1a10482eaSJohn Baldwin /*- 2a10482eaSJohn Baldwin * SPDX-License-Identifier: BSD-2-Clause 3a10482eaSJohn Baldwin * 4a10482eaSJohn Baldwin * Copyright (c) 2021 Netflix Inc. 5a10482eaSJohn Baldwin * Written by: John Baldwin <jhb@FreeBSD.org> 6a10482eaSJohn Baldwin * 7a10482eaSJohn Baldwin * Redistribution and use in source and binary forms, with or without 8a10482eaSJohn Baldwin * modification, are permitted provided that the following conditions 9a10482eaSJohn Baldwin * are met: 10a10482eaSJohn Baldwin * 1. Redistributions of source code must retain the above copyright 11a10482eaSJohn Baldwin * notice, this list of conditions and the following disclaimer. 12a10482eaSJohn Baldwin * 2. Redistributions in binary form must reproduce the above copyright 13a10482eaSJohn Baldwin * notice, this list of conditions and the following disclaimer in the 14a10482eaSJohn Baldwin * documentation and/or other materials provided with the distribution. 15a10482eaSJohn Baldwin * 16a10482eaSJohn Baldwin * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17a10482eaSJohn Baldwin * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18a10482eaSJohn Baldwin * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19a10482eaSJohn Baldwin * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20a10482eaSJohn Baldwin * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21a10482eaSJohn Baldwin * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22a10482eaSJohn Baldwin * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23a10482eaSJohn Baldwin * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24a10482eaSJohn Baldwin * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25a10482eaSJohn Baldwin * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26a10482eaSJohn Baldwin * SUCH DAMAGE. 27a10482eaSJohn Baldwin */ 28a10482eaSJohn Baldwin 29a10482eaSJohn Baldwin #include <sys/types.h> 30a10482eaSJohn Baldwin #include <sys/endian.h> 31a10482eaSJohn Baldwin #include <sys/event.h> 32a10482eaSJohn Baldwin #include <sys/ktls.h> 33a10482eaSJohn Baldwin #include <sys/socket.h> 34a10482eaSJohn Baldwin #include <sys/sysctl.h> 35a10482eaSJohn Baldwin #include <netinet/in.h> 36a10482eaSJohn Baldwin #include <netinet/tcp.h> 37a10482eaSJohn Baldwin #include <crypto/cryptodev.h> 38a10482eaSJohn Baldwin #include <assert.h> 39a10482eaSJohn Baldwin #include <err.h> 40a10482eaSJohn Baldwin #include <fcntl.h> 41a10482eaSJohn Baldwin #include <poll.h> 42a10482eaSJohn Baldwin #include <stdbool.h> 43a10482eaSJohn Baldwin #include <stdlib.h> 44a10482eaSJohn Baldwin #include <atf-c.h> 45a10482eaSJohn Baldwin 46a10482eaSJohn Baldwin #include <openssl/err.h> 47a10482eaSJohn Baldwin #include <openssl/evp.h> 48a10482eaSJohn Baldwin #include <openssl/hmac.h> 49a10482eaSJohn Baldwin 50a10482eaSJohn Baldwin static void 51a10482eaSJohn Baldwin require_ktls(void) 52a10482eaSJohn Baldwin { 53a10482eaSJohn Baldwin size_t len; 54a10482eaSJohn Baldwin bool enable; 55a10482eaSJohn Baldwin 56a10482eaSJohn Baldwin len = sizeof(enable); 57a10482eaSJohn Baldwin if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) { 58a10482eaSJohn Baldwin if (errno == ENOENT) 59a10482eaSJohn Baldwin atf_tc_skip("kernel does not support TLS offload"); 60a10482eaSJohn Baldwin atf_libc_error(errno, "Failed to read kern.ipc.tls.enable"); 61a10482eaSJohn Baldwin } 62a10482eaSJohn Baldwin 63a10482eaSJohn Baldwin if (!enable) 64a10482eaSJohn Baldwin atf_tc_skip("Kernel TLS is disabled"); 65a10482eaSJohn Baldwin } 66a10482eaSJohn Baldwin 67a10482eaSJohn Baldwin #define ATF_REQUIRE_KTLS() require_ktls() 68a10482eaSJohn Baldwin 69a10482eaSJohn Baldwin static char 70a10482eaSJohn Baldwin rdigit(void) 71a10482eaSJohn Baldwin { 72a10482eaSJohn Baldwin /* ASCII printable values between 0x20 and 0x7e */ 73a10482eaSJohn Baldwin return (0x20 + random() % (0x7f - 0x20)); 74a10482eaSJohn Baldwin } 75a10482eaSJohn Baldwin 76a10482eaSJohn Baldwin static char * 77a10482eaSJohn Baldwin alloc_buffer(size_t len) 78a10482eaSJohn Baldwin { 79a10482eaSJohn Baldwin char *buf; 80a10482eaSJohn Baldwin size_t i; 81a10482eaSJohn Baldwin 82a10482eaSJohn Baldwin if (len == 0) 83a10482eaSJohn Baldwin return (NULL); 84a10482eaSJohn Baldwin buf = malloc(len); 85a10482eaSJohn Baldwin for (i = 0; i < len; i++) 86a10482eaSJohn Baldwin buf[i] = rdigit(); 87a10482eaSJohn Baldwin return (buf); 88a10482eaSJohn Baldwin } 89a10482eaSJohn Baldwin 90a10482eaSJohn Baldwin static bool 91a10482eaSJohn Baldwin socketpair_tcp(int *sv) 92a10482eaSJohn Baldwin { 93a10482eaSJohn Baldwin struct pollfd pfd; 94a10482eaSJohn Baldwin struct sockaddr_in sin; 95a10482eaSJohn Baldwin socklen_t len; 96a10482eaSJohn Baldwin int as, cs, ls; 97a10482eaSJohn Baldwin 98a10482eaSJohn Baldwin ls = socket(PF_INET, SOCK_STREAM, 0); 99a10482eaSJohn Baldwin if (ls == -1) { 100a10482eaSJohn Baldwin warn("socket() for listen"); 101a10482eaSJohn Baldwin return (false); 102a10482eaSJohn Baldwin } 103a10482eaSJohn Baldwin 104a10482eaSJohn Baldwin memset(&sin, 0, sizeof(sin)); 105a10482eaSJohn Baldwin sin.sin_len = sizeof(sin); 106a10482eaSJohn Baldwin sin.sin_family = AF_INET; 107a10482eaSJohn Baldwin sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 108a10482eaSJohn Baldwin if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 109a10482eaSJohn Baldwin warn("bind"); 110a10482eaSJohn Baldwin close(ls); 111a10482eaSJohn Baldwin return (false); 112a10482eaSJohn Baldwin } 113a10482eaSJohn Baldwin 114a10482eaSJohn Baldwin if (listen(ls, 1) == -1) { 115a10482eaSJohn Baldwin warn("listen"); 116a10482eaSJohn Baldwin close(ls); 117a10482eaSJohn Baldwin return (false); 118a10482eaSJohn Baldwin } 119a10482eaSJohn Baldwin 120a10482eaSJohn Baldwin len = sizeof(sin); 121a10482eaSJohn Baldwin if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) { 122a10482eaSJohn Baldwin warn("getsockname"); 123a10482eaSJohn Baldwin close(ls); 124a10482eaSJohn Baldwin return (false); 125a10482eaSJohn Baldwin } 126a10482eaSJohn Baldwin 127a10482eaSJohn Baldwin cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); 128a10482eaSJohn Baldwin if (cs == -1) { 129a10482eaSJohn Baldwin warn("socket() for connect"); 130a10482eaSJohn Baldwin close(ls); 131a10482eaSJohn Baldwin return (false); 132a10482eaSJohn Baldwin } 133a10482eaSJohn Baldwin 134a10482eaSJohn Baldwin if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 135a10482eaSJohn Baldwin if (errno != EINPROGRESS) { 136a10482eaSJohn Baldwin warn("connect"); 137a10482eaSJohn Baldwin close(ls); 138a10482eaSJohn Baldwin close(cs); 139a10482eaSJohn Baldwin return (false); 140a10482eaSJohn Baldwin } 141a10482eaSJohn Baldwin } 142a10482eaSJohn Baldwin 143a10482eaSJohn Baldwin as = accept4(ls, NULL, NULL, SOCK_NONBLOCK); 144a10482eaSJohn Baldwin if (as == -1) { 145a10482eaSJohn Baldwin warn("accept4"); 146a10482eaSJohn Baldwin close(ls); 147a10482eaSJohn Baldwin close(cs); 148a10482eaSJohn Baldwin return (false); 149a10482eaSJohn Baldwin } 150a10482eaSJohn Baldwin 151a10482eaSJohn Baldwin close(ls); 152a10482eaSJohn Baldwin 153a10482eaSJohn Baldwin pfd.fd = cs; 154a10482eaSJohn Baldwin pfd.events = POLLOUT; 155a10482eaSJohn Baldwin pfd.revents = 0; 156a10482eaSJohn Baldwin ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1); 157a10482eaSJohn Baldwin ATF_REQUIRE(pfd.revents == POLLOUT); 158a10482eaSJohn Baldwin 159a10482eaSJohn Baldwin sv[0] = cs; 160a10482eaSJohn Baldwin sv[1] = as; 161a10482eaSJohn Baldwin return (true); 162a10482eaSJohn Baldwin } 163a10482eaSJohn Baldwin 164a10482eaSJohn Baldwin static void 165a10482eaSJohn Baldwin fd_set_blocking(int fd) 166a10482eaSJohn Baldwin { 167a10482eaSJohn Baldwin int flags; 168a10482eaSJohn Baldwin 169a10482eaSJohn Baldwin ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1); 170a10482eaSJohn Baldwin flags &= ~O_NONBLOCK; 171a10482eaSJohn Baldwin ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1); 172a10482eaSJohn Baldwin } 173a10482eaSJohn Baldwin 174a10482eaSJohn Baldwin static bool 175a10482eaSJohn Baldwin cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 176a10482eaSJohn Baldwin const char *input, char *output, size_t size) 177a10482eaSJohn Baldwin { 178a10482eaSJohn Baldwin EVP_CIPHER_CTX *ctx; 179a10482eaSJohn Baldwin int outl, total; 180a10482eaSJohn Baldwin 181a10482eaSJohn Baldwin ctx = EVP_CIPHER_CTX_new(); 182a10482eaSJohn Baldwin if (ctx == NULL) { 183a10482eaSJohn Baldwin warnx("EVP_CIPHER_CTX_new failed: %s", 184a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 185a10482eaSJohn Baldwin return (false); 186a10482eaSJohn Baldwin } 187a10482eaSJohn Baldwin if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key, 188a10482eaSJohn Baldwin (const u_char *)iv, 0) != 1) { 189a10482eaSJohn Baldwin warnx("EVP_CipherInit_ex failed: %s", 190a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 191a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 192a10482eaSJohn Baldwin return (false); 193a10482eaSJohn Baldwin } 194a10482eaSJohn Baldwin EVP_CIPHER_CTX_set_padding(ctx, 0); 195a10482eaSJohn Baldwin if (EVP_CipherUpdate(ctx, (u_char *)output, &outl, 196a10482eaSJohn Baldwin (const u_char *)input, size) != 1) { 197a10482eaSJohn Baldwin warnx("EVP_CipherUpdate failed: %s", 198a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 199a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 200a10482eaSJohn Baldwin return (false); 201a10482eaSJohn Baldwin } 202a10482eaSJohn Baldwin total = outl; 203a10482eaSJohn Baldwin if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 204a10482eaSJohn Baldwin warnx("EVP_CipherFinal_ex failed: %s", 205a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 206a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 207a10482eaSJohn Baldwin return (false); 208a10482eaSJohn Baldwin } 209a10482eaSJohn Baldwin total += outl; 210a10482eaSJohn Baldwin if ((size_t)total != size) { 211a10482eaSJohn Baldwin warnx("decrypt size mismatch: %zu vs %d", size, total); 212a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 213a10482eaSJohn Baldwin return (false); 214a10482eaSJohn Baldwin } 215a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 216a10482eaSJohn Baldwin return (true); 217a10482eaSJohn Baldwin } 218a10482eaSJohn Baldwin 219a10482eaSJohn Baldwin static bool 220a10482eaSJohn Baldwin verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 221a10482eaSJohn Baldwin size_t aad_len, const void *buffer, size_t len, const void *digest) 222a10482eaSJohn Baldwin { 223a10482eaSJohn Baldwin HMAC_CTX *ctx; 224a10482eaSJohn Baldwin unsigned char digest2[EVP_MAX_MD_SIZE]; 225a10482eaSJohn Baldwin u_int digest_len; 226a10482eaSJohn Baldwin 227a10482eaSJohn Baldwin ctx = HMAC_CTX_new(); 228a10482eaSJohn Baldwin if (ctx == NULL) { 229a10482eaSJohn Baldwin warnx("HMAC_CTX_new failed: %s", 230a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 231a10482eaSJohn Baldwin return (false); 232a10482eaSJohn Baldwin } 233a10482eaSJohn Baldwin if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) { 234a10482eaSJohn Baldwin warnx("HMAC_Init_ex failed: %s", 235a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 236a10482eaSJohn Baldwin HMAC_CTX_free(ctx); 237a10482eaSJohn Baldwin return (false); 238a10482eaSJohn Baldwin } 239a10482eaSJohn Baldwin if (HMAC_Update(ctx, aad, aad_len) != 1) { 240a10482eaSJohn Baldwin warnx("HMAC_Update (aad) failed: %s", 241a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 242a10482eaSJohn Baldwin HMAC_CTX_free(ctx); 243a10482eaSJohn Baldwin return (false); 244a10482eaSJohn Baldwin } 245a10482eaSJohn Baldwin if (HMAC_Update(ctx, buffer, len) != 1) { 246a10482eaSJohn Baldwin warnx("HMAC_Update (payload) failed: %s", 247a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 248a10482eaSJohn Baldwin HMAC_CTX_free(ctx); 249a10482eaSJohn Baldwin return (false); 250a10482eaSJohn Baldwin } 251a10482eaSJohn Baldwin if (HMAC_Final(ctx, digest2, &digest_len) != 1) { 252a10482eaSJohn Baldwin warnx("HMAC_Final failed: %s", 253a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 254a10482eaSJohn Baldwin HMAC_CTX_free(ctx); 255a10482eaSJohn Baldwin return (false); 256a10482eaSJohn Baldwin } 257a10482eaSJohn Baldwin HMAC_CTX_free(ctx); 258a10482eaSJohn Baldwin if (memcmp(digest, digest2, digest_len) != 0) { 259a10482eaSJohn Baldwin warnx("HMAC mismatch"); 260a10482eaSJohn Baldwin return (false); 261a10482eaSJohn Baldwin } 262a10482eaSJohn Baldwin return (true); 263a10482eaSJohn Baldwin } 264a10482eaSJohn Baldwin 265a10482eaSJohn Baldwin static bool 266a10482eaSJohn Baldwin aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 267a10482eaSJohn Baldwin const void *aad, size_t aad_len, const char *input, char *output, 268a10482eaSJohn Baldwin size_t size, const char *tag, size_t tag_len) 269a10482eaSJohn Baldwin { 270a10482eaSJohn Baldwin EVP_CIPHER_CTX *ctx; 271a10482eaSJohn Baldwin int outl, total; 272a10482eaSJohn Baldwin bool valid; 273a10482eaSJohn Baldwin 274a10482eaSJohn Baldwin ctx = EVP_CIPHER_CTX_new(); 275a10482eaSJohn Baldwin if (ctx == NULL) { 276a10482eaSJohn Baldwin warnx("EVP_CIPHER_CTX_new failed: %s", 277a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 278a10482eaSJohn Baldwin return (false); 279a10482eaSJohn Baldwin } 280a10482eaSJohn Baldwin if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 281a10482eaSJohn Baldwin (const u_char *)nonce) != 1) { 282a10482eaSJohn Baldwin warnx("EVP_DecryptInit_ex failed: %s", 283a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 284a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 285a10482eaSJohn Baldwin return (false); 286a10482eaSJohn Baldwin } 287a10482eaSJohn Baldwin EVP_CIPHER_CTX_set_padding(ctx, 0); 288a10482eaSJohn Baldwin if (aad != NULL) { 289a10482eaSJohn Baldwin if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 290a10482eaSJohn Baldwin aad_len) != 1) { 291a10482eaSJohn Baldwin warnx("EVP_DecryptUpdate for AAD failed: %s", 292a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 293a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 294a10482eaSJohn Baldwin return (false); 295a10482eaSJohn Baldwin } 296a10482eaSJohn Baldwin } 297a10482eaSJohn Baldwin if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl, 298a10482eaSJohn Baldwin (const u_char *)input, size) != 1) { 299a10482eaSJohn Baldwin warnx("EVP_DecryptUpdate failed: %s", 300a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 301a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 302a10482eaSJohn Baldwin return (false); 303a10482eaSJohn Baldwin } 304a10482eaSJohn Baldwin total = outl; 305a10482eaSJohn Baldwin if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, 306a10482eaSJohn Baldwin __DECONST(char *, tag)) != 1) { 307a10482eaSJohn Baldwin warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s", 308a10482eaSJohn Baldwin ERR_error_string(ERR_get_error(), NULL)); 309a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 310a10482eaSJohn Baldwin return (false); 311a10482eaSJohn Baldwin } 312a10482eaSJohn Baldwin valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1); 313a10482eaSJohn Baldwin total += outl; 314a10482eaSJohn Baldwin if ((size_t)total != size) { 315a10482eaSJohn Baldwin warnx("decrypt size mismatch: %zu vs %d", size, total); 316a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 317a10482eaSJohn Baldwin return (false); 318a10482eaSJohn Baldwin } 319a10482eaSJohn Baldwin if (!valid) 320a10482eaSJohn Baldwin warnx("tag mismatch"); 321a10482eaSJohn Baldwin EVP_CIPHER_CTX_free(ctx); 322a10482eaSJohn Baldwin return (valid); 323a10482eaSJohn Baldwin } 324a10482eaSJohn Baldwin 325a10482eaSJohn Baldwin static void 326a10482eaSJohn Baldwin build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg, 327a10482eaSJohn Baldwin int minor, uint64_t seqno, struct tls_enable *en) 328a10482eaSJohn Baldwin { 329a10482eaSJohn Baldwin u_int auth_key_len, iv_len; 330a10482eaSJohn Baldwin 331a10482eaSJohn Baldwin memset(en, 0, sizeof(*en)); 332a10482eaSJohn Baldwin 333a10482eaSJohn Baldwin switch (cipher_alg) { 334a10482eaSJohn Baldwin case CRYPTO_AES_CBC: 335a10482eaSJohn Baldwin if (minor == TLS_MINOR_VER_ZERO) 336a10482eaSJohn Baldwin iv_len = AES_BLOCK_LEN; 337a10482eaSJohn Baldwin else 338a10482eaSJohn Baldwin iv_len = 0; 339a10482eaSJohn Baldwin break; 340a10482eaSJohn Baldwin case CRYPTO_AES_NIST_GCM_16: 341a10482eaSJohn Baldwin if (minor == TLS_MINOR_VER_TWO) 342a10482eaSJohn Baldwin iv_len = TLS_AEAD_GCM_LEN; 343a10482eaSJohn Baldwin else 344a10482eaSJohn Baldwin iv_len = TLS_1_3_GCM_IV_LEN; 345a10482eaSJohn Baldwin break; 346a10482eaSJohn Baldwin case CRYPTO_CHACHA20_POLY1305: 347a10482eaSJohn Baldwin iv_len = TLS_CHACHA20_IV_LEN; 348a10482eaSJohn Baldwin break; 349a10482eaSJohn Baldwin default: 350a10482eaSJohn Baldwin iv_len = 0; 351a10482eaSJohn Baldwin break; 352a10482eaSJohn Baldwin } 353a10482eaSJohn Baldwin switch (auth_alg) { 354a10482eaSJohn Baldwin case CRYPTO_SHA1_HMAC: 355a10482eaSJohn Baldwin auth_key_len = SHA1_HASH_LEN; 356a10482eaSJohn Baldwin break; 357a10482eaSJohn Baldwin case CRYPTO_SHA2_256_HMAC: 358a10482eaSJohn Baldwin auth_key_len = SHA2_256_HASH_LEN; 359a10482eaSJohn Baldwin break; 360a10482eaSJohn Baldwin case CRYPTO_SHA2_384_HMAC: 361a10482eaSJohn Baldwin auth_key_len = SHA2_384_HASH_LEN; 362a10482eaSJohn Baldwin break; 363a10482eaSJohn Baldwin default: 364a10482eaSJohn Baldwin auth_key_len = 0; 365a10482eaSJohn Baldwin break; 366a10482eaSJohn Baldwin } 367a10482eaSJohn Baldwin en->cipher_key = alloc_buffer(cipher_key_len); 368a10482eaSJohn Baldwin en->iv = alloc_buffer(iv_len); 369a10482eaSJohn Baldwin en->auth_key = alloc_buffer(auth_key_len); 370a10482eaSJohn Baldwin en->cipher_algorithm = cipher_alg; 371a10482eaSJohn Baldwin en->cipher_key_len = cipher_key_len; 372a10482eaSJohn Baldwin en->iv_len = iv_len; 373a10482eaSJohn Baldwin en->auth_algorithm = auth_alg; 374a10482eaSJohn Baldwin en->auth_key_len = auth_key_len; 375a10482eaSJohn Baldwin en->tls_vmajor = TLS_MAJOR_VER_ONE; 376a10482eaSJohn Baldwin en->tls_vminor = minor; 377a10482eaSJohn Baldwin be64enc(en->rec_seq, seqno); 378a10482eaSJohn Baldwin } 379a10482eaSJohn Baldwin 380a10482eaSJohn Baldwin static void 381a10482eaSJohn Baldwin free_tls_enable(struct tls_enable *en) 382a10482eaSJohn Baldwin { 383a10482eaSJohn Baldwin free(__DECONST(void *, en->cipher_key)); 384a10482eaSJohn Baldwin free(__DECONST(void *, en->iv)); 385a10482eaSJohn Baldwin free(__DECONST(void *, en->auth_key)); 386a10482eaSJohn Baldwin } 387a10482eaSJohn Baldwin 388a10482eaSJohn Baldwin static const EVP_CIPHER * 389a10482eaSJohn Baldwin tls_EVP_CIPHER(const struct tls_enable *en) 390a10482eaSJohn Baldwin { 391a10482eaSJohn Baldwin switch (en->cipher_algorithm) { 392a10482eaSJohn Baldwin case CRYPTO_AES_CBC: 393a10482eaSJohn Baldwin switch (en->cipher_key_len) { 394a10482eaSJohn Baldwin case 128 / 8: 395a10482eaSJohn Baldwin return (EVP_aes_128_cbc()); 396a10482eaSJohn Baldwin case 256 / 8: 397a10482eaSJohn Baldwin return (EVP_aes_256_cbc()); 398a10482eaSJohn Baldwin default: 399a10482eaSJohn Baldwin return (NULL); 400a10482eaSJohn Baldwin } 401a10482eaSJohn Baldwin break; 402a10482eaSJohn Baldwin case CRYPTO_AES_NIST_GCM_16: 403a10482eaSJohn Baldwin switch (en->cipher_key_len) { 404a10482eaSJohn Baldwin case 128 / 8: 405a10482eaSJohn Baldwin return (EVP_aes_128_gcm()); 406a10482eaSJohn Baldwin case 256 / 8: 407a10482eaSJohn Baldwin return (EVP_aes_256_gcm()); 408a10482eaSJohn Baldwin default: 409a10482eaSJohn Baldwin return (NULL); 410a10482eaSJohn Baldwin } 411a10482eaSJohn Baldwin break; 412a10482eaSJohn Baldwin case CRYPTO_CHACHA20_POLY1305: 413a10482eaSJohn Baldwin return (EVP_chacha20_poly1305()); 414a10482eaSJohn Baldwin default: 415a10482eaSJohn Baldwin return (NULL); 416a10482eaSJohn Baldwin } 417a10482eaSJohn Baldwin } 418a10482eaSJohn Baldwin 419a10482eaSJohn Baldwin static const EVP_MD * 420a10482eaSJohn Baldwin tls_EVP_MD(const struct tls_enable *en) 421a10482eaSJohn Baldwin { 422a10482eaSJohn Baldwin switch (en->auth_algorithm) { 423a10482eaSJohn Baldwin case CRYPTO_SHA1_HMAC: 424a10482eaSJohn Baldwin return (EVP_sha1()); 425a10482eaSJohn Baldwin case CRYPTO_SHA2_256_HMAC: 426a10482eaSJohn Baldwin return (EVP_sha256()); 427a10482eaSJohn Baldwin case CRYPTO_SHA2_384_HMAC: 428a10482eaSJohn Baldwin return (EVP_sha384()); 429a10482eaSJohn Baldwin default: 430a10482eaSJohn Baldwin return (NULL); 431a10482eaSJohn Baldwin } 432a10482eaSJohn Baldwin } 433a10482eaSJohn Baldwin 434a10482eaSJohn Baldwin static size_t 435a10482eaSJohn Baldwin tls_header_len(struct tls_enable *en) 436a10482eaSJohn Baldwin { 437a10482eaSJohn Baldwin size_t len; 438a10482eaSJohn Baldwin 439a10482eaSJohn Baldwin len = sizeof(struct tls_record_layer); 440a10482eaSJohn Baldwin switch (en->cipher_algorithm) { 441a10482eaSJohn Baldwin case CRYPTO_AES_CBC: 442a10482eaSJohn Baldwin if (en->tls_vminor != TLS_MINOR_VER_ZERO) 443a10482eaSJohn Baldwin len += AES_BLOCK_LEN; 444a10482eaSJohn Baldwin return (len); 445a10482eaSJohn Baldwin case CRYPTO_AES_NIST_GCM_16: 446a10482eaSJohn Baldwin if (en->tls_vminor == TLS_MINOR_VER_TWO) 447a10482eaSJohn Baldwin len += sizeof(uint64_t); 448a10482eaSJohn Baldwin return (len); 449a10482eaSJohn Baldwin case CRYPTO_CHACHA20_POLY1305: 450a10482eaSJohn Baldwin return (len); 451a10482eaSJohn Baldwin default: 452a10482eaSJohn Baldwin return (0); 453a10482eaSJohn Baldwin } 454a10482eaSJohn Baldwin } 455a10482eaSJohn Baldwin 456a10482eaSJohn Baldwin static size_t 457a10482eaSJohn Baldwin tls_mac_len(struct tls_enable *en) 458a10482eaSJohn Baldwin { 459a10482eaSJohn Baldwin switch (en->cipher_algorithm) { 460a10482eaSJohn Baldwin case CRYPTO_AES_CBC: 461a10482eaSJohn Baldwin switch (en->auth_algorithm) { 462a10482eaSJohn Baldwin case CRYPTO_SHA1_HMAC: 463a10482eaSJohn Baldwin return (SHA1_HASH_LEN); 464a10482eaSJohn Baldwin case CRYPTO_SHA2_256_HMAC: 465a10482eaSJohn Baldwin return (SHA2_256_HASH_LEN); 466a10482eaSJohn Baldwin case CRYPTO_SHA2_384_HMAC: 467a10482eaSJohn Baldwin return (SHA2_384_HASH_LEN); 468a10482eaSJohn Baldwin default: 469a10482eaSJohn Baldwin return (0); 470a10482eaSJohn Baldwin } 471a10482eaSJohn Baldwin case CRYPTO_AES_NIST_GCM_16: 472a10482eaSJohn Baldwin return (AES_GMAC_HASH_LEN); 473a10482eaSJohn Baldwin case CRYPTO_CHACHA20_POLY1305: 474a10482eaSJohn Baldwin return (POLY1305_HASH_LEN); 475a10482eaSJohn Baldwin default: 476a10482eaSJohn Baldwin return (0); 477a10482eaSJohn Baldwin } 478a10482eaSJohn Baldwin } 479a10482eaSJohn Baldwin 480a10482eaSJohn Baldwin /* Includes maximum padding for MTE. */ 481a10482eaSJohn Baldwin static size_t 482a10482eaSJohn Baldwin tls_trailer_len(struct tls_enable *en) 483a10482eaSJohn Baldwin { 484a10482eaSJohn Baldwin size_t len; 485a10482eaSJohn Baldwin 486a10482eaSJohn Baldwin len = tls_mac_len(en); 487a10482eaSJohn Baldwin if (en->cipher_algorithm == CRYPTO_AES_CBC) 488a10482eaSJohn Baldwin len += AES_BLOCK_LEN; 489a10482eaSJohn Baldwin if (en->tls_vminor == TLS_MINOR_VER_THREE) 490a10482eaSJohn Baldwin len++; 491a10482eaSJohn Baldwin return (len); 492a10482eaSJohn Baldwin } 493a10482eaSJohn Baldwin 494a10482eaSJohn Baldwin /* 'len' is the length of the payload application data. */ 495a10482eaSJohn Baldwin static void 496a10482eaSJohn Baldwin tls_mte_aad(struct tls_enable *en, size_t len, 497a10482eaSJohn Baldwin const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad) 498a10482eaSJohn Baldwin { 499a10482eaSJohn Baldwin ad->seq = htobe64(seqno); 500a10482eaSJohn Baldwin ad->type = hdr->tls_type; 501a10482eaSJohn Baldwin ad->tls_vmajor = hdr->tls_vmajor; 502a10482eaSJohn Baldwin ad->tls_vminor = hdr->tls_vminor; 503a10482eaSJohn Baldwin ad->tls_length = htons(len); 504a10482eaSJohn Baldwin } 505a10482eaSJohn Baldwin 506a10482eaSJohn Baldwin static void 507a10482eaSJohn Baldwin tls_12_aead_aad(struct tls_enable *en, size_t len, 508a10482eaSJohn Baldwin const struct tls_record_layer *hdr, uint64_t seqno, 509a10482eaSJohn Baldwin struct tls_aead_data *ad) 510a10482eaSJohn Baldwin { 511a10482eaSJohn Baldwin ad->seq = htobe64(seqno); 512a10482eaSJohn Baldwin ad->type = hdr->tls_type; 513a10482eaSJohn Baldwin ad->tls_vmajor = hdr->tls_vmajor; 514a10482eaSJohn Baldwin ad->tls_vminor = hdr->tls_vminor; 515a10482eaSJohn Baldwin ad->tls_length = htons(len); 516a10482eaSJohn Baldwin } 517a10482eaSJohn Baldwin 518a10482eaSJohn Baldwin static void 519a10482eaSJohn Baldwin tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr, 520a10482eaSJohn Baldwin uint64_t seqno, struct tls_aead_data_13 *ad) 521a10482eaSJohn Baldwin { 522a10482eaSJohn Baldwin ad->type = hdr->tls_type; 523a10482eaSJohn Baldwin ad->tls_vmajor = hdr->tls_vmajor; 524a10482eaSJohn Baldwin ad->tls_vminor = hdr->tls_vminor; 525a10482eaSJohn Baldwin ad->tls_length = hdr->tls_length; 526a10482eaSJohn Baldwin } 527a10482eaSJohn Baldwin 528a10482eaSJohn Baldwin static void 529a10482eaSJohn Baldwin tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr, 530a10482eaSJohn Baldwin char *nonce) 531a10482eaSJohn Baldwin { 532a10482eaSJohn Baldwin memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN); 533a10482eaSJohn Baldwin memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 534a10482eaSJohn Baldwin } 535a10482eaSJohn Baldwin 536a10482eaSJohn Baldwin static void 537a10482eaSJohn Baldwin tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce) 538a10482eaSJohn Baldwin { 539a10482eaSJohn Baldwin static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN, 540a10482eaSJohn Baldwin "TLS 1.3 nonce length mismatch"); 541a10482eaSJohn Baldwin memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN); 542a10482eaSJohn Baldwin *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 543a10482eaSJohn Baldwin } 544a10482eaSJohn Baldwin 545a10482eaSJohn Baldwin /* 546a10482eaSJohn Baldwin * Decrypt a TLS record 'len' bytes long at 'src' and store the result at 547a10482eaSJohn Baldwin * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't 548a10482eaSJohn Baldwin * have sufficient room ('avail'), fail the test. 549a10482eaSJohn Baldwin */ 550a10482eaSJohn Baldwin static size_t 551a10482eaSJohn Baldwin decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src, 552a10482eaSJohn Baldwin size_t len, void *dst, size_t avail, uint8_t *record_type) 553a10482eaSJohn Baldwin { 554a10482eaSJohn Baldwin const struct tls_record_layer *hdr; 555a10482eaSJohn Baldwin struct tls_mac_data aad; 556a10482eaSJohn Baldwin const char *iv; 557a10482eaSJohn Baldwin char *buf; 558a10482eaSJohn Baldwin size_t hdr_len, mac_len, payload_len; 559a10482eaSJohn Baldwin int padding; 560a10482eaSJohn Baldwin 561a10482eaSJohn Baldwin hdr = src; 562a10482eaSJohn Baldwin hdr_len = tls_header_len(en); 563a10482eaSJohn Baldwin mac_len = tls_mac_len(en); 564a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 565a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor); 566a10482eaSJohn Baldwin 567a10482eaSJohn Baldwin /* First, decrypt the outer payload into a temporary buffer. */ 568a10482eaSJohn Baldwin payload_len = len - hdr_len; 569a10482eaSJohn Baldwin buf = malloc(payload_len); 570a10482eaSJohn Baldwin if (en->tls_vminor == TLS_MINOR_VER_ZERO) 571a10482eaSJohn Baldwin iv = en->iv; 572a10482eaSJohn Baldwin else 573a10482eaSJohn Baldwin iv = (void *)(hdr + 1); 574a10482eaSJohn Baldwin ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 575a10482eaSJohn Baldwin (const u_char *)src + hdr_len, buf, payload_len)); 576a10482eaSJohn Baldwin 577a10482eaSJohn Baldwin /* 578a10482eaSJohn Baldwin * Copy the last encrypted block to use as the IV for the next 579a10482eaSJohn Baldwin * record for TLS 1.0. 580a10482eaSJohn Baldwin */ 581a10482eaSJohn Baldwin if (en->tls_vminor == TLS_MINOR_VER_ZERO) 582a10482eaSJohn Baldwin memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src + 583a10482eaSJohn Baldwin (len - AES_BLOCK_LEN), AES_BLOCK_LEN); 584a10482eaSJohn Baldwin 585a10482eaSJohn Baldwin /* 586a10482eaSJohn Baldwin * Verify trailing padding and strip. 587a10482eaSJohn Baldwin * 588a10482eaSJohn Baldwin * The kernel always generates the smallest amount of padding. 589a10482eaSJohn Baldwin */ 590a10482eaSJohn Baldwin padding = buf[payload_len - 1] + 1; 591a10482eaSJohn Baldwin ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN); 592a10482eaSJohn Baldwin ATF_REQUIRE(payload_len >= mac_len + padding); 593a10482eaSJohn Baldwin payload_len -= padding; 594a10482eaSJohn Baldwin 595a10482eaSJohn Baldwin /* Verify HMAC. */ 596a10482eaSJohn Baldwin payload_len -= mac_len; 597a10482eaSJohn Baldwin tls_mte_aad(en, payload_len, hdr, seqno, &aad); 598a10482eaSJohn Baldwin ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 599a10482eaSJohn Baldwin &aad, sizeof(aad), buf, payload_len, buf + payload_len)); 600a10482eaSJohn Baldwin 601a10482eaSJohn Baldwin ATF_REQUIRE(payload_len <= avail); 602a10482eaSJohn Baldwin memcpy(dst, buf, payload_len); 603a10482eaSJohn Baldwin *record_type = hdr->tls_type; 604a10482eaSJohn Baldwin return (payload_len); 605a10482eaSJohn Baldwin } 606a10482eaSJohn Baldwin 607a10482eaSJohn Baldwin static size_t 608a10482eaSJohn Baldwin decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src, 609a10482eaSJohn Baldwin size_t len, void *dst, uint8_t *record_type) 610a10482eaSJohn Baldwin { 611a10482eaSJohn Baldwin const struct tls_record_layer *hdr; 612a10482eaSJohn Baldwin struct tls_aead_data aad; 613a10482eaSJohn Baldwin char nonce[12]; 614a10482eaSJohn Baldwin size_t hdr_len, mac_len, payload_len; 615a10482eaSJohn Baldwin 616a10482eaSJohn Baldwin hdr = src; 617a10482eaSJohn Baldwin 618a10482eaSJohn Baldwin hdr_len = tls_header_len(en); 619a10482eaSJohn Baldwin mac_len = tls_mac_len(en); 620a10482eaSJohn Baldwin payload_len = len - (hdr_len + mac_len); 621a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 622a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 623a10482eaSJohn Baldwin 624a10482eaSJohn Baldwin tls_12_aead_aad(en, payload_len, hdr, seqno, &aad); 625a10482eaSJohn Baldwin if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 626a10482eaSJohn Baldwin tls_12_gcm_nonce(en, hdr, nonce); 627a10482eaSJohn Baldwin else 628a10482eaSJohn Baldwin tls_13_nonce(en, seqno, nonce); 629a10482eaSJohn Baldwin 630a10482eaSJohn Baldwin ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 631a10482eaSJohn Baldwin &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len, 632a10482eaSJohn Baldwin (const char *)src + hdr_len + payload_len, mac_len)); 633a10482eaSJohn Baldwin 634a10482eaSJohn Baldwin *record_type = hdr->tls_type; 635a10482eaSJohn Baldwin return (payload_len); 636a10482eaSJohn Baldwin } 637a10482eaSJohn Baldwin 638a10482eaSJohn Baldwin static size_t 639a10482eaSJohn Baldwin decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src, 640a10482eaSJohn Baldwin size_t len, void *dst, uint8_t *record_type) 641a10482eaSJohn Baldwin { 642a10482eaSJohn Baldwin const struct tls_record_layer *hdr; 643a10482eaSJohn Baldwin struct tls_aead_data_13 aad; 644a10482eaSJohn Baldwin char nonce[12]; 645a10482eaSJohn Baldwin char *buf; 646a10482eaSJohn Baldwin size_t hdr_len, mac_len, payload_len; 647a10482eaSJohn Baldwin 648a10482eaSJohn Baldwin hdr = src; 649a10482eaSJohn Baldwin 650a10482eaSJohn Baldwin hdr_len = tls_header_len(en); 651a10482eaSJohn Baldwin mac_len = tls_mac_len(en); 652a10482eaSJohn Baldwin payload_len = len - (hdr_len + mac_len); 653a10482eaSJohn Baldwin ATF_REQUIRE(payload_len >= 1); 654a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP); 655a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 656a10482eaSJohn Baldwin ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 657a10482eaSJohn Baldwin 658a10482eaSJohn Baldwin tls_13_aad(en, hdr, seqno, &aad); 659a10482eaSJohn Baldwin tls_13_nonce(en, seqno, nonce); 660a10482eaSJohn Baldwin 661a10482eaSJohn Baldwin /* 662a10482eaSJohn Baldwin * Have to use a temporary buffer for the output due to the 663a10482eaSJohn Baldwin * record type as the last byte of the trailer. 664a10482eaSJohn Baldwin */ 665a10482eaSJohn Baldwin buf = malloc(payload_len); 666a10482eaSJohn Baldwin 667a10482eaSJohn Baldwin ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 668a10482eaSJohn Baldwin &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len, 669a10482eaSJohn Baldwin (const char *)src + hdr_len + payload_len, mac_len)); 670a10482eaSJohn Baldwin 671a10482eaSJohn Baldwin /* Trim record type. */ 672a10482eaSJohn Baldwin *record_type = buf[payload_len - 1]; 673a10482eaSJohn Baldwin payload_len--; 674a10482eaSJohn Baldwin 675a10482eaSJohn Baldwin memcpy(dst, buf, payload_len); 676a10482eaSJohn Baldwin free(buf); 677a10482eaSJohn Baldwin 678a10482eaSJohn Baldwin return (payload_len); 679a10482eaSJohn Baldwin } 680a10482eaSJohn Baldwin 681a10482eaSJohn Baldwin static size_t 682a10482eaSJohn Baldwin decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src, 683a10482eaSJohn Baldwin size_t len, void *dst, size_t avail, uint8_t *record_type) 684a10482eaSJohn Baldwin { 685a10482eaSJohn Baldwin const struct tls_record_layer *hdr; 686a10482eaSJohn Baldwin size_t payload_len; 687a10482eaSJohn Baldwin 688a10482eaSJohn Baldwin hdr = src; 689a10482eaSJohn Baldwin ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len); 690a10482eaSJohn Baldwin 691a10482eaSJohn Baldwin payload_len = len - (tls_header_len(en) + tls_trailer_len(en)); 692a10482eaSJohn Baldwin ATF_REQUIRE(payload_len <= avail); 693a10482eaSJohn Baldwin 694a10482eaSJohn Baldwin if (en->tls_vminor == TLS_MINOR_VER_TWO) { 695a10482eaSJohn Baldwin ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst, 696a10482eaSJohn Baldwin record_type) == payload_len); 697a10482eaSJohn Baldwin } else { 698a10482eaSJohn Baldwin ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst, 699a10482eaSJohn Baldwin record_type) == payload_len); 700a10482eaSJohn Baldwin } 701a10482eaSJohn Baldwin 702a10482eaSJohn Baldwin return (payload_len); 703a10482eaSJohn Baldwin } 704a10482eaSJohn Baldwin 705a10482eaSJohn Baldwin static size_t 706a10482eaSJohn Baldwin decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src, 707a10482eaSJohn Baldwin size_t len, void *dst, size_t avail, uint8_t *record_type) 708a10482eaSJohn Baldwin { 709a10482eaSJohn Baldwin if (en->cipher_algorithm == CRYPTO_AES_CBC) 710a10482eaSJohn Baldwin return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail, 711a10482eaSJohn Baldwin record_type)); 712a10482eaSJohn Baldwin else 713a10482eaSJohn Baldwin return (decrypt_tls_aead(en, seqno, src, len, dst, avail, 714a10482eaSJohn Baldwin record_type)); 715a10482eaSJohn Baldwin } 716a10482eaSJohn Baldwin 717a10482eaSJohn Baldwin static void 718a10482eaSJohn Baldwin test_ktls_transmit_app_data(struct tls_enable *en, uint64_t seqno, size_t len) 719a10482eaSJohn Baldwin { 720a10482eaSJohn Baldwin struct kevent ev; 721a10482eaSJohn Baldwin struct tls_record_layer *hdr; 722a10482eaSJohn Baldwin char *plaintext, *decrypted, *outbuf; 723a10482eaSJohn Baldwin size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written; 724a10482eaSJohn Baldwin ssize_t rv; 725a10482eaSJohn Baldwin int kq, sockets[2]; 726a10482eaSJohn Baldwin uint8_t record_type; 727a10482eaSJohn Baldwin 728a10482eaSJohn Baldwin plaintext = alloc_buffer(len); 729a10482eaSJohn Baldwin decrypted = malloc(len); 730a10482eaSJohn Baldwin outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 731a10482eaSJohn Baldwin tls_trailer_len(en); 732a10482eaSJohn Baldwin outbuf = malloc(outbuf_cap); 733a10482eaSJohn Baldwin hdr = (struct tls_record_layer *)outbuf; 734a10482eaSJohn Baldwin 735a10482eaSJohn Baldwin ATF_REQUIRE((kq = kqueue()) != -1); 736a10482eaSJohn Baldwin 737a10482eaSJohn Baldwin ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 738a10482eaSJohn Baldwin 739a10482eaSJohn Baldwin ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 740a10482eaSJohn Baldwin sizeof(*en)) == 0); 741a10482eaSJohn Baldwin 742a10482eaSJohn Baldwin EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 743a10482eaSJohn Baldwin ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 744a10482eaSJohn Baldwin EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 745a10482eaSJohn Baldwin ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 746a10482eaSJohn Baldwin 747a10482eaSJohn Baldwin decrypted_len = 0; 748a10482eaSJohn Baldwin outbuf_len = 0; 749a10482eaSJohn Baldwin written = 0; 750a10482eaSJohn Baldwin 751a10482eaSJohn Baldwin while (decrypted_len != len) { 752a10482eaSJohn Baldwin ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 753a10482eaSJohn Baldwin 754a10482eaSJohn Baldwin switch (ev.filter) { 755a10482eaSJohn Baldwin case EVFILT_WRITE: 756a10482eaSJohn Baldwin /* Try to write any remaining data. */ 757a10482eaSJohn Baldwin rv = write(ev.ident, plaintext + written, 758a10482eaSJohn Baldwin len - written); 759a10482eaSJohn Baldwin ATF_REQUIRE_MSG(rv > 0, 760a10482eaSJohn Baldwin "failed to write to socket"); 761a10482eaSJohn Baldwin written += rv; 762a10482eaSJohn Baldwin if (written == len) { 763a10482eaSJohn Baldwin ev.flags = EV_DISABLE; 764a10482eaSJohn Baldwin ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 765a10482eaSJohn Baldwin NULL) == 0); 766a10482eaSJohn Baldwin } 767a10482eaSJohn Baldwin break; 768a10482eaSJohn Baldwin 769a10482eaSJohn Baldwin case EVFILT_READ: 770a10482eaSJohn Baldwin ATF_REQUIRE((ev.flags & EV_EOF) == 0); 771a10482eaSJohn Baldwin 772a10482eaSJohn Baldwin /* 773a10482eaSJohn Baldwin * Try to read data for the next TLS record 774a10482eaSJohn Baldwin * into outbuf. Start by reading the header 775a10482eaSJohn Baldwin * to determine how much additional data to 776a10482eaSJohn Baldwin * read. 777a10482eaSJohn Baldwin */ 778a10482eaSJohn Baldwin if (outbuf_len < sizeof(struct tls_record_layer)) { 779a10482eaSJohn Baldwin rv = read(ev.ident, outbuf + outbuf_len, 780a10482eaSJohn Baldwin sizeof(struct tls_record_layer) - 781a10482eaSJohn Baldwin outbuf_len); 782a10482eaSJohn Baldwin ATF_REQUIRE_MSG(rv > 0, 783a10482eaSJohn Baldwin "failed to read from socket"); 784a10482eaSJohn Baldwin outbuf_len += rv; 785a10482eaSJohn Baldwin } 786a10482eaSJohn Baldwin 787a10482eaSJohn Baldwin if (outbuf_len < sizeof(struct tls_record_layer)) 788a10482eaSJohn Baldwin break; 789a10482eaSJohn Baldwin 790a10482eaSJohn Baldwin record_len = sizeof(struct tls_record_layer) + 791a10482eaSJohn Baldwin ntohs(hdr->tls_length); 792a10482eaSJohn Baldwin assert(record_len <= outbuf_cap); 793a10482eaSJohn Baldwin assert(record_len > outbuf_len); 794a10482eaSJohn Baldwin rv = read(ev.ident, outbuf + outbuf_len, 795a10482eaSJohn Baldwin record_len - outbuf_len); 796a10482eaSJohn Baldwin if (rv == -1 && errno == EAGAIN) 797a10482eaSJohn Baldwin break; 798a10482eaSJohn Baldwin ATF_REQUIRE_MSG(rv > 0, "failed to read from socket"); 799a10482eaSJohn Baldwin 800a10482eaSJohn Baldwin outbuf_len += rv; 801a10482eaSJohn Baldwin if (outbuf_len == record_len) { 802a10482eaSJohn Baldwin decrypted_len += decrypt_tls_record(en, seqno, 803a10482eaSJohn Baldwin outbuf, outbuf_len, 804a10482eaSJohn Baldwin decrypted + decrypted_len, 805a10482eaSJohn Baldwin len - decrypted_len, &record_type); 806a10482eaSJohn Baldwin ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 807a10482eaSJohn Baldwin 808a10482eaSJohn Baldwin seqno++; 809a10482eaSJohn Baldwin outbuf_len = 0; 810a10482eaSJohn Baldwin } 811a10482eaSJohn Baldwin break; 812a10482eaSJohn Baldwin } 813a10482eaSJohn Baldwin } 814a10482eaSJohn Baldwin 815a10482eaSJohn Baldwin ATF_REQUIRE_MSG(written == decrypted_len, 816a10482eaSJohn Baldwin "read %zu decrypted bytes, but wrote %zu", decrypted_len, written); 817a10482eaSJohn Baldwin 818a10482eaSJohn Baldwin ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 819a10482eaSJohn Baldwin 820a10482eaSJohn Baldwin free(outbuf); 821a10482eaSJohn Baldwin free(decrypted); 822a10482eaSJohn Baldwin free(plaintext); 823a10482eaSJohn Baldwin 824a10482eaSJohn Baldwin close(sockets[1]); 825a10482eaSJohn Baldwin close(sockets[0]); 826a10482eaSJohn Baldwin close(kq); 827a10482eaSJohn Baldwin } 828a10482eaSJohn Baldwin 829a10482eaSJohn Baldwin static void 830a10482eaSJohn Baldwin ktls_send_control_message(int fd, uint8_t type, void *data, size_t len) 831a10482eaSJohn Baldwin { 832a10482eaSJohn Baldwin struct msghdr msg; 833a10482eaSJohn Baldwin struct cmsghdr *cmsg; 834a10482eaSJohn Baldwin char cbuf[CMSG_SPACE(sizeof(type))]; 835a10482eaSJohn Baldwin struct iovec iov; 836a10482eaSJohn Baldwin 837a10482eaSJohn Baldwin memset(&msg, 0, sizeof(msg)); 838a10482eaSJohn Baldwin 839a10482eaSJohn Baldwin msg.msg_control = cbuf; 840a10482eaSJohn Baldwin msg.msg_controllen = sizeof(cbuf); 841a10482eaSJohn Baldwin cmsg = CMSG_FIRSTHDR(&msg); 842a10482eaSJohn Baldwin cmsg->cmsg_level = IPPROTO_TCP; 843a10482eaSJohn Baldwin cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 844a10482eaSJohn Baldwin cmsg->cmsg_len = CMSG_LEN(sizeof(type)); 845a10482eaSJohn Baldwin *(uint8_t *)CMSG_DATA(cmsg) = type; 846a10482eaSJohn Baldwin 847a10482eaSJohn Baldwin iov.iov_base = data; 848a10482eaSJohn Baldwin iov.iov_len = len; 849a10482eaSJohn Baldwin msg.msg_iov = &iov; 850a10482eaSJohn Baldwin msg.msg_iovlen = 1; 851a10482eaSJohn Baldwin 852a10482eaSJohn Baldwin ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len); 853a10482eaSJohn Baldwin } 854a10482eaSJohn Baldwin 855a10482eaSJohn Baldwin static void 856a10482eaSJohn Baldwin test_ktls_transmit_control(struct tls_enable *en, uint64_t seqno, uint8_t type, 857a10482eaSJohn Baldwin size_t len) 858a10482eaSJohn Baldwin { 859a10482eaSJohn Baldwin struct tls_record_layer *hdr; 860a10482eaSJohn Baldwin char *plaintext, *decrypted, *outbuf; 861a10482eaSJohn Baldwin size_t outbuf_cap, payload_len, record_len; 862a10482eaSJohn Baldwin ssize_t rv; 863a10482eaSJohn Baldwin int sockets[2]; 864a10482eaSJohn Baldwin uint8_t record_type; 865a10482eaSJohn Baldwin 866a10482eaSJohn Baldwin ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 867a10482eaSJohn Baldwin 868a10482eaSJohn Baldwin plaintext = alloc_buffer(len); 869a10482eaSJohn Baldwin decrypted = malloc(len); 870a10482eaSJohn Baldwin outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 871a10482eaSJohn Baldwin outbuf = malloc(outbuf_cap); 872a10482eaSJohn Baldwin hdr = (struct tls_record_layer *)outbuf; 873a10482eaSJohn Baldwin 874a10482eaSJohn Baldwin ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 875a10482eaSJohn Baldwin 876a10482eaSJohn Baldwin ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 877a10482eaSJohn Baldwin sizeof(*en)) == 0); 878a10482eaSJohn Baldwin 879a10482eaSJohn Baldwin fd_set_blocking(sockets[0]); 880a10482eaSJohn Baldwin fd_set_blocking(sockets[1]); 881a10482eaSJohn Baldwin 882a10482eaSJohn Baldwin ktls_send_control_message(sockets[1], type, plaintext, len); 883a10482eaSJohn Baldwin 884a10482eaSJohn Baldwin /* 885a10482eaSJohn Baldwin * First read the header to determine how much additional data 886a10482eaSJohn Baldwin * to read. 887a10482eaSJohn Baldwin */ 888a10482eaSJohn Baldwin rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 889a10482eaSJohn Baldwin ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 890a10482eaSJohn Baldwin payload_len = ntohs(hdr->tls_length); 891a10482eaSJohn Baldwin record_len = payload_len + sizeof(struct tls_record_layer); 892a10482eaSJohn Baldwin assert(record_len <= outbuf_cap); 893a10482eaSJohn Baldwin rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 894a10482eaSJohn Baldwin payload_len); 895a10482eaSJohn Baldwin ATF_REQUIRE(rv == (ssize_t)payload_len); 896a10482eaSJohn Baldwin 897a10482eaSJohn Baldwin rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len, 898a10482eaSJohn Baldwin &record_type); 899a10482eaSJohn Baldwin 900a10482eaSJohn Baldwin ATF_REQUIRE_MSG((ssize_t)len == rv, 901a10482eaSJohn Baldwin "read %zd decrypted bytes, but wrote %zu", rv, len); 902a10482eaSJohn Baldwin ATF_REQUIRE(record_type == type); 903a10482eaSJohn Baldwin 904a10482eaSJohn Baldwin ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 905a10482eaSJohn Baldwin 906a10482eaSJohn Baldwin free(outbuf); 907a10482eaSJohn Baldwin free(decrypted); 908a10482eaSJohn Baldwin free(plaintext); 909a10482eaSJohn Baldwin 910a10482eaSJohn Baldwin close(sockets[1]); 911a10482eaSJohn Baldwin close(sockets[0]); 912a10482eaSJohn Baldwin } 913a10482eaSJohn Baldwin 914*0ff2a12aSJohn Baldwin static void 915*0ff2a12aSJohn Baldwin test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno) 916*0ff2a12aSJohn Baldwin { 917*0ff2a12aSJohn Baldwin struct tls_record_layer *hdr; 918*0ff2a12aSJohn Baldwin char *outbuf; 919*0ff2a12aSJohn Baldwin size_t outbuf_cap, payload_len, record_len; 920*0ff2a12aSJohn Baldwin ssize_t rv; 921*0ff2a12aSJohn Baldwin int sockets[2]; 922*0ff2a12aSJohn Baldwin uint8_t record_type; 923*0ff2a12aSJohn Baldwin 924*0ff2a12aSJohn Baldwin outbuf_cap = tls_header_len(en) + tls_trailer_len(en); 925*0ff2a12aSJohn Baldwin outbuf = malloc(outbuf_cap); 926*0ff2a12aSJohn Baldwin hdr = (struct tls_record_layer *)outbuf; 927*0ff2a12aSJohn Baldwin 928*0ff2a12aSJohn Baldwin ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 929*0ff2a12aSJohn Baldwin 930*0ff2a12aSJohn Baldwin ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 931*0ff2a12aSJohn Baldwin sizeof(*en)) == 0); 932*0ff2a12aSJohn Baldwin 933*0ff2a12aSJohn Baldwin fd_set_blocking(sockets[0]); 934*0ff2a12aSJohn Baldwin fd_set_blocking(sockets[1]); 935*0ff2a12aSJohn Baldwin 936*0ff2a12aSJohn Baldwin /* A write of zero bytes should send an empty fragment. */ 937*0ff2a12aSJohn Baldwin rv = write(sockets[1], NULL, 0); 938*0ff2a12aSJohn Baldwin ATF_REQUIRE(rv == 0); 939*0ff2a12aSJohn Baldwin 940*0ff2a12aSJohn Baldwin /* 941*0ff2a12aSJohn Baldwin * First read the header to determine how much additional data 942*0ff2a12aSJohn Baldwin * to read. 943*0ff2a12aSJohn Baldwin */ 944*0ff2a12aSJohn Baldwin rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 945*0ff2a12aSJohn Baldwin ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 946*0ff2a12aSJohn Baldwin payload_len = ntohs(hdr->tls_length); 947*0ff2a12aSJohn Baldwin record_len = payload_len + sizeof(struct tls_record_layer); 948*0ff2a12aSJohn Baldwin ATF_REQUIRE(record_len <= outbuf_cap); 949*0ff2a12aSJohn Baldwin rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 950*0ff2a12aSJohn Baldwin payload_len); 951*0ff2a12aSJohn Baldwin ATF_REQUIRE(rv == (ssize_t)payload_len); 952*0ff2a12aSJohn Baldwin 953*0ff2a12aSJohn Baldwin rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, 954*0ff2a12aSJohn Baldwin &record_type); 955*0ff2a12aSJohn Baldwin 956*0ff2a12aSJohn Baldwin ATF_REQUIRE_MSG(rv == 0, 957*0ff2a12aSJohn Baldwin "read %zd decrypted bytes for an empty fragment", rv); 958*0ff2a12aSJohn Baldwin ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 959*0ff2a12aSJohn Baldwin 960*0ff2a12aSJohn Baldwin free(outbuf); 961*0ff2a12aSJohn Baldwin 962*0ff2a12aSJohn Baldwin close(sockets[1]); 963*0ff2a12aSJohn Baldwin close(sockets[0]); 964*0ff2a12aSJohn Baldwin } 965*0ff2a12aSJohn Baldwin 966*0ff2a12aSJohn Baldwin #define TLS_10_TESTS(M) \ 967*0ff2a12aSJohn Baldwin M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 968*0ff2a12aSJohn Baldwin CRYPTO_SHA1_HMAC) \ 969*0ff2a12aSJohn Baldwin M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 970*0ff2a12aSJohn Baldwin CRYPTO_SHA1_HMAC) 971*0ff2a12aSJohn Baldwin 972a10482eaSJohn Baldwin #define AES_CBC_TESTS(M) \ 973a10482eaSJohn Baldwin M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 974a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 975a10482eaSJohn Baldwin M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 976a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 977a10482eaSJohn Baldwin M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \ 978a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 979a10482eaSJohn Baldwin M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \ 980a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 981a10482eaSJohn Baldwin M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \ 982a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 983a10482eaSJohn Baldwin M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \ 984a10482eaSJohn Baldwin CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 985a10482eaSJohn Baldwin M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \ 986a10482eaSJohn Baldwin CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 987a10482eaSJohn Baldwin M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \ 988a10482eaSJohn Baldwin CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 989a10482eaSJohn Baldwin M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \ 990a10482eaSJohn Baldwin CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 991a10482eaSJohn Baldwin M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \ 992a10482eaSJohn Baldwin CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 993a10482eaSJohn Baldwin 994a10482eaSJohn Baldwin #define AES_GCM_TESTS(M) \ 995a10482eaSJohn Baldwin M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 996a10482eaSJohn Baldwin TLS_MINOR_VER_TWO) \ 997a10482eaSJohn Baldwin M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 998a10482eaSJohn Baldwin TLS_MINOR_VER_TWO) \ 999a10482eaSJohn Baldwin M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1000a10482eaSJohn Baldwin TLS_MINOR_VER_THREE) \ 1001a10482eaSJohn Baldwin M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1002a10482eaSJohn Baldwin TLS_MINOR_VER_THREE) 1003a10482eaSJohn Baldwin 1004a10482eaSJohn Baldwin #define CHACHA20_TESTS(M) \ 1005a10482eaSJohn Baldwin M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1006a10482eaSJohn Baldwin TLS_MINOR_VER_TWO) \ 1007a10482eaSJohn Baldwin M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1008a10482eaSJohn Baldwin TLS_MINOR_VER_THREE) 1009a10482eaSJohn Baldwin 1010a10482eaSJohn Baldwin #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1011a10482eaSJohn Baldwin auth_alg, minor, name, len) \ 1012a10482eaSJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1013a10482eaSJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1014a10482eaSJohn Baldwin { \ 1015a10482eaSJohn Baldwin struct tls_enable en; \ 1016a10482eaSJohn Baldwin uint64_t seqno; \ 1017a10482eaSJohn Baldwin \ 1018a10482eaSJohn Baldwin ATF_REQUIRE_KTLS(); \ 1019a10482eaSJohn Baldwin seqno = random(); \ 1020a10482eaSJohn Baldwin build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1021a10482eaSJohn Baldwin &en); \ 1022a10482eaSJohn Baldwin test_ktls_transmit_app_data(&en, seqno, len); \ 1023a10482eaSJohn Baldwin free_tls_enable(&en); \ 1024a10482eaSJohn Baldwin } 1025a10482eaSJohn Baldwin 1026a10482eaSJohn Baldwin #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1027a10482eaSJohn Baldwin auth_alg, minor, name) \ 1028a10482eaSJohn Baldwin ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1029a10482eaSJohn Baldwin 1030a10482eaSJohn Baldwin #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 103144265dc3SJohn Baldwin auth_alg, minor, name, type, len) \ 103244265dc3SJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 103344265dc3SJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1034a10482eaSJohn Baldwin { \ 1035a10482eaSJohn Baldwin struct tls_enable en; \ 1036a10482eaSJohn Baldwin uint64_t seqno; \ 1037a10482eaSJohn Baldwin \ 1038a10482eaSJohn Baldwin ATF_REQUIRE_KTLS(); \ 1039a10482eaSJohn Baldwin seqno = random(); \ 1040a10482eaSJohn Baldwin build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1041a10482eaSJohn Baldwin &en); \ 1042a10482eaSJohn Baldwin test_ktls_transmit_control(&en, seqno, type, len); \ 1043a10482eaSJohn Baldwin free_tls_enable(&en); \ 1044a10482eaSJohn Baldwin } 1045a10482eaSJohn Baldwin 1046a10482eaSJohn Baldwin #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 104744265dc3SJohn Baldwin auth_alg, minor, name) \ 104844265dc3SJohn Baldwin ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1049a10482eaSJohn Baldwin 1050*0ff2a12aSJohn Baldwin #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1051*0ff2a12aSJohn Baldwin key_size, auth_alg) \ 1052*0ff2a12aSJohn Baldwin ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ 1053*0ff2a12aSJohn Baldwin ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ 1054*0ff2a12aSJohn Baldwin { \ 1055*0ff2a12aSJohn Baldwin struct tls_enable en; \ 1056*0ff2a12aSJohn Baldwin uint64_t seqno; \ 1057*0ff2a12aSJohn Baldwin \ 1058*0ff2a12aSJohn Baldwin ATF_REQUIRE_KTLS(); \ 1059*0ff2a12aSJohn Baldwin seqno = random(); \ 1060*0ff2a12aSJohn Baldwin build_tls_enable(cipher_alg, key_size, auth_alg, \ 1061*0ff2a12aSJohn Baldwin TLS_MINOR_VER_ZERO, seqno, &en); \ 1062*0ff2a12aSJohn Baldwin test_ktls_transmit_empty_fragment(&en, seqno); \ 1063*0ff2a12aSJohn Baldwin free_tls_enable(&en); \ 1064*0ff2a12aSJohn Baldwin } 1065*0ff2a12aSJohn Baldwin 1066*0ff2a12aSJohn Baldwin #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1067*0ff2a12aSJohn Baldwin key_size, auth_alg) \ 1068*0ff2a12aSJohn Baldwin ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); 1069*0ff2a12aSJohn Baldwin 1070a10482eaSJohn Baldwin #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1071a10482eaSJohn Baldwin minor) \ 1072a10482eaSJohn Baldwin GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1073a10482eaSJohn Baldwin auth_alg, minor, short, 64) \ 1074a10482eaSJohn Baldwin GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1075a10482eaSJohn Baldwin auth_alg, minor, long, 64 * 1024) \ 1076a10482eaSJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 107744265dc3SJohn Baldwin auth_alg, minor, control, 0x21 /* Alert */, 32) 1078a10482eaSJohn Baldwin 1079a10482eaSJohn Baldwin #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1080a10482eaSJohn Baldwin minor) \ 1081a10482eaSJohn Baldwin ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1082a10482eaSJohn Baldwin auth_alg, minor, short) \ 1083a10482eaSJohn Baldwin ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1084a10482eaSJohn Baldwin auth_alg, minor, long) \ 1085a10482eaSJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 108644265dc3SJohn Baldwin auth_alg, minor, control) 1087a10482eaSJohn Baldwin 1088a10482eaSJohn Baldwin /* 1089a10482eaSJohn Baldwin * For each supported cipher suite, run three transmit tests: 1090a10482eaSJohn Baldwin * 1091a10482eaSJohn Baldwin * - a short test which sends 64 bytes of application data (likely as 1092a10482eaSJohn Baldwin * a single TLS record) 1093a10482eaSJohn Baldwin * 1094a10482eaSJohn Baldwin * - a long test which sends 64KB of application data (split across 1095a10482eaSJohn Baldwin * multiple TLS records) 1096a10482eaSJohn Baldwin * 1097a10482eaSJohn Baldwin * - a control test which sends a single record with a specific 1098a10482eaSJohn Baldwin * content type via sendmsg() 1099a10482eaSJohn Baldwin */ 1100a10482eaSJohn Baldwin AES_CBC_TESTS(GEN_TRANSMIT_TESTS); 1101a10482eaSJohn Baldwin AES_GCM_TESTS(GEN_TRANSMIT_TESTS); 1102a10482eaSJohn Baldwin CHACHA20_TESTS(GEN_TRANSMIT_TESTS); 1103a10482eaSJohn Baldwin 110444265dc3SJohn Baldwin #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 110544265dc3SJohn Baldwin auth_alg, minor) \ 110644265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 110744265dc3SJohn Baldwin auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \ 110844265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 110944265dc3SJohn Baldwin auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \ 111044265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 111144265dc3SJohn Baldwin auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \ 111244265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 111344265dc3SJohn Baldwin auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \ 111444265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 111544265dc3SJohn Baldwin auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \ 111644265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 111744265dc3SJohn Baldwin auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \ 111844265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 111944265dc3SJohn Baldwin auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \ 112044265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 112144265dc3SJohn Baldwin auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \ 112244265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 112344265dc3SJohn Baldwin auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \ 112444265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 112544265dc3SJohn Baldwin auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \ 112644265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 112744265dc3SJohn Baldwin auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \ 112844265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 112944265dc3SJohn Baldwin auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \ 113044265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 113144265dc3SJohn Baldwin auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \ 113244265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 113344265dc3SJohn Baldwin auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \ 113444265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 113544265dc3SJohn Baldwin auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \ 113644265dc3SJohn Baldwin GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 113744265dc3SJohn Baldwin auth_alg, minor, padding_16, 0x21 /* Alert */, 16) 113844265dc3SJohn Baldwin 113944265dc3SJohn Baldwin #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 114044265dc3SJohn Baldwin auth_alg, minor) \ 114144265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 114244265dc3SJohn Baldwin auth_alg, minor, padding_1) \ 114344265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 114444265dc3SJohn Baldwin auth_alg, minor, padding_2) \ 114544265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 114644265dc3SJohn Baldwin auth_alg, minor, padding_3) \ 114744265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 114844265dc3SJohn Baldwin auth_alg, minor, padding_4) \ 114944265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 115044265dc3SJohn Baldwin auth_alg, minor, padding_5) \ 115144265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 115244265dc3SJohn Baldwin auth_alg, minor, padding_6) \ 115344265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 115444265dc3SJohn Baldwin auth_alg, minor, padding_7) \ 115544265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 115644265dc3SJohn Baldwin auth_alg, minor, padding_8) \ 115744265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 115844265dc3SJohn Baldwin auth_alg, minor, padding_9) \ 115944265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 116044265dc3SJohn Baldwin auth_alg, minor, padding_10) \ 116144265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 116244265dc3SJohn Baldwin auth_alg, minor, padding_11) \ 116344265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 116444265dc3SJohn Baldwin auth_alg, minor, padding_12) \ 116544265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 116644265dc3SJohn Baldwin auth_alg, minor, padding_13) \ 116744265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 116844265dc3SJohn Baldwin auth_alg, minor, padding_14) \ 116944265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 117044265dc3SJohn Baldwin auth_alg, minor, padding_15) \ 117144265dc3SJohn Baldwin ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 117244265dc3SJohn Baldwin auth_alg, minor, padding_16) 117344265dc3SJohn Baldwin 117444265dc3SJohn Baldwin /* 117544265dc3SJohn Baldwin * For AES-CBC MTE cipher suites using padding, add tests of messages 117644265dc3SJohn Baldwin * with each possible padding size. Note that the padding_<N> tests 117744265dc3SJohn Baldwin * do not necessarily test <N> bytes of padding as the padding is a 117844265dc3SJohn Baldwin * function of the cipher suite's MAC length. However, cycling 117944265dc3SJohn Baldwin * through all of the payload sizes from 1 to 16 should exercise all 118044265dc3SJohn Baldwin * of the possible padding lengths for each suite. 118144265dc3SJohn Baldwin */ 118244265dc3SJohn Baldwin AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); 118344265dc3SJohn Baldwin 1184*0ff2a12aSJohn Baldwin /* 1185*0ff2a12aSJohn Baldwin * Test "empty fragments" which are TLS records with no payload that 1186*0ff2a12aSJohn Baldwin * OpenSSL can send for TLS 1.0 connections. 1187*0ff2a12aSJohn Baldwin */ 1188*0ff2a12aSJohn Baldwin TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1189*0ff2a12aSJohn Baldwin 1190a10482eaSJohn Baldwin ATF_TP_ADD_TCS(tp) 1191a10482eaSJohn Baldwin { 1192a10482eaSJohn Baldwin AES_CBC_TESTS(ADD_TRANSMIT_TESTS); 1193a10482eaSJohn Baldwin AES_GCM_TESTS(ADD_TRANSMIT_TESTS); 1194a10482eaSJohn Baldwin CHACHA20_TESTS(ADD_TRANSMIT_TESTS); 119544265dc3SJohn Baldwin AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); 1196*0ff2a12aSJohn Baldwin TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1197a10482eaSJohn Baldwin 1198a10482eaSJohn Baldwin return (atf_no_error()); 1199a10482eaSJohn Baldwin } 1200