baldwin 		break;
346a10482eaSJohn Baldwin 	case CRYPTO_CHACHA20_POLY1305:
347a10482eaSJohn Baldwin 		iv_len = TLS_CHACHA20_IV_LEN;
348a10482eaSJohn Baldwin 		break;
349a10482eaSJohn Baldwin 	default:
350a10482eaSJohn Baldwin 		iv_len = 0;
351a10482eaSJohn Baldwin 		break;
352a10482eaSJohn Baldwin 	}
353a10482eaSJohn Baldwin 	switch (auth_alg) {
354a10482eaSJohn Baldwin 	case CRYPTO_SHA1_HMAC:
355a10482eaSJohn Baldwin 		auth_key_len = SHA1_HASH_LEN;
356a10482eaSJohn Baldwin 		break;
357a10482eaSJohn Baldwin 	case CRYPTO_SHA2_256_HMAC:
358a10482eaSJohn Baldwin 		auth_key_len = SHA2_256_HASH_LEN;
359a10482eaSJohn Baldwin 		break;
360a10482eaSJohn Baldwin 	case CRYPTO_SHA2_384_HMAC:
361a10482eaSJohn Baldwin 		auth_key_len = SHA2_384_HASH_LEN;
362a10482eaSJohn Baldwin 		break;
363a10482eaSJohn Baldwin 	default:
364a10482eaSJohn Baldwin 		auth_key_len = 0;
365a10482eaSJohn Baldwin 		break;
366a10482eaSJohn Baldwin 	}
367a10482eaSJohn Baldwin 	en->cipher_key = alloc_buffer(cipher_key_len);
368a10482eaSJohn Baldwin 	en->iv = alloc_buffer(iv_len);
369a10482eaSJohn Baldwin 	en->auth_key = alloc_buffer(auth_key_len);
370a10482eaSJohn Baldwin 	en->cipher_algorithm = cipher_alg;
371a10482eaSJohn Baldwin 	en->cipher_key_len = cipher_key_len;
372a10482eaSJohn Baldwin 	en->iv_len = iv_len;
373a10482eaSJohn Baldwin 	en->auth_algorithm = auth_alg;
374a10482eaSJohn Baldwin 	en->auth_key_len = auth_key_len;
375a10482eaSJohn Baldwin 	en->tls_vmajor = TLS_MAJOR_VER_ONE;
376a10482eaSJohn Baldwin 	en->tls_vminor = minor;
377a10482eaSJohn Baldwin 	be64enc(en->rec_seq, seqno);
378a10482eaSJohn Baldwin }
379a10482eaSJohn Baldwin 
380a10482eaSJohn Baldwin static void
381a10482eaSJohn Baldwin free_tls_enable(struct tls_enable *en)
382a10482eaSJohn Baldwin {
383a10482eaSJohn Baldwin 	free(__DECONST(void *, en->cipher_key));
384a10482eaSJohn Baldwin 	free(__DECONST(void *, en->iv));
385a10482eaSJohn Baldwin 	free(__DECONST(void *, en->auth_key));
386a10482eaSJohn Baldwin }
387a10482eaSJohn Baldwin 
388a10482eaSJohn Baldwin static const EVP_CIPHER *
389a10482eaSJohn Baldwin tls_EVP_CIPHER(const struct tls_enable *en)
390a10482eaSJohn Baldwin {
391a10482eaSJohn Baldwin 	switch (en->cipher_algorithm) {
392a10482eaSJohn Baldwin 	case CRYPTO_AES_CBC:
393a10482eaSJohn Baldwin 		switch (en->cipher_key_len) {
394a10482eaSJohn Baldwin 		case 128 / 8:
395a10482eaSJohn Baldwin 			return (EVP_aes_128_cbc());
396a10482eaSJohn Baldwin 		case 256 / 8:
397a10482eaSJohn Baldwin 			return (EVP_aes_256_cbc());
398a10482eaSJohn Baldwin 		default:
399a10482eaSJohn Baldwin 			return (NULL);
400a10482eaSJohn Baldwin 		}
401a10482eaSJohn Baldwin 		break;
402a10482eaSJohn Baldwin 	case CRYPTO_AES_NIST_GCM_16:
403a10482eaSJohn Baldwin 		switch (en->cipher_key_len) {
404a10482eaSJohn Baldwin 		case 128 / 8:
405a10482eaSJohn Baldwin 			return (EVP_aes_128_gcm());
406a10482eaSJohn Baldwin 		case 256 / 8:
407a10482eaSJohn Baldwin 			return (EVP_aes_256_gcm());
408a10482eaSJohn Baldwin 		default:
409a10482eaSJohn Baldwin 			return (NULL);
410a10482eaSJohn Baldwin 		}
411a10482eaSJohn Baldwin 		break;
412a10482eaSJohn Baldwin 	case CRYPTO_CHACHA20_POLY1305:
413a10482eaSJohn Baldwin 		return (EVP_chacha20_poly1305());
414a10482eaSJohn Baldwin 	default:
415a10482eaSJohn Baldwin 		return (NULL);
416a10482eaSJohn Baldwin 	}
417a10482eaSJohn Baldwin }
418a10482eaSJohn Baldwin 
419a10482eaSJohn Baldwin static const EVP_MD *
420a10482eaSJohn Baldwin tls_EVP_MD(const struct tls_enable *en)
421a10482eaSJohn Baldwin {
422a10482eaSJohn Baldwin 	switch (en->auth_algorithm) {
423a10482eaSJohn Baldwin 	case CRYPTO_SHA1_HMAC:
424a10482eaSJohn Baldwin 		return (EVP_sha1());
425a10482eaSJohn Baldwin 	case CRYPTO_SHA2_256_HMAC:
426a10482eaSJohn Baldwin 		return (EVP_sha256());
427a10482eaSJohn Baldwin 	case CRYPTO_SHA2_384_HMAC:
428a10482eaSJohn Baldwin 		return (EVP_sha384());
429a10482eaSJohn Baldwin 	default:
430a10482eaSJohn Baldwin 		return (NULL);
431a10482eaSJohn Baldwin 	}
432a10482eaSJohn Baldwin }
433a10482eaSJohn Baldwin 
434a10482eaSJohn Baldwin static size_t
435a10482eaSJohn Baldwin tls_header_len(struct tls_enable *en)
436a10482eaSJohn Baldwin {
437a10482eaSJohn Baldwin 	size_t len;
438a10482eaSJohn Baldwin 
439a10482eaSJohn Baldwin 	len = sizeof(struct tls_record_layer);
440a10482eaSJohn Baldwin 	switch (en->cipher_algorithm) {
441a10482eaSJohn Baldwin 	case CRYPTO_AES_CBC:
442a10482eaSJohn Baldwin 		if (en->tls_vminor != TLS_MINOR_VER_ZERO)
443a10482eaSJohn Baldwin 			len += AES_BLOCK_LEN;
444a10482eaSJohn Baldwin 		return (len);
445a10482eaSJohn Baldwin 	case CRYPTO_AES_NIST_GCM_16:
446a10482eaSJohn Baldwin 		if (en->tls_vminor == TLS_MINOR_VER_TWO)
447a10482eaSJohn Baldwin 			len += sizeof(uint64_t);
448a10482eaSJohn Baldwin 		return (len);
449a10482eaSJohn Baldwin 	case CRYPTO_CHACHA20_POLY1305:
450a10482eaSJohn Baldwin 		return (len);
451a10482eaSJohn Baldwin 	default:
452a10482eaSJohn Baldwin 		return (0);
453a10482eaSJohn Baldwin 	}
454a10482eaSJohn Baldwin }
455a10482eaSJohn Baldwin 
456a10482eaSJohn Baldwin static size_t
457a10482eaSJohn Baldwin tls_mac_len(struct tls_enable *en)
458a10482eaSJohn Baldwin {
459a10482eaSJohn Baldwin 	switch (en->cipher_algorithm) {
460a10482eaSJohn Baldwin 	case CRYPTO_AES_CBC:
461a10482eaSJohn Baldwin 		switch (en->auth_algorithm) {
462a10482eaSJohn Baldwin 		case CRYPTO_SHA1_HMAC:
463a10482eaSJohn Baldwin 			return (SHA1_HASH_LEN);
464a10482eaSJohn Baldwin 		case CRYPTO_SHA2_256_HMAC:
465a10482eaSJohn Baldwin 			return (SHA2_256_HASH_LEN);
466a10482eaSJohn Baldwin 		case CRYPTO_SHA2_384_HMAC:
467a10482eaSJohn Baldwin 			return (SHA2_384_HASH_LEN);
468a10482eaSJohn Baldwin 		default:
469a10482eaSJohn Baldwin 			return (0);
470a10482eaSJohn Baldwin 		}
471a10482eaSJohn Baldwin 	case CRYPTO_AES_NIST_GCM_16:
472a10482eaSJohn Baldwin 		return (AES_GMAC_HASH_LEN);
473a10482eaSJohn Baldwin 	case CRYPTO_CHACHA20_POLY1305:
474a10482eaSJohn Baldwin 		return (POLY1305_HASH_LEN);
475a10482eaSJohn Baldwin 	default:
476a10482eaSJohn Baldwin 		return (0);
477a10482eaSJohn Baldwin 	}
478a10482eaSJohn Baldwin }
479a10482eaSJohn Baldwin 
480a10482eaSJohn Baldwin /* Includes maximum padding for MTE. */
481a10482eaSJohn Baldwin static size_t
482a10482eaSJohn Baldwin tls_trailer_len(struct tls_enable *en)
483a10482eaSJohn Baldwin {
484a10482eaSJohn Baldwin 	size_t len;
485a10482eaSJohn Baldwin 
486a10482eaSJohn Baldwin 	len = tls_mac_len(en);
487a10482eaSJohn Baldwin 	if (en->cipher_algorithm == CRYPTO_AES_CBC)
488a10482eaSJohn Baldwin 		len += AES_BLOCK_LEN;
489a10482eaSJohn Baldwin 	if (en->tls_vminor == TLS_MINOR_VER_THREE)
490a10482eaSJohn Baldwin 		len++;
491a10482eaSJohn Baldwin 	return (len);
492a10482eaSJohn Baldwin }
493a10482eaSJohn Baldwin 
494a10482eaSJohn Baldwin /* 'len' is the length of the payload application data. */
495a10482eaSJohn Baldwin static void
496a10482eaSJohn Baldwin tls_mte_aad(struct tls_enable *en, size_t len,
497a10482eaSJohn Baldwin     const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad)
498a10482eaSJohn Baldwin {
499a10482eaSJohn Baldwin 	ad->seq = htobe64(seqno);
500a10482eaSJohn Baldwin 	ad->type = hdr->tls_type;
501a10482eaSJohn Baldwin 	ad->tls_vmajor = hdr->tls_vmajor;
502a10482eaSJohn Baldwin 	ad->tls_vminor = hdr->tls_vminor;
503a10482eaSJohn Baldwin 	ad->tls_length = htons(len);
504a10482eaSJohn Baldwin }
505a10482eaSJohn Baldwin 
506a10482eaSJohn Baldwin static void
507a10482eaSJohn Baldwin tls_12_aead_aad(struct tls_enable *en, size_t len,
508a10482eaSJohn Baldwin     const struct tls_record_layer *hdr, uint64_t seqno,
509a10482eaSJohn Baldwin     struct tls_aead_data *ad)
510a10482eaSJohn Baldwin {
511a10482eaSJohn Baldwin 	ad->seq = htobe64(seqno);
512a10482eaSJohn Baldwin 	ad->type = hdr->tls_type;
513a10482eaSJohn Baldwin 	ad->tls_vmajor = hdr->tls_vmajor;
514a10482eaSJohn Baldwin 	ad->tls_vminor = hdr->tls_vminor;
515a10482eaSJohn Baldwin 	ad->tls_length = htons(len);
516a10482eaSJohn Baldwin }
517a10482eaSJohn Baldwin 
518a10482eaSJohn Baldwin static void
519a10482eaSJohn Baldwin tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr,
520a10482eaSJohn Baldwin     uint64_t seqno, struct tls_aead_data_13 *ad)
521a10482eaSJohn Baldwin {
522a10482eaSJohn Baldwin 	ad->type = hdr->tls_type;
523a10482eaSJohn Baldwin 	ad->tls_vmajor = hdr->tls_vmajor;
524a10482eaSJohn Baldwin 	ad->tls_vminor = hdr->tls_vminor;
525a10482eaSJohn Baldwin 	ad->tls_length = hdr->tls_length;
526a10482eaSJohn Baldwin }
527a10482eaSJohn Baldwin 
528a10482eaSJohn Baldwin static void
529a10482eaSJohn Baldwin tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr,
530a10482eaSJohn Baldwin     char *nonce)
531a10482eaSJohn Baldwin {
532a10482eaSJohn Baldwin 	memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN);
533a10482eaSJohn Baldwin 	memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
534a10482eaSJohn Baldwin }
535a10482eaSJohn Baldwin 
536a10482eaSJohn Baldwin static void
537a10482eaSJohn Baldwin tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce)
538a10482eaSJohn Baldwin {
539a10482eaSJohn Baldwin 	static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN,
540a10482eaSJohn Baldwin 	    "TLS 1.3 nonce length mismatch");
541a10482eaSJohn Baldwin 	memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN);
542a10482eaSJohn Baldwin 	*(uint64_t *)(nonce + 4) ^= htobe64(seqno);
543a10482eaSJohn Baldwin }
544a10482eaSJohn Baldwin 
545a10482eaSJohn Baldwin /*
546a10482eaSJohn Baldwin  * Decrypt a TLS record 'len' bytes long at 'src' and store the result at
547a10482eaSJohn Baldwin  * 'dst'.  If the TLS record header length doesn't match or 'dst' doesn't
548a10482eaSJohn Baldwin  * have sufficient room ('avail'), fail the test.
549a10482eaSJohn Baldwin  */
550a10482eaSJohn Baldwin static size_t
551a10482eaSJohn Baldwin decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src,
552a10482eaSJohn Baldwin     size_t len, void *dst, size_t avail, uint8_t *record_type)
553a10482eaSJohn Baldwin {
554a10482eaSJohn Baldwin 	const struct tls_record_layer *hdr;
555a10482eaSJohn Baldwin 	struct tls_mac_data aad;
556a10482eaSJohn Baldwin 	const char *iv;
557a10482eaSJohn Baldwin 	char *buf;
558a10482eaSJohn Baldwin 	size_t hdr_len, mac_len, payload_len;
559a10482eaSJohn Baldwin 	int padding;
560a10482eaSJohn Baldwin 
561a10482eaSJohn Baldwin 	hdr = src;
562a10482eaSJohn Baldwin 	hdr_len = tls_header_len(en);
563a10482eaSJohn Baldwin 	mac_len = tls_mac_len(en);
564a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
565a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor);
566a10482eaSJohn Baldwin 
567a10482eaSJohn Baldwin 	/* First, decrypt the outer payload into a temporary buffer. */
568a10482eaSJohn Baldwin 	payload_len = len - hdr_len;
569a10482eaSJohn Baldwin 	buf = malloc(payload_len);
570a10482eaSJohn Baldwin 	if (en->tls_vminor == TLS_MINOR_VER_ZERO)
571a10482eaSJohn Baldwin 		iv = en->iv;
572a10482eaSJohn Baldwin 	else
573a10482eaSJohn Baldwin 		iv = (void *)(hdr + 1);
574a10482eaSJohn Baldwin 	ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv,
575a10482eaSJohn Baldwin 	    (const u_char *)src + hdr_len, buf, payload_len));
576a10482eaSJohn Baldwin 
577a10482eaSJohn Baldwin 	/*
578a10482eaSJohn Baldwin 	 * Copy the last encrypted block to use as the IV for the next
579a10482eaSJohn Baldwin 	 * record for TLS 1.0.
580a10482eaSJohn Baldwin 	 */
581a10482eaSJohn Baldwin 	if (en->tls_vminor == TLS_MINOR_VER_ZERO)
582a10482eaSJohn Baldwin 		memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src +
583a10482eaSJohn Baldwin 		    (len - AES_BLOCK_LEN), AES_BLOCK_LEN);
584a10482eaSJohn Baldwin 
585a10482eaSJohn Baldwin 	/*
586a10482eaSJohn Baldwin 	 * Verify trailing padding and strip.
587a10482eaSJohn Baldwin 	 *
588a10482eaSJohn Baldwin 	 * The kernel always generates the smallest amount of padding.
589a10482eaSJohn Baldwin 	 */
590a10482eaSJohn Baldwin 	padding = buf[payload_len - 1] + 1;
591a10482eaSJohn Baldwin 	ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN);
592a10482eaSJohn Baldwin 	ATF_REQUIRE(payload_len >= mac_len + padding);
593a10482eaSJohn Baldwin 	payload_len -= padding;
594a10482eaSJohn Baldwin 
595a10482eaSJohn Baldwin 	/* Verify HMAC. */
596a10482eaSJohn Baldwin 	payload_len -= mac_len;
597a10482eaSJohn Baldwin 	tls_mte_aad(en, payload_len, hdr, seqno, &aad);
598a10482eaSJohn Baldwin 	ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len,
599a10482eaSJohn Baldwin 	    &aad, sizeof(aad), buf, payload_len, buf + payload_len));
600a10482eaSJohn Baldwin 
601a10482eaSJohn Baldwin 	ATF_REQUIRE(payload_len <= avail);
602a10482eaSJohn Baldwin 	memcpy(dst, buf, payload_len);
603a10482eaSJohn Baldwin 	*record_type = hdr->tls_type;
604a10482eaSJohn Baldwin 	return (payload_len);
605a10482eaSJohn Baldwin }
606a10482eaSJohn Baldwin 
607a10482eaSJohn Baldwin static size_t
608a10482eaSJohn Baldwin decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src,
609a10482eaSJohn Baldwin     size_t len, void *dst, uint8_t *record_type)
610a10482eaSJohn Baldwin {
611a10482eaSJohn Baldwin 	const struct tls_record_layer *hdr;
612a10482eaSJohn Baldwin 	struct tls_aead_data aad;
613a10482eaSJohn Baldwin 	char nonce[12];
614a10482eaSJohn Baldwin 	size_t hdr_len, mac_len, payload_len;
615a10482eaSJohn Baldwin 
616a10482eaSJohn Baldwin 	hdr = src;
617a10482eaSJohn Baldwin 
618a10482eaSJohn Baldwin 	hdr_len = tls_header_len(en);
619a10482eaSJohn Baldwin 	mac_len = tls_mac_len(en);
620a10482eaSJohn Baldwin 	payload_len = len - (hdr_len + mac_len);
621a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
622a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO);
623a10482eaSJohn Baldwin 
624a10482eaSJohn Baldwin 	tls_12_aead_aad(en, payload_len, hdr, seqno, &aad);
625a10482eaSJohn Baldwin 	if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
626a10482eaSJohn Baldwin 		tls_12_gcm_nonce(en, hdr, nonce);
627a10482eaSJohn Baldwin 	else
628a10482eaSJohn Baldwin 		tls_13_nonce(en, seqno, nonce);
629a10482eaSJohn Baldwin 
630a10482eaSJohn Baldwin 	ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
631a10482eaSJohn Baldwin 	    &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len,
632a10482eaSJohn Baldwin 	    (const char *)src + hdr_len + payload_len, mac_len));
633a10482eaSJohn Baldwin 
634a10482eaSJohn Baldwin 	*record_type = hdr->tls_type;
635a10482eaSJohn Baldwin 	return (payload_len);
636a10482eaSJohn Baldwin }
637a10482eaSJohn Baldwin 
638a10482eaSJohn Baldwin static size_t
639a10482eaSJohn Baldwin decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src,
640a10482eaSJohn Baldwin     size_t len, void *dst, uint8_t *record_type)
641a10482eaSJohn Baldwin {
642a10482eaSJohn Baldwin 	const struct tls_record_layer *hdr;
643a10482eaSJohn Baldwin 	struct tls_aead_data_13 aad;
644a10482eaSJohn Baldwin 	char nonce[12];
645a10482eaSJohn Baldwin 	char *buf;
646a10482eaSJohn Baldwin 	size_t hdr_len, mac_len, payload_len;
647a10482eaSJohn Baldwin 
648a10482eaSJohn Baldwin 	hdr = src;
649a10482eaSJohn Baldwin 
650a10482eaSJohn Baldwin 	hdr_len = tls_header_len(en);
651a10482eaSJohn Baldwin 	mac_len = tls_mac_len(en);
652a10482eaSJohn Baldwin 	payload_len = len - (hdr_len + mac_len);
653a10482eaSJohn Baldwin 	ATF_REQUIRE(payload_len >= 1);
654a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP);
655a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
656a10482eaSJohn Baldwin 	ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO);
657a10482eaSJohn Baldwin 
658a10482eaSJohn Baldwin 	tls_13_aad(en, hdr, seqno, &aad);
659a10482eaSJohn Baldwin 	tls_13_nonce(en, seqno, nonce);
660a10482eaSJohn Baldwin 
661a10482eaSJohn Baldwin 	/*
662a10482eaSJohn Baldwin 	 * Have to use a temporary buffer for the output due to the
663a10482eaSJohn Baldwin 	 * record type as the last byte of the trailer.
664a10482eaSJohn Baldwin 	 */
665a10482eaSJohn Baldwin 	buf = malloc(payload_len);
666a10482eaSJohn Baldwin 
667a10482eaSJohn Baldwin 	ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
668a10482eaSJohn Baldwin 	    &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len,
669a10482eaSJohn Baldwin 	    (const char *)src + hdr_len + payload_len, mac_len));
670a10482eaSJohn Baldwin 
671a10482eaSJohn Baldwin 	/* Trim record type. */
672a10482eaSJohn Baldwin 	*record_type = buf[payload_len - 1];
673a10482eaSJohn Baldwin 	payload_len--;
674a10482eaSJohn Baldwin 
675a10482eaSJohn Baldwin 	memcpy(dst, buf, payload_len);
676a10482eaSJohn Baldwin 	free(buf);
677a10482eaSJohn Baldwin 
678a10482eaSJohn Baldwin 	return (payload_len);
679a10482eaSJohn Baldwin }
680a10482eaSJohn Baldwin 
681a10482eaSJohn Baldwin static size_t
682a10482eaSJohn Baldwin decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src,
683a10482eaSJohn Baldwin     size_t len, void *dst, size_t avail, uint8_t *record_type)
684a10482eaSJohn Baldwin {
685a10482eaSJohn Baldwin 	const struct tls_record_layer *hdr;
686a10482eaSJohn Baldwin 	size_t payload_len;
687a10482eaSJohn Baldwin 
688a10482eaSJohn Baldwin 	hdr = src;
689a10482eaSJohn Baldwin 	ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len);
690a10482eaSJohn Baldwin 
691a10482eaSJohn Baldwin 	payload_len = len - (tls_header_len(en) + tls_trailer_len(en));
692a10482eaSJohn Baldwin 	ATF_REQUIRE(payload_len <= avail);
693a10482eaSJohn Baldwin 
694a10482eaSJohn Baldwin 	if (en->tls_vminor == TLS_MINOR_VER_TWO) {
695a10482eaSJohn Baldwin 		ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst,
696a10482eaSJohn Baldwin 		    record_type) == payload_len);
697a10482eaSJohn Baldwin 	} else {
698a10482eaSJohn Baldwin 		ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst,
699a10482eaSJohn Baldwin 		    record_type) == payload_len);
700a10482eaSJohn Baldwin 	}
701a10482eaSJohn Baldwin 
702a10482eaSJohn Baldwin 	return (payload_len);
703a10482eaSJohn Baldwin }
704a10482eaSJohn Baldwin 
705a10482eaSJohn Baldwin static size_t
706a10482eaSJohn Baldwin decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src,
707a10482eaSJohn Baldwin     size_t len, void *dst, size_t avail, uint8_t *record_type)
708a10482eaSJohn Baldwin {
709a10482eaSJohn Baldwin 	if (en->cipher_algorithm == CRYPTO_AES_CBC)
710a10482eaSJohn Baldwin 		return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail,
711a10482eaSJohn Baldwin 		    record_type));
712a10482eaSJohn Baldwin 	else
713a10482eaSJohn Baldwin 		return (decrypt_tls_aead(en, seqno, src, len, dst, avail,
714a10482eaSJohn Baldwin 		    record_type));
715a10482eaSJohn Baldwin }
716a10482eaSJohn Baldwin 
717a10482eaSJohn Baldwin static void
718a10482eaSJohn Baldwin test_ktls_transmit_app_data(struct tls_enable *en, uint64_t seqno, size_t len)
719a10482eaSJohn Baldwin {
720a10482eaSJohn Baldwin 	struct kevent ev;
721a10482eaSJohn Baldwin 	struct tls_record_layer *hdr;
722a10482eaSJohn Baldwin 	char *plaintext, *decrypted, *outbuf;
723a10482eaSJohn Baldwin 	size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written;
724a10482eaSJohn Baldwin 	ssize_t rv;
725a10482eaSJohn Baldwin 	int kq, sockets[2];
726a10482eaSJohn Baldwin 	uint8_t record_type;
727a10482eaSJohn Baldwin 
728a10482eaSJohn Baldwin 	plaintext = alloc_buffer(len);
729a10482eaSJohn Baldwin 	decrypted = malloc(len);
730a10482eaSJohn Baldwin 	outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 +
731a10482eaSJohn Baldwin 	    tls_trailer_len(en);
732a10482eaSJohn Baldwin 	outbuf = malloc(outbuf_cap);
733a10482eaSJohn Baldwin 	hdr = (struct tls_record_layer *)outbuf;
734a10482eaSJohn Baldwin 
735a10482eaSJohn Baldwin 	ATF_REQUIRE((kq = kqueue()) != -1);
736a10482eaSJohn Baldwin 
737a10482eaSJohn Baldwin 	ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets");
738a10482eaSJohn Baldwin 
739a10482eaSJohn Baldwin 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
740a10482eaSJohn Baldwin 	    sizeof(*en)) == 0);
741a10482eaSJohn Baldwin 
742a10482eaSJohn Baldwin 	EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL);
743a10482eaSJohn Baldwin 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
744a10482eaSJohn Baldwin 	EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL);
745a10482eaSJohn Baldwin 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
746a10482eaSJohn Baldwin 
747a10482eaSJohn Baldwin 	decrypted_len = 0;
748a10482eaSJohn Baldwin 	outbuf_len = 0;
749a10482eaSJohn Baldwin 	written = 0;
750a10482eaSJohn Baldwin 
751a10482eaSJohn Baldwin 	while (decrypted_len != len) {
752a10482eaSJohn Baldwin 		ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1);
753a10482eaSJohn Baldwin 
754a10482eaSJohn Baldwin 		switch (ev.filter) {
755a10482eaSJohn Baldwin 		case EVFILT_WRITE:
756a10482eaSJohn Baldwin 			/* Try to write any remaining data. */
757a10482eaSJohn Baldwin 			rv = write(ev.ident, plaintext + written,
758a10482eaSJohn Baldwin 			    len - written);
759a10482eaSJohn Baldwin 			ATF_REQUIRE_MSG(rv > 0,
760a10482eaSJohn Baldwin 			    "failed to write to socket");
761a10482eaSJohn Baldwin 			written += rv;
762a10482eaSJohn Baldwin 			if (written == len) {
763a10482eaSJohn Baldwin 				ev.flags = EV_DISABLE;
764a10482eaSJohn Baldwin 				ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0,
765a10482eaSJohn Baldwin 				    NULL) == 0);
766a10482eaSJohn Baldwin 			}
767a10482eaSJohn Baldwin 			break;
768a10482eaSJohn Baldwin 
769a10482eaSJohn Baldwin 		case EVFILT_READ:
770a10482eaSJohn Baldwin 			ATF_REQUIRE((ev.flags & EV_EOF) == 0);
771a10482eaSJohn Baldwin 
772a10482eaSJohn Baldwin 			/*
773a10482eaSJohn Baldwin 			 * Try to read data for the next TLS record
774a10482eaSJohn Baldwin 			 * into outbuf.  Start by reading the header
775a10482eaSJohn Baldwin 			 * to determine how much additional data to
776a10482eaSJohn Baldwin 			 * read.
777a10482eaSJohn Baldwin 			 */
778a10482eaSJohn Baldwin 			if (outbuf_len < sizeof(struct tls_record_layer)) {
779a10482eaSJohn Baldwin 				rv = read(ev.ident, outbuf + outbuf_len,
780a10482eaSJohn Baldwin 				    sizeof(struct tls_record_layer) -
781a10482eaSJohn Baldwin 				    outbuf_len);
782a10482eaSJohn Baldwin 				ATF_REQUIRE_MSG(rv > 0,
783a10482eaSJohn Baldwin 				    "failed to read from socket");
784a10482eaSJohn Baldwin 				outbuf_len += rv;
785a10482eaSJohn Baldwin 			}
786a10482eaSJohn Baldwin 
787a10482eaSJohn Baldwin 			if (outbuf_len < sizeof(struct tls_record_layer))
788a10482eaSJohn Baldwin 				break;
789a10482eaSJohn Baldwin 
790a10482eaSJohn Baldwin 			record_len = sizeof(struct tls_record_layer) +
791a10482eaSJohn Baldwin 			    ntohs(hdr->tls_length);
792a10482eaSJohn Baldwin 			assert(record_len <= outbuf_cap);
793a10482eaSJohn Baldwin 			assert(record_len > outbuf_len);
794a10482eaSJohn Baldwin 			rv = read(ev.ident, outbuf + outbuf_len,
795a10482eaSJohn Baldwin 			    record_len - outbuf_len);
796a10482eaSJohn Baldwin 			if (rv == -1 && errno == EAGAIN)
797a10482eaSJohn Baldwin 				break;
798a10482eaSJohn Baldwin 			ATF_REQUIRE_MSG(rv > 0, "failed to read from socket");
799a10482eaSJohn Baldwin 
800a10482eaSJohn Baldwin 			outbuf_len += rv;
801a10482eaSJohn Baldwin 			if (outbuf_len == record_len) {
802a10482eaSJohn Baldwin 				decrypted_len += decrypt_tls_record(en, seqno,
803a10482eaSJohn Baldwin 				    outbuf, outbuf_len,
804a10482eaSJohn Baldwin 				    decrypted + decrypted_len,
805a10482eaSJohn Baldwin 				    len - decrypted_len, &record_type);
806a10482eaSJohn Baldwin 				ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
807a10482eaSJohn Baldwin 
808a10482eaSJohn Baldwin 				seqno++;
809a10482eaSJohn Baldwin 				outbuf_len = 0;
810a10482eaSJohn Baldwin 			}
811a10482eaSJohn Baldwin 			break;
812a10482eaSJohn Baldwin 		}
813a10482eaSJohn Baldwin 	}
814a10482eaSJohn Baldwin 
815a10482eaSJohn Baldwin 	ATF_REQUIRE_MSG(written == decrypted_len,
816a10482eaSJohn Baldwin 	    "read %zu decrypted bytes, but wrote %zu", decrypted_len, written);
817a10482eaSJohn Baldwin 
818a10482eaSJohn Baldwin 	ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
819a10482eaSJohn Baldwin 
820a10482eaSJohn Baldwin 	free(outbuf);
821a10482eaSJohn Baldwin 	free(decrypted);
822a10482eaSJohn Baldwin 	free(plaintext);
823a10482eaSJohn Baldwin 
824a10482eaSJohn Baldwin 	close(sockets[1]);
825a10482eaSJohn Baldwin 	close(sockets[0]);
826a10482eaSJohn Baldwin 	close(kq);
827a10482eaSJohn Baldwin }
828a10482eaSJohn Baldwin 
829a10482eaSJohn Baldwin static void
830a10482eaSJohn Baldwin ktls_send_control_message(int fd, uint8_t type, void *data, size_t len)
831a10482eaSJohn Baldwin {
832a10482eaSJohn Baldwin 	struct msghdr msg;
833a10482eaSJohn Baldwin 	struct cmsghdr *cmsg;
834a10482eaSJohn Baldwin 	char cbuf[CMSG_SPACE(sizeof(type))];
835a10482eaSJohn Baldwin 	struct iovec iov;
836a10482eaSJohn Baldwin 
837a10482eaSJohn Baldwin 	memset(&msg, 0, sizeof(msg));
838a10482eaSJohn Baldwin 
839a10482eaSJohn Baldwin 	msg.msg_control = cbuf;
840a10482eaSJohn Baldwin 	msg.msg_controllen = sizeof(cbuf);
841a10482eaSJohn Baldwin 	cmsg = CMSG_FIRSTHDR(&msg);
842a10482eaSJohn Baldwin 	cmsg->cmsg_level = IPPROTO_TCP;
843a10482eaSJohn Baldwin 	cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
844a10482eaSJohn Baldwin 	cmsg->cmsg_len = CMSG_LEN(sizeof(type));
845a10482eaSJohn Baldwin 	*(uint8_t *)CMSG_DATA(cmsg) = type;
846a10482eaSJohn Baldwin 
847a10482eaSJohn Baldwin 	iov.iov_base = data;
848a10482eaSJohn Baldwin 	iov.iov_len = len;
849a10482eaSJohn Baldwin 	msg.msg_iov = &iov;
850a10482eaSJohn Baldwin 	msg.msg_iovlen = 1;
851a10482eaSJohn Baldwin 
852a10482eaSJohn Baldwin 	ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len);
853a10482eaSJohn Baldwin }
854a10482eaSJohn Baldwin 
855a10482eaSJohn Baldwin static void
856a10482eaSJohn Baldwin test_ktls_transmit_control(struct tls_enable *en, uint64_t seqno, uint8_t type,
857a10482eaSJohn Baldwin     size_t len)
858a10482eaSJohn Baldwin {
859a10482eaSJohn Baldwin 	struct tls_record_layer *hdr;
860a10482eaSJohn Baldwin 	char *plaintext, *decrypted, *outbuf;
861a10482eaSJohn Baldwin 	size_t outbuf_cap, payload_len, record_len;
862a10482eaSJohn Baldwin 	ssize_t rv;
863a10482eaSJohn Baldwin 	int sockets[2];
864a10482eaSJohn Baldwin 	uint8_t record_type;
865a10482eaSJohn Baldwin 
866a10482eaSJohn Baldwin 	ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
867a10482eaSJohn Baldwin 
868a10482eaSJohn Baldwin 	plaintext = alloc_buffer(len);
869a10482eaSJohn Baldwin 	decrypted = malloc(len);
870a10482eaSJohn Baldwin 	outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
871a10482eaSJohn Baldwin 	outbuf = malloc(outbuf_cap);
872a10482eaSJohn Baldwin 	hdr = (struct tls_record_layer *)outbuf;
873a10482eaSJohn Baldwin 
874a10482eaSJohn Baldwin 	ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets");
875a10482eaSJohn Baldwin 
876a10482eaSJohn Baldwin 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
877a10482eaSJohn Baldwin 	    sizeof(*en)) == 0);
878a10482eaSJohn Baldwin 
879a10482eaSJohn Baldwin 	fd_set_blocking(sockets[0]);
880a10482eaSJohn Baldwin 	fd_set_blocking(sockets[1]);
881a10482eaSJohn Baldwin 
882a10482eaSJohn Baldwin 	ktls_send_control_message(sockets[1], type, plaintext, len);
883a10482eaSJohn Baldwin 
884a10482eaSJohn Baldwin 	/*
885a10482eaSJohn Baldwin 	 * First read the header to determine how much additional data
886a10482eaSJohn Baldwin 	 * to read.
887a10482eaSJohn Baldwin 	 */
888a10482eaSJohn Baldwin 	rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
889a10482eaSJohn Baldwin 	ATF_REQUIRE(rv == sizeof(struct tls_record_layer));
890a10482eaSJohn Baldwin 	payload_len = ntohs(hdr->tls_length);
891a10482eaSJohn Baldwin 	record_len = payload_len + sizeof(struct tls_record_layer);
892a10482eaSJohn Baldwin 	assert(record_len <= outbuf_cap);
893a10482eaSJohn Baldwin 	rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
894a10482eaSJohn Baldwin 	    payload_len);
895a10482eaSJohn Baldwin 	ATF_REQUIRE(rv == (ssize_t)payload_len);
896a10482eaSJohn Baldwin 
897a10482eaSJohn Baldwin 	rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len,
898a10482eaSJohn Baldwin 	    &record_type);
899a10482eaSJohn Baldwin 
900a10482eaSJohn Baldwin 	ATF_REQUIRE_MSG((ssize_t)len == rv,
901a10482eaSJohn Baldwin 	    "read %zd decrypted bytes, but wrote %zu", rv, len);
902a10482eaSJohn Baldwin 	ATF_REQUIRE(record_type == type);
903a10482eaSJohn Baldwin 
904a10482eaSJohn Baldwin 	ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
905a10482eaSJohn Baldwin 
906a10482eaSJohn Baldwin 	free(outbuf);
907a10482eaSJohn Baldwin 	free(decrypted);
908a10482eaSJohn Baldwin 	free(plaintext);
909a10482eaSJohn Baldwin 
910a10482eaSJohn Baldwin 	close(sockets[1]);
911a10482eaSJohn Baldwin 	close(sockets[0]);
912a10482eaSJohn Baldwin }
913a10482eaSJohn Baldwin 
914*0ff2a12aSJohn Baldwin static void
915*0ff2a12aSJohn Baldwin test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno)
916*0ff2a12aSJohn Baldwin {
917*0ff2a12aSJohn Baldwin 	struct tls_record_layer *hdr;
918*0ff2a12aSJohn Baldwin 	char *outbuf;
919*0ff2a12aSJohn Baldwin 	size_t outbuf_cap, payload_len, record_len;
920*0ff2a12aSJohn Baldwin 	ssize_t rv;
921*0ff2a12aSJohn Baldwin 	int sockets[2];
922*0ff2a12aSJohn Baldwin 	uint8_t record_type;
923*0ff2a12aSJohn Baldwin 
924*0ff2a12aSJohn Baldwin 	outbuf_cap = tls_header_len(en) + tls_trailer_len(en);
925*0ff2a12aSJohn Baldwin 	outbuf = malloc(outbuf_cap);
926*0ff2a12aSJohn Baldwin 	hdr = (struct tls_record_layer *)outbuf;
927*0ff2a12aSJohn Baldwin 
928*0ff2a12aSJohn Baldwin 	ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets");
929*0ff2a12aSJohn Baldwin 
930*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
931*0ff2a12aSJohn Baldwin 	    sizeof(*en)) == 0);
932*0ff2a12aSJohn Baldwin 
933*0ff2a12aSJohn Baldwin 	fd_set_blocking(sockets[0]);
934*0ff2a12aSJohn Baldwin 	fd_set_blocking(sockets[1]);
935*0ff2a12aSJohn Baldwin 
936*0ff2a12aSJohn Baldwin 	/* A write of zero bytes should send an empty fragment. */
937*0ff2a12aSJohn Baldwin 	rv = write(sockets[1], NULL, 0);
938*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(rv == 0);
939*0ff2a12aSJohn Baldwin 
940*0ff2a12aSJohn Baldwin 	/*
941*0ff2a12aSJohn Baldwin 	 * First read the header to determine how much additional data
942*0ff2a12aSJohn Baldwin 	 * to read.
943*0ff2a12aSJohn Baldwin 	 */
944*0ff2a12aSJohn Baldwin 	rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
945*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(rv == sizeof(struct tls_record_layer));
946*0ff2a12aSJohn Baldwin 	payload_len = ntohs(hdr->tls_length);
947*0ff2a12aSJohn Baldwin 	record_len = payload_len + sizeof(struct tls_record_layer);
948*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(record_len <= outbuf_cap);
949*0ff2a12aSJohn Baldwin 	rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
950*0ff2a12aSJohn Baldwin 	    payload_len);
951*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(rv == (ssize_t)payload_len);
952*0ff2a12aSJohn Baldwin 
953*0ff2a12aSJohn Baldwin 	rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0,
954*0ff2a12aSJohn Baldwin 	    &record_type);
955*0ff2a12aSJohn Baldwin 
956*0ff2a12aSJohn Baldwin 	ATF_REQUIRE_MSG(rv == 0,
957*0ff2a12aSJohn Baldwin 	    "read %zd decrypted bytes for an empty fragment", rv);
958*0ff2a12aSJohn Baldwin 	ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
959*0ff2a12aSJohn Baldwin 
960*0ff2a12aSJohn Baldwin 	free(outbuf);
961*0ff2a12aSJohn Baldwin 
962*0ff2a12aSJohn Baldwin 	close(sockets[1]);
963*0ff2a12aSJohn Baldwin 	close(sockets[0]);
964*0ff2a12aSJohn Baldwin }
965*0ff2a12aSJohn Baldwin 
966*0ff2a12aSJohn Baldwin #define	TLS_10_TESTS(M)							\
967*0ff2a12aSJohn Baldwin 	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
968*0ff2a12aSJohn Baldwin 	    CRYPTO_SHA1_HMAC)						\
969*0ff2a12aSJohn Baldwin 	M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8,			\
970*0ff2a12aSJohn Baldwin 	    CRYPTO_SHA1_HMAC)
971*0ff2a12aSJohn Baldwin 
972a10482eaSJohn Baldwin #define	AES_CBC_TESTS(M)						\
973a10482eaSJohn Baldwin 	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
974a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)			\
975a10482eaSJohn Baldwin 	M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8,			\
976a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)			\
977a10482eaSJohn Baldwin 	M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8,			\
978a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE)			\
979a10482eaSJohn Baldwin 	M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8,			\
980a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE)			\
981a10482eaSJohn Baldwin 	M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8,			\
982a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO)			\
983a10482eaSJohn Baldwin 	M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8,			\
984a10482eaSJohn Baldwin 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO)			\
985a10482eaSJohn Baldwin 	M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8,		\
986a10482eaSJohn Baldwin 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO)			\
987a10482eaSJohn Baldwin 	M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8,		\
988a10482eaSJohn Baldwin 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO)			\
989a10482eaSJohn Baldwin 	M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8,		\
990a10482eaSJohn Baldwin 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO)			\
991a10482eaSJohn Baldwin 	M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8,		\
992a10482eaSJohn Baldwin 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO)			\
993a10482eaSJohn Baldwin 
994a10482eaSJohn Baldwin #define AES_GCM_TESTS(M)						\
995a10482eaSJohn Baldwin 	M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
996a10482eaSJohn Baldwin 	    TLS_MINOR_VER_TWO)						\
997a10482eaSJohn Baldwin 	M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0,		\
998a10482eaSJohn Baldwin 	    TLS_MINOR_VER_TWO)						\
999a10482eaSJohn Baldwin 	M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1000a10482eaSJohn Baldwin 	    TLS_MINOR_VER_THREE)					\
1001a10482eaSJohn Baldwin 	M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0,		\
1002a10482eaSJohn Baldwin 	    TLS_MINOR_VER_THREE)
1003a10482eaSJohn Baldwin 
1004a10482eaSJohn Baldwin #define CHACHA20_TESTS(M)						\
1005a10482eaSJohn Baldwin 	M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1006a10482eaSJohn Baldwin 	    TLS_MINOR_VER_TWO)						\
1007a10482eaSJohn Baldwin 	M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1008a10482eaSJohn Baldwin 	    TLS_MINOR_VER_THREE)
1009a10482eaSJohn Baldwin 
1010a10482eaSJohn Baldwin #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1011a10482eaSJohn Baldwin 	    auth_alg, minor, name, len)					\
1012a10482eaSJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name);		\
1013a10482eaSJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
1014a10482eaSJohn Baldwin {									\
1015a10482eaSJohn Baldwin 	struct tls_enable en;						\
1016a10482eaSJohn Baldwin 	uint64_t seqno;							\
1017a10482eaSJohn Baldwin 									\
1018a10482eaSJohn Baldwin 	ATF_REQUIRE_KTLS();						\
1019a10482eaSJohn Baldwin 	seqno = random();						\
1020a10482eaSJohn Baldwin 	build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno,	\
1021a10482eaSJohn Baldwin 	    &en);							\
1022a10482eaSJohn Baldwin 	test_ktls_transmit_app_data(&en, seqno, len);			\
1023a10482eaSJohn Baldwin 	free_tls_enable(&en);						\
1024a10482eaSJohn Baldwin }
1025a10482eaSJohn Baldwin 
1026a10482eaSJohn Baldwin #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1027a10482eaSJohn Baldwin 	    auth_alg, minor, name)					\
1028a10482eaSJohn Baldwin 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
1029a10482eaSJohn Baldwin 
1030a10482eaSJohn Baldwin #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
103144265dc3SJohn Baldwin 	    auth_alg, minor, name, type, len)				\
103244265dc3SJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name);		\
103344265dc3SJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
1034a10482eaSJohn Baldwin {									\
1035a10482eaSJohn Baldwin 	struct tls_enable en;						\
1036a10482eaSJohn Baldwin 	uint64_t seqno;							\
1037a10482eaSJohn Baldwin 									\
1038a10482eaSJohn Baldwin 	ATF_REQUIRE_KTLS();						\
1039a10482eaSJohn Baldwin 	seqno = random();						\
1040a10482eaSJohn Baldwin 	build_tls_enable(cipher_alg, key_size, auth_alg, minor,	seqno,	\
1041a10482eaSJohn Baldwin 	    &en);							\
1042a10482eaSJohn Baldwin 	test_ktls_transmit_control(&en, seqno, type, len);		\
1043a10482eaSJohn Baldwin 	free_tls_enable(&en);						\
1044a10482eaSJohn Baldwin }
1045a10482eaSJohn Baldwin 
1046a10482eaSJohn Baldwin #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
104744265dc3SJohn Baldwin 	    auth_alg, minor, name)					\
104844265dc3SJohn Baldwin 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
1049a10482eaSJohn Baldwin 
1050*0ff2a12aSJohn Baldwin #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
1051*0ff2a12aSJohn Baldwin 	    key_size, auth_alg)						\
1052*0ff2a12aSJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment);	\
1053*0ff2a12aSJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc)		\
1054*0ff2a12aSJohn Baldwin {									\
1055*0ff2a12aSJohn Baldwin 	struct tls_enable en;						\
1056*0ff2a12aSJohn Baldwin 	uint64_t seqno;							\
1057*0ff2a12aSJohn Baldwin 									\
1058*0ff2a12aSJohn Baldwin 	ATF_REQUIRE_KTLS();						\
1059*0ff2a12aSJohn Baldwin 	seqno = random();						\
1060*0ff2a12aSJohn Baldwin 	build_tls_enable(cipher_alg, key_size, auth_alg,		\
1061*0ff2a12aSJohn Baldwin 	    TLS_MINOR_VER_ZERO,	seqno, &en);				\
1062*0ff2a12aSJohn Baldwin 	test_ktls_transmit_empty_fragment(&en, seqno);			\
1063*0ff2a12aSJohn Baldwin 	free_tls_enable(&en);						\
1064*0ff2a12aSJohn Baldwin }
1065*0ff2a12aSJohn Baldwin 
1066*0ff2a12aSJohn Baldwin #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
1067*0ff2a12aSJohn Baldwin 	    key_size, auth_alg)						\
1068*0ff2a12aSJohn Baldwin 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
1069*0ff2a12aSJohn Baldwin 
1070a10482eaSJohn Baldwin #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1071a10482eaSJohn Baldwin 	    minor)							\
1072a10482eaSJohn Baldwin 	GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1073a10482eaSJohn Baldwin 	    auth_alg, minor, short, 64)					\
1074a10482eaSJohn Baldwin 	GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1075a10482eaSJohn Baldwin 	    auth_alg, minor, long, 64 * 1024)				\
1076a10482eaSJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
107744265dc3SJohn Baldwin 	    auth_alg, minor, control, 0x21 /* Alert */, 32)
1078a10482eaSJohn Baldwin 
1079a10482eaSJohn Baldwin #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1080a10482eaSJohn Baldwin 	    minor)							\
1081a10482eaSJohn Baldwin 	ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1082a10482eaSJohn Baldwin 	    auth_alg, minor, short)					\
1083a10482eaSJohn Baldwin 	ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1084a10482eaSJohn Baldwin 	    auth_alg, minor, long)					\
1085a10482eaSJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
108644265dc3SJohn Baldwin 	    auth_alg, minor, control)
1087a10482eaSJohn Baldwin 
1088a10482eaSJohn Baldwin /*
1089a10482eaSJohn Baldwin  * For each supported cipher suite, run three transmit tests:
1090a10482eaSJohn Baldwin  *
1091a10482eaSJohn Baldwin  * - a short test which sends 64 bytes of application data (likely as
1092a10482eaSJohn Baldwin  *   a single TLS record)
1093a10482eaSJohn Baldwin  *
1094a10482eaSJohn Baldwin  * - a long test which sends 64KB of application data (split across
1095a10482eaSJohn Baldwin  *   multiple TLS records)
1096a10482eaSJohn Baldwin  *
1097a10482eaSJohn Baldwin  * - a control test which sends a single record with a specific
1098a10482eaSJohn Baldwin  *   content type via sendmsg()
1099a10482eaSJohn Baldwin  */
1100a10482eaSJohn Baldwin AES_CBC_TESTS(GEN_TRANSMIT_TESTS);
1101a10482eaSJohn Baldwin AES_GCM_TESTS(GEN_TRANSMIT_TESTS);
1102a10482eaSJohn Baldwin CHACHA20_TESTS(GEN_TRANSMIT_TESTS);
1103a10482eaSJohn Baldwin 
110444265dc3SJohn Baldwin #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size,	\
110544265dc3SJohn Baldwin 	    auth_alg, minor)						\
110644265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
110744265dc3SJohn Baldwin 	    auth_alg, minor, padding_1, 0x21 /* Alert */, 1)		\
110844265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
110944265dc3SJohn Baldwin 	    auth_alg, minor, padding_2, 0x21 /* Alert */, 2)		\
111044265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
111144265dc3SJohn Baldwin 	    auth_alg, minor, padding_3, 0x21 /* Alert */, 3)		\
111244265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
111344265dc3SJohn Baldwin 	    auth_alg, minor, padding_4, 0x21 /* Alert */, 4)		\
111444265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
111544265dc3SJohn Baldwin 	    auth_alg, minor, padding_5, 0x21 /* Alert */, 5)		\
111644265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
111744265dc3SJohn Baldwin 	    auth_alg, minor, padding_6, 0x21 /* Alert */, 6)		\
111844265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
111944265dc3SJohn Baldwin 	    auth_alg, minor, padding_7, 0x21 /* Alert */, 7)		\
112044265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
112144265dc3SJohn Baldwin 	    auth_alg, minor, padding_8, 0x21 /* Alert */, 8)		\
112244265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
112344265dc3SJohn Baldwin 	    auth_alg, minor, padding_9, 0x21 /* Alert */, 9)		\
112444265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
112544265dc3SJohn Baldwin 	    auth_alg, minor, padding_10, 0x21 /* Alert */, 10)		\
112644265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
112744265dc3SJohn Baldwin 	    auth_alg, minor, padding_11, 0x21 /* Alert */, 11)		\
112844265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
112944265dc3SJohn Baldwin 	    auth_alg, minor, padding_12, 0x21 /* Alert */, 12)		\
113044265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
113144265dc3SJohn Baldwin 	    auth_alg, minor, padding_13, 0x21 /* Alert */, 13)		\
113244265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
113344265dc3SJohn Baldwin 	    auth_alg, minor, padding_14, 0x21 /* Alert */, 14)		\
113444265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
113544265dc3SJohn Baldwin 	    auth_alg, minor, padding_15, 0x21 /* Alert */, 15)		\
113644265dc3SJohn Baldwin 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
113744265dc3SJohn Baldwin 	    auth_alg, minor, padding_16, 0x21 /* Alert */, 16)
113844265dc3SJohn Baldwin 
113944265dc3SJohn Baldwin #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size,	\
114044265dc3SJohn Baldwin 	    auth_alg, minor)						\
114144265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
114244265dc3SJohn Baldwin 	    auth_alg, minor, padding_1)					\
114344265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
114444265dc3SJohn Baldwin 	    auth_alg, minor, padding_2)					\
114544265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
114644265dc3SJohn Baldwin 	    auth_alg, minor, padding_3)					\
114744265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
114844265dc3SJohn Baldwin 	    auth_alg, minor, padding_4)					\
114944265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
115044265dc3SJohn Baldwin 	    auth_alg, minor, padding_5)					\
115144265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
115244265dc3SJohn Baldwin 	    auth_alg, minor, padding_6)					\
115344265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
115444265dc3SJohn Baldwin 	    auth_alg, minor, padding_7)					\
115544265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
115644265dc3SJohn Baldwin 	    auth_alg, minor, padding_8)					\
115744265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
115844265dc3SJohn Baldwin 	    auth_alg, minor, padding_9)					\
115944265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
116044265dc3SJohn Baldwin 	    auth_alg, minor, padding_10)				\
116144265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
116244265dc3SJohn Baldwin 	    auth_alg, minor, padding_11)				\
116344265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
116444265dc3SJohn Baldwin 	    auth_alg, minor, padding_12)				\
116544265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
116644265dc3SJohn Baldwin 	    auth_alg, minor, padding_13)				\
116744265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
116844265dc3SJohn Baldwin 	    auth_alg, minor, padding_14)				\
116944265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
117044265dc3SJohn Baldwin 	    auth_alg, minor, padding_15)				\
117144265dc3SJohn Baldwin 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
117244265dc3SJohn Baldwin 	    auth_alg, minor, padding_16)
117344265dc3SJohn Baldwin 
117444265dc3SJohn Baldwin /*
117544265dc3SJohn Baldwin  * For AES-CBC MTE cipher suites using padding, add tests of messages
117644265dc3SJohn Baldwin  * with each possible padding size.  Note that the padding_<N> tests
117744265dc3SJohn Baldwin  * do not necessarily test <N> bytes of padding as the padding is a
117844265dc3SJohn Baldwin  * function of the cipher suite's MAC length.  However, cycling
117944265dc3SJohn Baldwin  * through all of the payload sizes from 1 to 16 should exercise all
118044265dc3SJohn Baldwin  * of the possible padding lengths for each suite.
118144265dc3SJohn Baldwin  */
118244265dc3SJohn Baldwin AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS);
118344265dc3SJohn Baldwin 
1184*0ff2a12aSJohn Baldwin /*
1185*0ff2a12aSJohn Baldwin  * Test "empty fragments" which are TLS records with no payload that
1186*0ff2a12aSJohn Baldwin  * OpenSSL can send for TLS 1.0 connections.
1187*0ff2a12aSJohn Baldwin  */
1188*0ff2a12aSJohn Baldwin TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
1189*0ff2a12aSJohn Baldwin 
1190a10482eaSJohn Baldwin ATF_TP_ADD_TCS(tp)
1191a10482eaSJohn Baldwin {
1192a10482eaSJohn Baldwin 	AES_CBC_TESTS(ADD_TRANSMIT_TESTS);
1193a10482eaSJohn Baldwin 	AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
1194a10482eaSJohn Baldwin 	CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
119544265dc3SJohn Baldwin 	AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
1196*0ff2a12aSJohn Baldwin 	TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
1197a10482eaSJohn Baldwin 
1198a10482eaSJohn Baldwin 	return (atf_no_error());
1199a10482eaSJohn Baldwin }
1200