1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Netflix Inc. 5 * Written by: John Baldwin <jhb@FreeBSD.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/endian.h> 31 #include <sys/event.h> 32 #include <sys/ktls.h> 33 #include <sys/socket.h> 34 #include <sys/sysctl.h> 35 #include <netinet/in.h> 36 #include <netinet/tcp.h> 37 #include <crypto/cryptodev.h> 38 #include <assert.h> 39 #include <err.h> 40 #include <fcntl.h> 41 #include <netdb.h> 42 #include <poll.h> 43 #include <stdbool.h> 44 #include <stdlib.h> 45 #include <atf-c.h> 46 47 #include <openssl/err.h> 48 #include <openssl/evp.h> 49 #include <openssl/hmac.h> 50 51 static void 52 require_ktls(void) 53 { 54 size_t len; 55 bool enable; 56 57 len = sizeof(enable); 58 if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) { 59 if (errno == ENOENT) 60 atf_tc_skip("kernel does not support TLS offload"); 61 atf_libc_error(errno, "Failed to read kern.ipc.tls.enable"); 62 } 63 64 if (!enable) 65 atf_tc_skip("Kernel TLS is disabled"); 66 } 67 68 #define ATF_REQUIRE_KTLS() require_ktls() 69 70 static char 71 rdigit(void) 72 { 73 /* ASCII printable values between 0x20 and 0x7e */ 74 return (0x20 + random() % (0x7f - 0x20)); 75 } 76 77 static char * 78 alloc_buffer(size_t len) 79 { 80 char *buf; 81 size_t i; 82 83 if (len == 0) 84 return (NULL); 85 buf = malloc(len); 86 for (i = 0; i < len; i++) 87 buf[i] = rdigit(); 88 return (buf); 89 } 90 91 static bool 92 socketpair_tcp(int sv[2]) 93 { 94 struct pollfd pfd; 95 struct sockaddr_in sin; 96 socklen_t len; 97 int as, cs, ls; 98 99 ls = socket(PF_INET, SOCK_STREAM, 0); 100 if (ls == -1) { 101 warn("socket() for listen"); 102 return (false); 103 } 104 105 memset(&sin, 0, sizeof(sin)); 106 sin.sin_len = sizeof(sin); 107 sin.sin_family = AF_INET; 108 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 109 if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 110 warn("bind"); 111 close(ls); 112 return (false); 113 } 114 115 if (listen(ls, 1) == -1) { 116 warn("listen"); 117 close(ls); 118 return (false); 119 } 120 121 len = sizeof(sin); 122 if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) { 123 warn("getsockname"); 124 close(ls); 125 return (false); 126 } 127 128 cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); 129 if (cs == -1) { 130 warn("socket() for connect"); 131 close(ls); 132 return (false); 133 } 134 135 if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 136 if (errno != EINPROGRESS) { 137 warn("connect"); 138 close(ls); 139 close(cs); 140 return (false); 141 } 142 } 143 144 as = accept4(ls, NULL, NULL, SOCK_NONBLOCK); 145 if (as == -1) { 146 warn("accept4"); 147 close(ls); 148 close(cs); 149 return (false); 150 } 151 152 close(ls); 153 154 pfd.fd = cs; 155 pfd.events = POLLOUT; 156 pfd.revents = 0; 157 ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1); 158 ATF_REQUIRE(pfd.revents == POLLOUT); 159 160 sv[0] = cs; 161 sv[1] = as; 162 return (true); 163 } 164 165 static bool 166 echo_socket(const atf_tc_t *tc, int sv[2]) 167 { 168 const char *cause, *host, *port; 169 struct addrinfo hints, *ai, *tofree; 170 int error, flags, s; 171 172 host = atf_tc_get_config_var(tc, "ktls.host"); 173 port = atf_tc_get_config_var_wd(tc, "ktls.port", "echo"); 174 memset(&hints, 0, sizeof(hints)); 175 hints.ai_family = AF_UNSPEC; 176 hints.ai_socktype = SOCK_STREAM; 177 hints.ai_protocol = IPPROTO_TCP; 178 error = getaddrinfo(host, port, &hints, &tofree); 179 if (error != 0) { 180 warnx("getaddrinfo(%s:%s) failed: %s", host, port, 181 gai_strerror(error)); 182 return (false); 183 } 184 185 cause = NULL; 186 for (ai = tofree; ai != NULL; ai = ai->ai_next) { 187 s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 188 if (s == -1) { 189 cause = "socket"; 190 error = errno; 191 continue; 192 } 193 194 if (connect(s, ai->ai_addr, ai->ai_addrlen) == -1) { 195 cause = "connect"; 196 error = errno; 197 close(s); 198 continue; 199 } 200 201 freeaddrinfo(tofree); 202 203 ATF_REQUIRE((flags = fcntl(s, F_GETFL)) != -1); 204 flags |= O_NONBLOCK; 205 ATF_REQUIRE(fcntl(s, F_SETFL, flags) != -1); 206 207 sv[0] = s; 208 sv[1] = s; 209 return (true); 210 } 211 212 warnc(error, "%s", cause); 213 freeaddrinfo(tofree); 214 return (false); 215 } 216 217 static bool 218 open_sockets(const atf_tc_t *tc, int sv[2]) 219 { 220 if (atf_tc_has_config_var(tc, "ktls.host")) 221 return (echo_socket(tc, sv)); 222 else 223 return (socketpair_tcp(sv)); 224 } 225 226 static void 227 close_sockets(int sv[2]) 228 { 229 if (sv[0] != sv[1]) 230 ATF_REQUIRE(close(sv[1]) == 0); 231 ATF_REQUIRE(close(sv[0]) == 0); 232 } 233 234 static void 235 fd_set_blocking(int fd) 236 { 237 int flags; 238 239 ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1); 240 flags &= ~O_NONBLOCK; 241 ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1); 242 } 243 244 static bool 245 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 246 const char *input, char *output, size_t size) 247 { 248 EVP_CIPHER_CTX *ctx; 249 int outl, total; 250 251 ctx = EVP_CIPHER_CTX_new(); 252 if (ctx == NULL) { 253 warnx("EVP_CIPHER_CTX_new failed: %s", 254 ERR_error_string(ERR_get_error(), NULL)); 255 return (false); 256 } 257 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key, 258 (const u_char *)iv, 0) != 1) { 259 warnx("EVP_CipherInit_ex failed: %s", 260 ERR_error_string(ERR_get_error(), NULL)); 261 EVP_CIPHER_CTX_free(ctx); 262 return (false); 263 } 264 EVP_CIPHER_CTX_set_padding(ctx, 0); 265 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl, 266 (const u_char *)input, size) != 1) { 267 warnx("EVP_CipherUpdate failed: %s", 268 ERR_error_string(ERR_get_error(), NULL)); 269 EVP_CIPHER_CTX_free(ctx); 270 return (false); 271 } 272 total = outl; 273 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 274 warnx("EVP_CipherFinal_ex failed: %s", 275 ERR_error_string(ERR_get_error(), NULL)); 276 EVP_CIPHER_CTX_free(ctx); 277 return (false); 278 } 279 total += outl; 280 if ((size_t)total != size) { 281 warnx("decrypt size mismatch: %zu vs %d", size, total); 282 EVP_CIPHER_CTX_free(ctx); 283 return (false); 284 } 285 EVP_CIPHER_CTX_free(ctx); 286 return (true); 287 } 288 289 static bool 290 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 291 size_t aad_len, const void *buffer, size_t len, const void *digest) 292 { 293 HMAC_CTX *ctx; 294 unsigned char digest2[EVP_MAX_MD_SIZE]; 295 u_int digest_len; 296 297 ctx = HMAC_CTX_new(); 298 if (ctx == NULL) { 299 warnx("HMAC_CTX_new failed: %s", 300 ERR_error_string(ERR_get_error(), NULL)); 301 return (false); 302 } 303 if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) { 304 warnx("HMAC_Init_ex failed: %s", 305 ERR_error_string(ERR_get_error(), NULL)); 306 HMAC_CTX_free(ctx); 307 return (false); 308 } 309 if (HMAC_Update(ctx, aad, aad_len) != 1) { 310 warnx("HMAC_Update (aad) failed: %s", 311 ERR_error_string(ERR_get_error(), NULL)); 312 HMAC_CTX_free(ctx); 313 return (false); 314 } 315 if (HMAC_Update(ctx, buffer, len) != 1) { 316 warnx("HMAC_Update (payload) failed: %s", 317 ERR_error_string(ERR_get_error(), NULL)); 318 HMAC_CTX_free(ctx); 319 return (false); 320 } 321 if (HMAC_Final(ctx, digest2, &digest_len) != 1) { 322 warnx("HMAC_Final failed: %s", 323 ERR_error_string(ERR_get_error(), NULL)); 324 HMAC_CTX_free(ctx); 325 return (false); 326 } 327 HMAC_CTX_free(ctx); 328 if (memcmp(digest, digest2, digest_len) != 0) { 329 warnx("HMAC mismatch"); 330 return (false); 331 } 332 return (true); 333 } 334 335 static bool 336 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 337 const void *aad, size_t aad_len, const char *input, char *output, 338 size_t size, char *tag, size_t tag_len) 339 { 340 EVP_CIPHER_CTX *ctx; 341 int outl, total; 342 343 ctx = EVP_CIPHER_CTX_new(); 344 if (ctx == NULL) { 345 warnx("EVP_CIPHER_CTX_new failed: %s", 346 ERR_error_string(ERR_get_error(), NULL)); 347 return (false); 348 } 349 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 350 (const u_char *)nonce) != 1) { 351 warnx("EVP_EncryptInit_ex failed: %s", 352 ERR_error_string(ERR_get_error(), NULL)); 353 EVP_CIPHER_CTX_free(ctx); 354 return (false); 355 } 356 EVP_CIPHER_CTX_set_padding(ctx, 0); 357 if (aad != NULL) { 358 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 359 aad_len) != 1) { 360 warnx("EVP_EncryptUpdate for AAD failed: %s", 361 ERR_error_string(ERR_get_error(), NULL)); 362 EVP_CIPHER_CTX_free(ctx); 363 return (false); 364 } 365 } 366 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl, 367 (const u_char *)input, size) != 1) { 368 warnx("EVP_EncryptUpdate failed: %s", 369 ERR_error_string(ERR_get_error(), NULL)); 370 EVP_CIPHER_CTX_free(ctx); 371 return (false); 372 } 373 total = outl; 374 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 375 warnx("EVP_EncryptFinal_ex failed: %s", 376 ERR_error_string(ERR_get_error(), NULL)); 377 EVP_CIPHER_CTX_free(ctx); 378 return (false); 379 } 380 total += outl; 381 if ((size_t)total != size) { 382 warnx("encrypt size mismatch: %zu vs %d", size, total); 383 EVP_CIPHER_CTX_free(ctx); 384 return (false); 385 } 386 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) != 387 1) { 388 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s", 389 ERR_error_string(ERR_get_error(), NULL)); 390 EVP_CIPHER_CTX_free(ctx); 391 return (false); 392 } 393 EVP_CIPHER_CTX_free(ctx); 394 return (true); 395 } 396 397 static bool 398 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 399 const void *aad, size_t aad_len, const char *input, char *output, 400 size_t size, const char *tag, size_t tag_len) 401 { 402 EVP_CIPHER_CTX *ctx; 403 int outl, total; 404 bool valid; 405 406 ctx = EVP_CIPHER_CTX_new(); 407 if (ctx == NULL) { 408 warnx("EVP_CIPHER_CTX_new failed: %s", 409 ERR_error_string(ERR_get_error(), NULL)); 410 return (false); 411 } 412 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 413 (const u_char *)nonce) != 1) { 414 warnx("EVP_DecryptInit_ex failed: %s", 415 ERR_error_string(ERR_get_error(), NULL)); 416 EVP_CIPHER_CTX_free(ctx); 417 return (false); 418 } 419 EVP_CIPHER_CTX_set_padding(ctx, 0); 420 if (aad != NULL) { 421 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 422 aad_len) != 1) { 423 warnx("EVP_DecryptUpdate for AAD failed: %s", 424 ERR_error_string(ERR_get_error(), NULL)); 425 EVP_CIPHER_CTX_free(ctx); 426 return (false); 427 } 428 } 429 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl, 430 (const u_char *)input, size) != 1) { 431 warnx("EVP_DecryptUpdate failed: %s", 432 ERR_error_string(ERR_get_error(), NULL)); 433 EVP_CIPHER_CTX_free(ctx); 434 return (false); 435 } 436 total = outl; 437 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, 438 __DECONST(char *, tag)) != 1) { 439 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s", 440 ERR_error_string(ERR_get_error(), NULL)); 441 EVP_CIPHER_CTX_free(ctx); 442 return (false); 443 } 444 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1); 445 total += outl; 446 if ((size_t)total != size) { 447 warnx("decrypt size mismatch: %zu vs %d", size, total); 448 EVP_CIPHER_CTX_free(ctx); 449 return (false); 450 } 451 if (!valid) 452 warnx("tag mismatch"); 453 EVP_CIPHER_CTX_free(ctx); 454 return (valid); 455 } 456 457 static void 458 build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg, 459 int minor, uint64_t seqno, struct tls_enable *en) 460 { 461 u_int auth_key_len, iv_len; 462 463 memset(en, 0, sizeof(*en)); 464 465 switch (cipher_alg) { 466 case CRYPTO_AES_CBC: 467 if (minor == TLS_MINOR_VER_ZERO) 468 iv_len = AES_BLOCK_LEN; 469 else 470 iv_len = 0; 471 break; 472 case CRYPTO_AES_NIST_GCM_16: 473 if (minor == TLS_MINOR_VER_TWO) 474 iv_len = TLS_AEAD_GCM_LEN; 475 else 476 iv_len = TLS_1_3_GCM_IV_LEN; 477 break; 478 case CRYPTO_CHACHA20_POLY1305: 479 iv_len = TLS_CHACHA20_IV_LEN; 480 break; 481 default: 482 iv_len = 0; 483 break; 484 } 485 switch (auth_alg) { 486 case CRYPTO_SHA1_HMAC: 487 auth_key_len = SHA1_HASH_LEN; 488 break; 489 case CRYPTO_SHA2_256_HMAC: 490 auth_key_len = SHA2_256_HASH_LEN; 491 break; 492 case CRYPTO_SHA2_384_HMAC: 493 auth_key_len = SHA2_384_HASH_LEN; 494 break; 495 default: 496 auth_key_len = 0; 497 break; 498 } 499 en->cipher_key = alloc_buffer(cipher_key_len); 500 en->iv = alloc_buffer(iv_len); 501 en->auth_key = alloc_buffer(auth_key_len); 502 en->cipher_algorithm = cipher_alg; 503 en->cipher_key_len = cipher_key_len; 504 en->iv_len = iv_len; 505 en->auth_algorithm = auth_alg; 506 en->auth_key_len = auth_key_len; 507 en->tls_vmajor = TLS_MAJOR_VER_ONE; 508 en->tls_vminor = minor; 509 be64enc(en->rec_seq, seqno); 510 } 511 512 static void 513 free_tls_enable(struct tls_enable *en) 514 { 515 free(__DECONST(void *, en->cipher_key)); 516 free(__DECONST(void *, en->iv)); 517 free(__DECONST(void *, en->auth_key)); 518 } 519 520 static const EVP_CIPHER * 521 tls_EVP_CIPHER(const struct tls_enable *en) 522 { 523 switch (en->cipher_algorithm) { 524 case CRYPTO_AES_CBC: 525 switch (en->cipher_key_len) { 526 case 128 / 8: 527 return (EVP_aes_128_cbc()); 528 case 256 / 8: 529 return (EVP_aes_256_cbc()); 530 default: 531 return (NULL); 532 } 533 break; 534 case CRYPTO_AES_NIST_GCM_16: 535 switch (en->cipher_key_len) { 536 case 128 / 8: 537 return (EVP_aes_128_gcm()); 538 case 256 / 8: 539 return (EVP_aes_256_gcm()); 540 default: 541 return (NULL); 542 } 543 break; 544 case CRYPTO_CHACHA20_POLY1305: 545 return (EVP_chacha20_poly1305()); 546 default: 547 return (NULL); 548 } 549 } 550 551 static const EVP_MD * 552 tls_EVP_MD(const struct tls_enable *en) 553 { 554 switch (en->auth_algorithm) { 555 case CRYPTO_SHA1_HMAC: 556 return (EVP_sha1()); 557 case CRYPTO_SHA2_256_HMAC: 558 return (EVP_sha256()); 559 case CRYPTO_SHA2_384_HMAC: 560 return (EVP_sha384()); 561 default: 562 return (NULL); 563 } 564 } 565 566 static size_t 567 tls_header_len(struct tls_enable *en) 568 { 569 size_t len; 570 571 len = sizeof(struct tls_record_layer); 572 switch (en->cipher_algorithm) { 573 case CRYPTO_AES_CBC: 574 if (en->tls_vminor != TLS_MINOR_VER_ZERO) 575 len += AES_BLOCK_LEN; 576 return (len); 577 case CRYPTO_AES_NIST_GCM_16: 578 if (en->tls_vminor == TLS_MINOR_VER_TWO) 579 len += sizeof(uint64_t); 580 return (len); 581 case CRYPTO_CHACHA20_POLY1305: 582 return (len); 583 default: 584 return (0); 585 } 586 } 587 588 static size_t 589 tls_mac_len(struct tls_enable *en) 590 { 591 switch (en->cipher_algorithm) { 592 case CRYPTO_AES_CBC: 593 switch (en->auth_algorithm) { 594 case CRYPTO_SHA1_HMAC: 595 return (SHA1_HASH_LEN); 596 case CRYPTO_SHA2_256_HMAC: 597 return (SHA2_256_HASH_LEN); 598 case CRYPTO_SHA2_384_HMAC: 599 return (SHA2_384_HASH_LEN); 600 default: 601 return (0); 602 } 603 case CRYPTO_AES_NIST_GCM_16: 604 return (AES_GMAC_HASH_LEN); 605 case CRYPTO_CHACHA20_POLY1305: 606 return (POLY1305_HASH_LEN); 607 default: 608 return (0); 609 } 610 } 611 612 /* Includes maximum padding for MTE. */ 613 static size_t 614 tls_trailer_len(struct tls_enable *en) 615 { 616 size_t len; 617 618 len = tls_mac_len(en); 619 if (en->cipher_algorithm == CRYPTO_AES_CBC) 620 len += AES_BLOCK_LEN; 621 if (en->tls_vminor == TLS_MINOR_VER_THREE) 622 len++; 623 return (len); 624 } 625 626 /* 'len' is the length of the payload application data. */ 627 static void 628 tls_mte_aad(struct tls_enable *en, size_t len, 629 const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad) 630 { 631 ad->seq = htobe64(seqno); 632 ad->type = hdr->tls_type; 633 ad->tls_vmajor = hdr->tls_vmajor; 634 ad->tls_vminor = hdr->tls_vminor; 635 ad->tls_length = htons(len); 636 } 637 638 static void 639 tls_12_aead_aad(struct tls_enable *en, size_t len, 640 const struct tls_record_layer *hdr, uint64_t seqno, 641 struct tls_aead_data *ad) 642 { 643 ad->seq = htobe64(seqno); 644 ad->type = hdr->tls_type; 645 ad->tls_vmajor = hdr->tls_vmajor; 646 ad->tls_vminor = hdr->tls_vminor; 647 ad->tls_length = htons(len); 648 } 649 650 static void 651 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr, 652 uint64_t seqno, struct tls_aead_data_13 *ad) 653 { 654 ad->type = hdr->tls_type; 655 ad->tls_vmajor = hdr->tls_vmajor; 656 ad->tls_vminor = hdr->tls_vminor; 657 ad->tls_length = hdr->tls_length; 658 } 659 660 static void 661 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr, 662 char *nonce) 663 { 664 memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN); 665 memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 666 } 667 668 static void 669 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce) 670 { 671 static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN, 672 "TLS 1.3 nonce length mismatch"); 673 memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN); 674 *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 675 } 676 677 /* 678 * Decrypt a TLS record 'len' bytes long at 'src' and store the result at 679 * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't 680 * have sufficient room ('avail'), fail the test. 681 */ 682 static size_t 683 decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src, 684 size_t len, void *dst, size_t avail, uint8_t *record_type) 685 { 686 const struct tls_record_layer *hdr; 687 struct tls_mac_data aad; 688 const char *iv; 689 char *buf; 690 size_t hdr_len, mac_len, payload_len; 691 int padding; 692 693 hdr = src; 694 hdr_len = tls_header_len(en); 695 mac_len = tls_mac_len(en); 696 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 697 ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor); 698 699 /* First, decrypt the outer payload into a temporary buffer. */ 700 payload_len = len - hdr_len; 701 buf = malloc(payload_len); 702 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 703 iv = en->iv; 704 else 705 iv = (void *)(hdr + 1); 706 ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 707 (const u_char *)src + hdr_len, buf, payload_len)); 708 709 /* 710 * Copy the last encrypted block to use as the IV for the next 711 * record for TLS 1.0. 712 */ 713 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 714 memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src + 715 (len - AES_BLOCK_LEN), AES_BLOCK_LEN); 716 717 /* 718 * Verify trailing padding and strip. 719 * 720 * The kernel always generates the smallest amount of padding. 721 */ 722 padding = buf[payload_len - 1] + 1; 723 ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN); 724 ATF_REQUIRE(payload_len >= mac_len + padding); 725 payload_len -= padding; 726 727 /* Verify HMAC. */ 728 payload_len -= mac_len; 729 tls_mte_aad(en, payload_len, hdr, seqno, &aad); 730 ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 731 &aad, sizeof(aad), buf, payload_len, buf + payload_len)); 732 733 ATF_REQUIRE(payload_len <= avail); 734 memcpy(dst, buf, payload_len); 735 *record_type = hdr->tls_type; 736 return (payload_len); 737 } 738 739 static size_t 740 decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src, 741 size_t len, void *dst, uint8_t *record_type) 742 { 743 const struct tls_record_layer *hdr; 744 struct tls_aead_data aad; 745 char nonce[12]; 746 size_t hdr_len, mac_len, payload_len; 747 748 hdr = src; 749 750 hdr_len = tls_header_len(en); 751 mac_len = tls_mac_len(en); 752 payload_len = len - (hdr_len + mac_len); 753 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 754 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 755 756 tls_12_aead_aad(en, payload_len, hdr, seqno, &aad); 757 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 758 tls_12_gcm_nonce(en, hdr, nonce); 759 else 760 tls_13_nonce(en, seqno, nonce); 761 762 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 763 &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len, 764 (const char *)src + hdr_len + payload_len, mac_len)); 765 766 *record_type = hdr->tls_type; 767 return (payload_len); 768 } 769 770 static size_t 771 decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src, 772 size_t len, void *dst, uint8_t *record_type) 773 { 774 const struct tls_record_layer *hdr; 775 struct tls_aead_data_13 aad; 776 char nonce[12]; 777 char *buf; 778 size_t hdr_len, mac_len, payload_len; 779 780 hdr = src; 781 782 hdr_len = tls_header_len(en); 783 mac_len = tls_mac_len(en); 784 payload_len = len - (hdr_len + mac_len); 785 ATF_REQUIRE(payload_len >= 1); 786 ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP); 787 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 788 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 789 790 tls_13_aad(en, hdr, seqno, &aad); 791 tls_13_nonce(en, seqno, nonce); 792 793 /* 794 * Have to use a temporary buffer for the output due to the 795 * record type as the last byte of the trailer. 796 */ 797 buf = malloc(payload_len); 798 799 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 800 &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len, 801 (const char *)src + hdr_len + payload_len, mac_len)); 802 803 /* Trim record type. */ 804 *record_type = buf[payload_len - 1]; 805 payload_len--; 806 807 memcpy(dst, buf, payload_len); 808 free(buf); 809 810 return (payload_len); 811 } 812 813 static size_t 814 decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src, 815 size_t len, void *dst, size_t avail, uint8_t *record_type) 816 { 817 const struct tls_record_layer *hdr; 818 size_t payload_len; 819 820 hdr = src; 821 ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len); 822 823 payload_len = len - (tls_header_len(en) + tls_trailer_len(en)); 824 ATF_REQUIRE(payload_len <= avail); 825 826 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 827 ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst, 828 record_type) == payload_len); 829 } else { 830 ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst, 831 record_type) == payload_len); 832 } 833 834 return (payload_len); 835 } 836 837 static size_t 838 decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src, 839 size_t len, void *dst, size_t avail, uint8_t *record_type) 840 { 841 if (en->cipher_algorithm == CRYPTO_AES_CBC) 842 return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail, 843 record_type)); 844 else 845 return (decrypt_tls_aead(en, seqno, src, len, dst, avail, 846 record_type)); 847 } 848 849 /* 850 * Encrypt a TLS record of type 'record_type' with payload 'len' bytes 851 * long at 'src' and store the result at 'dst'. If 'dst' doesn't have 852 * sufficient room ('avail'), fail the test. 853 */ 854 static size_t 855 encrypt_tls_12_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 856 const void *src, size_t len, void *dst) 857 { 858 struct tls_record_layer *hdr; 859 struct tls_aead_data aad; 860 char nonce[12]; 861 size_t hdr_len, mac_len, record_len; 862 863 hdr = dst; 864 865 hdr_len = tls_header_len(en); 866 mac_len = tls_mac_len(en); 867 record_len = hdr_len + len + mac_len; 868 869 hdr->tls_type = record_type; 870 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 871 hdr->tls_vminor = TLS_MINOR_VER_TWO; 872 hdr->tls_length = htons(record_len - sizeof(*hdr)); 873 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 874 memcpy(hdr + 1, &seqno, sizeof(seqno)); 875 876 tls_12_aead_aad(en, len, hdr, seqno, &aad); 877 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 878 tls_12_gcm_nonce(en, hdr, nonce); 879 else 880 tls_13_nonce(en, seqno, nonce); 881 882 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 883 &aad, sizeof(aad), src, (char *)dst + hdr_len, len, 884 (char *)dst + hdr_len + len, mac_len)); 885 886 return (record_len); 887 } 888 889 static size_t 890 encrypt_tls_13_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 891 const void *src, size_t len, void *dst, size_t padding) 892 { 893 struct tls_record_layer *hdr; 894 struct tls_aead_data_13 aad; 895 char nonce[12]; 896 char *buf; 897 size_t hdr_len, mac_len, record_len; 898 899 hdr = dst; 900 901 hdr_len = tls_header_len(en); 902 mac_len = tls_mac_len(en); 903 record_len = hdr_len + len + 1 + padding + mac_len; 904 905 hdr->tls_type = TLS_RLTYPE_APP; 906 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 907 hdr->tls_vminor = TLS_MINOR_VER_TWO; 908 hdr->tls_length = htons(record_len - sizeof(*hdr)); 909 910 tls_13_aad(en, hdr, seqno, &aad); 911 tls_13_nonce(en, seqno, nonce); 912 913 /* 914 * Have to use a temporary buffer for the input so that the record 915 * type can be appended. 916 */ 917 buf = malloc(len + 1 + padding); 918 memcpy(buf, src, len); 919 buf[len] = record_type; 920 memset(buf + len + 1, 0, padding); 921 922 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 923 &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding, 924 (char *)dst + hdr_len + len + 1 + padding, mac_len)); 925 926 free(buf); 927 928 return (record_len); 929 } 930 931 static size_t 932 encrypt_tls_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 933 const void *src, size_t len, void *dst, size_t avail, size_t padding) 934 { 935 size_t record_len; 936 937 record_len = tls_header_len(en) + len + padding + tls_trailer_len(en); 938 ATF_REQUIRE(record_len <= avail); 939 940 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 941 ATF_REQUIRE(padding == 0); 942 ATF_REQUIRE(encrypt_tls_12_aead(en, record_type, seqno, src, 943 len, dst) == record_len); 944 } else 945 ATF_REQUIRE(encrypt_tls_13_aead(en, record_type, seqno, src, 946 len, dst, padding) == record_len); 947 948 return (record_len); 949 } 950 951 static size_t 952 encrypt_tls_record(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 953 const void *src, size_t len, void *dst, size_t avail, size_t padding) 954 { 955 return (encrypt_tls_aead(en, record_type, seqno, src, len, dst, avail, 956 padding)); 957 } 958 959 static void 960 test_ktls_transmit_app_data(const atf_tc_t *tc, struct tls_enable *en, 961 uint64_t seqno, size_t len) 962 { 963 struct kevent ev; 964 struct tls_record_layer *hdr; 965 char *plaintext, *decrypted, *outbuf; 966 size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written; 967 ssize_t rv; 968 int kq, sockets[2]; 969 uint8_t record_type; 970 971 plaintext = alloc_buffer(len); 972 decrypted = malloc(len); 973 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 974 tls_trailer_len(en); 975 outbuf = malloc(outbuf_cap); 976 hdr = (struct tls_record_layer *)outbuf; 977 978 ATF_REQUIRE((kq = kqueue()) != -1); 979 980 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 981 982 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 983 sizeof(*en)) == 0); 984 985 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 986 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 987 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 988 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 989 990 decrypted_len = 0; 991 outbuf_len = 0; 992 written = 0; 993 994 while (decrypted_len != len) { 995 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 996 997 switch (ev.filter) { 998 case EVFILT_WRITE: 999 /* Try to write any remaining data. */ 1000 rv = write(ev.ident, plaintext + written, 1001 len - written); 1002 ATF_REQUIRE_MSG(rv > 0, 1003 "failed to write to socket"); 1004 written += rv; 1005 if (written == len) { 1006 ev.flags = EV_DISABLE; 1007 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1008 NULL) == 0); 1009 } 1010 break; 1011 1012 case EVFILT_READ: 1013 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1014 1015 /* 1016 * Try to read data for the next TLS record 1017 * into outbuf. Start by reading the header 1018 * to determine how much additional data to 1019 * read. 1020 */ 1021 if (outbuf_len < sizeof(struct tls_record_layer)) { 1022 rv = read(ev.ident, outbuf + outbuf_len, 1023 sizeof(struct tls_record_layer) - 1024 outbuf_len); 1025 ATF_REQUIRE_MSG(rv > 0, 1026 "failed to read from socket"); 1027 outbuf_len += rv; 1028 } 1029 1030 if (outbuf_len < sizeof(struct tls_record_layer)) 1031 break; 1032 1033 record_len = sizeof(struct tls_record_layer) + 1034 ntohs(hdr->tls_length); 1035 ATF_REQUIRE(record_len <= outbuf_cap); 1036 ATF_REQUIRE(record_len > outbuf_len); 1037 rv = read(ev.ident, outbuf + outbuf_len, 1038 record_len - outbuf_len); 1039 if (rv == -1 && errno == EAGAIN) 1040 break; 1041 ATF_REQUIRE_MSG(rv > 0, "failed to read from socket"); 1042 1043 outbuf_len += rv; 1044 if (outbuf_len == record_len) { 1045 decrypted_len += decrypt_tls_record(en, seqno, 1046 outbuf, outbuf_len, 1047 decrypted + decrypted_len, 1048 len - decrypted_len, &record_type); 1049 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1050 1051 seqno++; 1052 outbuf_len = 0; 1053 } 1054 break; 1055 } 1056 } 1057 1058 ATF_REQUIRE_MSG(written == decrypted_len, 1059 "read %zu decrypted bytes, but wrote %zu", decrypted_len, written); 1060 1061 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1062 1063 free(outbuf); 1064 free(decrypted); 1065 free(plaintext); 1066 1067 close_sockets(sockets); 1068 ATF_REQUIRE(close(kq) == 0); 1069 } 1070 1071 static void 1072 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len) 1073 { 1074 struct msghdr msg; 1075 struct cmsghdr *cmsg; 1076 char cbuf[CMSG_SPACE(sizeof(type))]; 1077 struct iovec iov; 1078 1079 memset(&msg, 0, sizeof(msg)); 1080 1081 msg.msg_control = cbuf; 1082 msg.msg_controllen = sizeof(cbuf); 1083 cmsg = CMSG_FIRSTHDR(&msg); 1084 cmsg->cmsg_level = IPPROTO_TCP; 1085 cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 1086 cmsg->cmsg_len = CMSG_LEN(sizeof(type)); 1087 *(uint8_t *)CMSG_DATA(cmsg) = type; 1088 1089 iov.iov_base = data; 1090 iov.iov_len = len; 1091 msg.msg_iov = &iov; 1092 msg.msg_iovlen = 1; 1093 1094 ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len); 1095 } 1096 1097 static void 1098 test_ktls_transmit_control(const atf_tc_t *tc, struct tls_enable *en, 1099 uint64_t seqno, uint8_t type, size_t len) 1100 { 1101 struct tls_record_layer *hdr; 1102 char *plaintext, *decrypted, *outbuf; 1103 size_t outbuf_cap, payload_len, record_len; 1104 ssize_t rv; 1105 int sockets[2]; 1106 uint8_t record_type; 1107 1108 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1109 1110 plaintext = alloc_buffer(len); 1111 decrypted = malloc(len); 1112 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1113 outbuf = malloc(outbuf_cap); 1114 hdr = (struct tls_record_layer *)outbuf; 1115 1116 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1117 1118 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1119 sizeof(*en)) == 0); 1120 1121 fd_set_blocking(sockets[0]); 1122 fd_set_blocking(sockets[1]); 1123 1124 ktls_send_control_message(sockets[1], type, plaintext, len); 1125 1126 /* 1127 * First read the header to determine how much additional data 1128 * to read. 1129 */ 1130 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1131 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1132 payload_len = ntohs(hdr->tls_length); 1133 record_len = payload_len + sizeof(struct tls_record_layer); 1134 ATF_REQUIRE(record_len <= outbuf_cap); 1135 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1136 payload_len); 1137 ATF_REQUIRE(rv == (ssize_t)payload_len); 1138 1139 rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len, 1140 &record_type); 1141 1142 ATF_REQUIRE_MSG((ssize_t)len == rv, 1143 "read %zd decrypted bytes, but wrote %zu", rv, len); 1144 ATF_REQUIRE(record_type == type); 1145 1146 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1147 1148 free(outbuf); 1149 free(decrypted); 1150 free(plaintext); 1151 1152 close_sockets(sockets); 1153 } 1154 1155 static void 1156 test_ktls_transmit_empty_fragment(const atf_tc_t *tc, struct tls_enable *en, 1157 uint64_t seqno) 1158 { 1159 struct tls_record_layer *hdr; 1160 char *outbuf; 1161 size_t outbuf_cap, payload_len, record_len; 1162 ssize_t rv; 1163 int sockets[2]; 1164 uint8_t record_type; 1165 1166 outbuf_cap = tls_header_len(en) + tls_trailer_len(en); 1167 outbuf = malloc(outbuf_cap); 1168 hdr = (struct tls_record_layer *)outbuf; 1169 1170 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1171 1172 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1173 sizeof(*en)) == 0); 1174 1175 fd_set_blocking(sockets[0]); 1176 fd_set_blocking(sockets[1]); 1177 1178 /* 1179 * A write of zero bytes should send an empty fragment only for 1180 * TLS 1.0, otherwise an error should be raised. 1181 */ 1182 rv = write(sockets[1], NULL, 0); 1183 if (rv == 0) { 1184 ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); 1185 ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO); 1186 } else { 1187 ATF_REQUIRE(rv == -1); 1188 ATF_REQUIRE(errno == EINVAL); 1189 goto out; 1190 } 1191 1192 /* 1193 * First read the header to determine how much additional data 1194 * to read. 1195 */ 1196 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1197 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1198 payload_len = ntohs(hdr->tls_length); 1199 record_len = payload_len + sizeof(struct tls_record_layer); 1200 ATF_REQUIRE(record_len <= outbuf_cap); 1201 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1202 payload_len); 1203 ATF_REQUIRE(rv == (ssize_t)payload_len); 1204 1205 rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, 1206 &record_type); 1207 1208 ATF_REQUIRE_MSG(rv == 0, 1209 "read %zd decrypted bytes for an empty fragment", rv); 1210 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1211 1212 out: 1213 free(outbuf); 1214 1215 close_sockets(sockets); 1216 } 1217 1218 static size_t 1219 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type, 1220 void *data, size_t len) 1221 { 1222 struct msghdr msg; 1223 struct cmsghdr *cmsg; 1224 struct tls_get_record *tgr; 1225 char cbuf[CMSG_SPACE(sizeof(*tgr))]; 1226 struct iovec iov; 1227 ssize_t rv; 1228 1229 memset(&msg, 0, sizeof(msg)); 1230 1231 msg.msg_control = cbuf; 1232 msg.msg_controllen = sizeof(cbuf); 1233 1234 iov.iov_base = data; 1235 iov.iov_len = len; 1236 msg.msg_iov = &iov; 1237 msg.msg_iovlen = 1; 1238 1239 ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0); 1240 1241 ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR); 1242 1243 cmsg = CMSG_FIRSTHDR(&msg); 1244 ATF_REQUIRE(cmsg != NULL); 1245 ATF_REQUIRE(cmsg->cmsg_level == IPPROTO_TCP); 1246 ATF_REQUIRE(cmsg->cmsg_type == TLS_GET_RECORD); 1247 ATF_REQUIRE(cmsg->cmsg_len == CMSG_LEN(sizeof(*tgr))); 1248 1249 tgr = (struct tls_get_record *)CMSG_DATA(cmsg); 1250 ATF_REQUIRE(tgr->tls_type == record_type); 1251 ATF_REQUIRE(tgr->tls_vmajor == en->tls_vmajor); 1252 /* XXX: Not sure if this is what OpenSSL expects? */ 1253 if (en->tls_vminor == TLS_MINOR_VER_THREE) 1254 ATF_REQUIRE(tgr->tls_vminor == TLS_MINOR_VER_TWO); 1255 else 1256 ATF_REQUIRE(tgr->tls_vminor == en->tls_vminor); 1257 ATF_REQUIRE(tgr->tls_length == htons(rv)); 1258 1259 return (rv); 1260 } 1261 1262 static void 1263 test_ktls_receive_app_data(const atf_tc_t *tc, struct tls_enable *en, 1264 uint64_t seqno, size_t len, size_t padding) 1265 { 1266 struct kevent ev; 1267 char *plaintext, *received, *outbuf; 1268 size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written; 1269 ssize_t rv; 1270 int kq, sockets[2]; 1271 1272 plaintext = alloc_buffer(len); 1273 received = malloc(len); 1274 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1275 tls_trailer_len(en); 1276 outbuf = malloc(outbuf_cap); 1277 1278 ATF_REQUIRE((kq = kqueue()) != -1); 1279 1280 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1281 1282 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1283 sizeof(*en)) == 0); 1284 1285 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1286 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1287 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1288 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1289 1290 received_len = 0; 1291 outbuf_len = 0; 1292 written = 0; 1293 1294 while (received_len != len) { 1295 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1296 1297 switch (ev.filter) { 1298 case EVFILT_WRITE: 1299 /* 1300 * Compose the next TLS record to send. 1301 */ 1302 if (outbuf_len == 0) { 1303 ATF_REQUIRE(written < len); 1304 todo = len - written; 1305 if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding) 1306 todo = TLS_MAX_MSG_SIZE_V10_2 - padding; 1307 outbuf_len = encrypt_tls_record(en, 1308 TLS_RLTYPE_APP, seqno, plaintext + written, 1309 todo, outbuf, outbuf_cap, padding); 1310 outbuf_sent = 0; 1311 written += todo; 1312 seqno++; 1313 } 1314 1315 /* 1316 * Try to write the remainder of the current 1317 * TLS record. 1318 */ 1319 rv = write(ev.ident, outbuf + outbuf_sent, 1320 outbuf_len - outbuf_sent); 1321 ATF_REQUIRE_MSG(rv > 0, 1322 "failed to write to socket"); 1323 outbuf_sent += rv; 1324 if (outbuf_sent == outbuf_len) { 1325 outbuf_len = 0; 1326 if (written == len) { 1327 ev.flags = EV_DISABLE; 1328 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1329 NULL) == 0); 1330 } 1331 } 1332 break; 1333 1334 case EVFILT_READ: 1335 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1336 1337 rv = ktls_receive_tls_record(en, ev.ident, 1338 TLS_RLTYPE_APP, received + received_len, 1339 len - received_len); 1340 received_len += rv; 1341 break; 1342 } 1343 } 1344 1345 ATF_REQUIRE_MSG(written == received_len, 1346 "read %zu decrypted bytes, but wrote %zu", received_len, written); 1347 1348 ATF_REQUIRE(memcmp(plaintext, received, len) == 0); 1349 1350 free(outbuf); 1351 free(received); 1352 free(plaintext); 1353 1354 close_sockets(sockets); 1355 ATF_REQUIRE(close(kq) == 0); 1356 } 1357 1358 #define TLS_10_TESTS(M) \ 1359 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1360 CRYPTO_SHA1_HMAC) \ 1361 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1362 CRYPTO_SHA1_HMAC) 1363 1364 #define TLS_13_TESTS(M) \ 1365 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1366 TLS_MINOR_VER_THREE) \ 1367 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1368 TLS_MINOR_VER_THREE) \ 1369 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1370 TLS_MINOR_VER_THREE) 1371 1372 #define AES_CBC_TESTS(M) \ 1373 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1374 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1375 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1376 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1377 M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1378 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1379 M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1380 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1381 M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1382 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1383 M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1384 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1385 M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1386 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1387 M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \ 1388 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1389 M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1390 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1391 M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \ 1392 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1393 1394 #define AES_GCM_TESTS(M) \ 1395 M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1396 TLS_MINOR_VER_TWO) \ 1397 M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1398 TLS_MINOR_VER_TWO) \ 1399 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1400 TLS_MINOR_VER_THREE) \ 1401 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1402 TLS_MINOR_VER_THREE) 1403 1404 #define CHACHA20_TESTS(M) \ 1405 M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1406 TLS_MINOR_VER_TWO) \ 1407 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1408 TLS_MINOR_VER_THREE) 1409 1410 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1411 auth_alg, minor, name, len) \ 1412 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1413 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1414 { \ 1415 struct tls_enable en; \ 1416 uint64_t seqno; \ 1417 \ 1418 ATF_REQUIRE_KTLS(); \ 1419 seqno = random(); \ 1420 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1421 &en); \ 1422 test_ktls_transmit_app_data(tc, &en, seqno, len); \ 1423 free_tls_enable(&en); \ 1424 } 1425 1426 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1427 auth_alg, minor, name) \ 1428 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1429 1430 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1431 auth_alg, minor, name, type, len) \ 1432 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1433 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1434 { \ 1435 struct tls_enable en; \ 1436 uint64_t seqno; \ 1437 \ 1438 ATF_REQUIRE_KTLS(); \ 1439 seqno = random(); \ 1440 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1441 &en); \ 1442 test_ktls_transmit_control(tc, &en, seqno, type, len); \ 1443 free_tls_enable(&en); \ 1444 } 1445 1446 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1447 auth_alg, minor, name) \ 1448 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1449 1450 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1451 key_size, auth_alg, minor) \ 1452 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ 1453 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ 1454 { \ 1455 struct tls_enable en; \ 1456 uint64_t seqno; \ 1457 \ 1458 ATF_REQUIRE_KTLS(); \ 1459 seqno = random(); \ 1460 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1461 &en); \ 1462 test_ktls_transmit_empty_fragment(tc, &en, seqno); \ 1463 free_tls_enable(&en); \ 1464 } 1465 1466 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1467 key_size, auth_alg, minor) \ 1468 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); 1469 1470 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1471 minor) \ 1472 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1473 auth_alg, minor, short, 64) \ 1474 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1475 auth_alg, minor, long, 64 * 1024) \ 1476 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1477 auth_alg, minor, control, 0x21 /* Alert */, 32) 1478 1479 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1480 minor) \ 1481 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1482 auth_alg, minor, short) \ 1483 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1484 auth_alg, minor, long) \ 1485 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1486 auth_alg, minor, control) 1487 1488 /* 1489 * For each supported cipher suite, run three transmit tests: 1490 * 1491 * - a short test which sends 64 bytes of application data (likely as 1492 * a single TLS record) 1493 * 1494 * - a long test which sends 64KB of application data (split across 1495 * multiple TLS records) 1496 * 1497 * - a control test which sends a single record with a specific 1498 * content type via sendmsg() 1499 */ 1500 AES_CBC_TESTS(GEN_TRANSMIT_TESTS); 1501 AES_GCM_TESTS(GEN_TRANSMIT_TESTS); 1502 CHACHA20_TESTS(GEN_TRANSMIT_TESTS); 1503 1504 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1505 auth_alg, minor) \ 1506 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1507 auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \ 1508 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1509 auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \ 1510 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1511 auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \ 1512 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1513 auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \ 1514 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1515 auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \ 1516 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1517 auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \ 1518 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1519 auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \ 1520 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1521 auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \ 1522 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1523 auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \ 1524 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1525 auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \ 1526 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1527 auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \ 1528 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1529 auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \ 1530 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1531 auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \ 1532 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1533 auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \ 1534 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1535 auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \ 1536 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1537 auth_alg, minor, padding_16, 0x21 /* Alert */, 16) 1538 1539 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1540 auth_alg, minor) \ 1541 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1542 auth_alg, minor, padding_1) \ 1543 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1544 auth_alg, minor, padding_2) \ 1545 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1546 auth_alg, minor, padding_3) \ 1547 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1548 auth_alg, minor, padding_4) \ 1549 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1550 auth_alg, minor, padding_5) \ 1551 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1552 auth_alg, minor, padding_6) \ 1553 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1554 auth_alg, minor, padding_7) \ 1555 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1556 auth_alg, minor, padding_8) \ 1557 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1558 auth_alg, minor, padding_9) \ 1559 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1560 auth_alg, minor, padding_10) \ 1561 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1562 auth_alg, minor, padding_11) \ 1563 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1564 auth_alg, minor, padding_12) \ 1565 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1566 auth_alg, minor, padding_13) \ 1567 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1568 auth_alg, minor, padding_14) \ 1569 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1570 auth_alg, minor, padding_15) \ 1571 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1572 auth_alg, minor, padding_16) 1573 1574 /* 1575 * For AES-CBC MTE cipher suites using padding, add tests of messages 1576 * with each possible padding size. Note that the padding_<N> tests 1577 * do not necessarily test <N> bytes of padding as the padding is a 1578 * function of the cipher suite's MAC length. However, cycling 1579 * through all of the payload sizes from 1 to 16 should exercise all 1580 * of the possible padding lengths for each suite. 1581 */ 1582 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); 1583 1584 /* 1585 * Test "empty fragments" which are TLS records with no payload that 1586 * OpenSSL can send for TLS 1.0 connections. 1587 */ 1588 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1589 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1590 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1591 1592 static void 1593 test_ktls_invalid_transmit_cipher_suite(const atf_tc_t *tc, 1594 struct tls_enable *en) 1595 { 1596 int sockets[2]; 1597 1598 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1599 1600 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1601 sizeof(*en)) == -1); 1602 ATF_REQUIRE(errno == EINVAL); 1603 1604 close_sockets(sockets); 1605 } 1606 1607 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1608 minor) \ 1609 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name); \ 1610 ATF_TC_BODY(ktls_transmit_invalid_##name, tc) \ 1611 { \ 1612 struct tls_enable en; \ 1613 uint64_t seqno; \ 1614 \ 1615 ATF_REQUIRE_KTLS(); \ 1616 seqno = random(); \ 1617 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1618 &en); \ 1619 test_ktls_invalid_transmit_cipher_suite(tc, &en); \ 1620 free_tls_enable(&en); \ 1621 } 1622 1623 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1624 minor) \ 1625 ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name); 1626 1627 #define INVALID_CIPHER_SUITES(M) \ 1628 M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1629 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO) \ 1630 M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1631 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO) \ 1632 M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1633 TLS_MINOR_VER_ZERO) \ 1634 M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1635 TLS_MINOR_VER_ZERO) \ 1636 M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1637 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE) \ 1638 M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1639 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE) \ 1640 M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1641 TLS_MINOR_VER_ONE) \ 1642 M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1643 TLS_MINOR_VER_ONE) \ 1644 M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1645 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE) \ 1646 M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1647 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE) \ 1648 M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1649 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE) 1650 1651 /* 1652 * Ensure that invalid cipher suites are rejected for transmit. 1653 */ 1654 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST); 1655 1656 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1657 auth_alg, minor, name, len, padding) \ 1658 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \ 1659 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \ 1660 { \ 1661 struct tls_enable en; \ 1662 uint64_t seqno; \ 1663 \ 1664 ATF_REQUIRE_KTLS(); \ 1665 seqno = random(); \ 1666 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1667 &en); \ 1668 test_ktls_receive_app_data(tc, &en, seqno, len, padding); \ 1669 free_tls_enable(&en); \ 1670 } 1671 1672 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1673 auth_alg, minor, name) \ 1674 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name); 1675 1676 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1677 minor) \ 1678 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1679 auth_alg, minor, short, 64, 0) \ 1680 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1681 auth_alg, minor, long, 64 * 1024, 0) 1682 1683 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1684 minor) \ 1685 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1686 auth_alg, minor, short) \ 1687 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1688 auth_alg, minor, long) 1689 1690 /* 1691 * For each supported cipher suite, run two receive tests: 1692 * 1693 * - a short test which sends 64 bytes of application data (likely as 1694 * a single TLS record) 1695 * 1696 * - a long test which sends 64KB of application data (split across 1697 * multiple TLS records) 1698 * 1699 * Note that receive is currently only supported for TLS 1.2 AEAD 1700 * cipher suites. 1701 */ 1702 AES_GCM_TESTS(GEN_RECEIVE_TESTS); 1703 CHACHA20_TESTS(GEN_RECEIVE_TESTS); 1704 1705 #define GEN_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1706 auth_alg, minor) \ 1707 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1708 auth_alg, minor, short_padded, 64, 16) \ 1709 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1710 auth_alg, minor, long_padded, 64 * 1024, 15) 1711 1712 #define ADD_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1713 auth_alg, minor) \ 1714 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1715 auth_alg, minor, short_padded) \ 1716 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1717 auth_alg, minor, long_padded) 1718 1719 /* 1720 * For TLS 1.3 cipher suites, run two additional receive tests which 1721 * use add padding to each record. 1722 */ 1723 TLS_13_TESTS(GEN_PADDING_RECEIVE_TESTS); 1724 1725 static void 1726 test_ktls_invalid_receive_cipher_suite(const atf_tc_t *tc, 1727 struct tls_enable *en) 1728 { 1729 int sockets[2]; 1730 1731 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1732 1733 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1734 sizeof(*en)) == -1); 1735 ATF_REQUIRE(errno == EINVAL); 1736 1737 close_sockets(sockets); 1738 } 1739 1740 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1741 minor) \ 1742 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name); \ 1743 ATF_TC_BODY(ktls_receive_invalid_##name, tc) \ 1744 { \ 1745 struct tls_enable en; \ 1746 uint64_t seqno; \ 1747 \ 1748 ATF_REQUIRE_KTLS(); \ 1749 seqno = random(); \ 1750 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1751 &en); \ 1752 test_ktls_invalid_receive_cipher_suite(tc, &en); \ 1753 free_tls_enable(&en); \ 1754 } 1755 1756 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1757 minor) \ 1758 ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name); 1759 1760 /* 1761 * Ensure that invalid cipher suites are rejected for receive. 1762 */ 1763 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST); 1764 1765 static void 1766 test_ktls_unsupported_receive_cipher_suite(const atf_tc_t *tc, 1767 struct tls_enable *en) 1768 { 1769 int sockets[2]; 1770 1771 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1772 1773 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1774 sizeof(*en)) == -1); 1775 ATF_REQUIRE(errno == EPROTONOSUPPORT); 1776 1777 close_sockets(sockets); 1778 } 1779 1780 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1781 auth_alg, minor) \ 1782 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name); \ 1783 ATF_TC_BODY(ktls_receive_unsupported_##name, tc) \ 1784 { \ 1785 struct tls_enable en; \ 1786 uint64_t seqno; \ 1787 \ 1788 ATF_REQUIRE_KTLS(); \ 1789 seqno = random(); \ 1790 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1791 &en); \ 1792 test_ktls_unsupported_receive_cipher_suite(tc, &en); \ 1793 free_tls_enable(&en); \ 1794 } 1795 1796 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1797 auth_alg, minor) \ 1798 ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name); 1799 1800 /* 1801 * Ensure that valid cipher suites not supported for receive are 1802 * rejected. 1803 */ 1804 AES_CBC_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST); 1805 1806 /* 1807 * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise 1808 * KTLS error handling in the socket layer. 1809 */ 1810 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst); 1811 ATF_TC_BODY(ktls_sendto_baddst, tc) 1812 { 1813 char buf[32]; 1814 struct sockaddr_in dst; 1815 struct tls_enable en; 1816 ssize_t n; 1817 int s; 1818 1819 ATF_REQUIRE_KTLS(); 1820 1821 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 1822 ATF_REQUIRE(s >= 0); 1823 1824 build_tls_enable(CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, 1825 TLS_MINOR_VER_THREE, (uint64_t)random(), &en); 1826 1827 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, 1828 sizeof(en)) == 0); 1829 1830 memset(&dst, 0, sizeof(dst)); 1831 dst.sin_family = AF_INET; 1832 dst.sin_len = sizeof(dst); 1833 dst.sin_addr.s_addr = htonl(INADDR_BROADCAST); 1834 dst.sin_port = htons(12345); 1835 1836 memset(buf, 0, sizeof(buf)); 1837 n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst, 1838 sizeof(dst)); 1839 1840 /* Can't transmit to the broadcast address over TCP. */ 1841 ATF_REQUIRE_ERRNO(EACCES, n == -1); 1842 ATF_REQUIRE(close(s) == 0); 1843 } 1844 1845 ATF_TP_ADD_TCS(tp) 1846 { 1847 /* Transmit tests */ 1848 AES_CBC_TESTS(ADD_TRANSMIT_TESTS); 1849 AES_GCM_TESTS(ADD_TRANSMIT_TESTS); 1850 CHACHA20_TESTS(ADD_TRANSMIT_TESTS); 1851 AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); 1852 AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1853 AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1854 CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1855 INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST); 1856 1857 /* Receive tests */ 1858 AES_CBC_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST); 1859 AES_GCM_TESTS(ADD_RECEIVE_TESTS); 1860 CHACHA20_TESTS(ADD_RECEIVE_TESTS); 1861 TLS_13_TESTS(ADD_PADDING_RECEIVE_TESTS); 1862 INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST); 1863 1864 /* Miscellaneous */ 1865 ATF_TP_ADD_TC(tp, ktls_sendto_baddst); 1866 1867 return (atf_no_error()); 1868 } 1869