1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Netflix Inc. 5 * Written by: John Baldwin <jhb@FreeBSD.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/endian.h> 31 #include <sys/event.h> 32 #include <sys/ktls.h> 33 #include <sys/socket.h> 34 #include <sys/sysctl.h> 35 #include <netinet/in.h> 36 #include <netinet/tcp.h> 37 #include <crypto/cryptodev.h> 38 #include <assert.h> 39 #include <err.h> 40 #include <fcntl.h> 41 #include <poll.h> 42 #include <stdbool.h> 43 #include <stdlib.h> 44 #include <atf-c.h> 45 46 #include <openssl/err.h> 47 #include <openssl/evp.h> 48 #include <openssl/hmac.h> 49 50 static void 51 require_ktls(void) 52 { 53 size_t len; 54 bool enable; 55 56 len = sizeof(enable); 57 if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) { 58 if (errno == ENOENT) 59 atf_tc_skip("kernel does not support TLS offload"); 60 atf_libc_error(errno, "Failed to read kern.ipc.tls.enable"); 61 } 62 63 if (!enable) 64 atf_tc_skip("Kernel TLS is disabled"); 65 } 66 67 #define ATF_REQUIRE_KTLS() require_ktls() 68 69 static char 70 rdigit(void) 71 { 72 /* ASCII printable values between 0x20 and 0x7e */ 73 return (0x20 + random() % (0x7f - 0x20)); 74 } 75 76 static char * 77 alloc_buffer(size_t len) 78 { 79 char *buf; 80 size_t i; 81 82 if (len == 0) 83 return (NULL); 84 buf = malloc(len); 85 for (i = 0; i < len; i++) 86 buf[i] = rdigit(); 87 return (buf); 88 } 89 90 static bool 91 socketpair_tcp(int sv[2]) 92 { 93 struct pollfd pfd; 94 struct sockaddr_in sin; 95 socklen_t len; 96 int as, cs, ls; 97 98 ls = socket(PF_INET, SOCK_STREAM, 0); 99 if (ls == -1) { 100 warn("socket() for listen"); 101 return (false); 102 } 103 104 memset(&sin, 0, sizeof(sin)); 105 sin.sin_len = sizeof(sin); 106 sin.sin_family = AF_INET; 107 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 108 if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 109 warn("bind"); 110 close(ls); 111 return (false); 112 } 113 114 if (listen(ls, 1) == -1) { 115 warn("listen"); 116 close(ls); 117 return (false); 118 } 119 120 len = sizeof(sin); 121 if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) { 122 warn("getsockname"); 123 close(ls); 124 return (false); 125 } 126 127 cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); 128 if (cs == -1) { 129 warn("socket() for connect"); 130 close(ls); 131 return (false); 132 } 133 134 if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 135 if (errno != EINPROGRESS) { 136 warn("connect"); 137 close(ls); 138 close(cs); 139 return (false); 140 } 141 } 142 143 as = accept4(ls, NULL, NULL, SOCK_NONBLOCK); 144 if (as == -1) { 145 warn("accept4"); 146 close(ls); 147 close(cs); 148 return (false); 149 } 150 151 close(ls); 152 153 pfd.fd = cs; 154 pfd.events = POLLOUT; 155 pfd.revents = 0; 156 ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1); 157 ATF_REQUIRE(pfd.revents == POLLOUT); 158 159 sv[0] = cs; 160 sv[1] = as; 161 return (true); 162 } 163 164 static void 165 close_sockets(int sv[2]) 166 { 167 ATF_REQUIRE(close(sv[1]) == 0); 168 ATF_REQUIRE(close(sv[0]) == 0); 169 } 170 171 static void 172 fd_set_blocking(int fd) 173 { 174 int flags; 175 176 ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1); 177 flags &= ~O_NONBLOCK; 178 ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1); 179 } 180 181 static bool 182 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 183 const char *input, char *output, size_t size) 184 { 185 EVP_CIPHER_CTX *ctx; 186 int outl, total; 187 188 ctx = EVP_CIPHER_CTX_new(); 189 if (ctx == NULL) { 190 warnx("EVP_CIPHER_CTX_new failed: %s", 191 ERR_error_string(ERR_get_error(), NULL)); 192 return (false); 193 } 194 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key, 195 (const u_char *)iv, 0) != 1) { 196 warnx("EVP_CipherInit_ex failed: %s", 197 ERR_error_string(ERR_get_error(), NULL)); 198 EVP_CIPHER_CTX_free(ctx); 199 return (false); 200 } 201 EVP_CIPHER_CTX_set_padding(ctx, 0); 202 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl, 203 (const u_char *)input, size) != 1) { 204 warnx("EVP_CipherUpdate failed: %s", 205 ERR_error_string(ERR_get_error(), NULL)); 206 EVP_CIPHER_CTX_free(ctx); 207 return (false); 208 } 209 total = outl; 210 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 211 warnx("EVP_CipherFinal_ex failed: %s", 212 ERR_error_string(ERR_get_error(), NULL)); 213 EVP_CIPHER_CTX_free(ctx); 214 return (false); 215 } 216 total += outl; 217 if ((size_t)total != size) { 218 warnx("decrypt size mismatch: %zu vs %d", size, total); 219 EVP_CIPHER_CTX_free(ctx); 220 return (false); 221 } 222 EVP_CIPHER_CTX_free(ctx); 223 return (true); 224 } 225 226 static bool 227 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 228 size_t aad_len, const void *buffer, size_t len, const void *digest) 229 { 230 HMAC_CTX *ctx; 231 unsigned char digest2[EVP_MAX_MD_SIZE]; 232 u_int digest_len; 233 234 ctx = HMAC_CTX_new(); 235 if (ctx == NULL) { 236 warnx("HMAC_CTX_new failed: %s", 237 ERR_error_string(ERR_get_error(), NULL)); 238 return (false); 239 } 240 if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) { 241 warnx("HMAC_Init_ex failed: %s", 242 ERR_error_string(ERR_get_error(), NULL)); 243 HMAC_CTX_free(ctx); 244 return (false); 245 } 246 if (HMAC_Update(ctx, aad, aad_len) != 1) { 247 warnx("HMAC_Update (aad) failed: %s", 248 ERR_error_string(ERR_get_error(), NULL)); 249 HMAC_CTX_free(ctx); 250 return (false); 251 } 252 if (HMAC_Update(ctx, buffer, len) != 1) { 253 warnx("HMAC_Update (payload) failed: %s", 254 ERR_error_string(ERR_get_error(), NULL)); 255 HMAC_CTX_free(ctx); 256 return (false); 257 } 258 if (HMAC_Final(ctx, digest2, &digest_len) != 1) { 259 warnx("HMAC_Final failed: %s", 260 ERR_error_string(ERR_get_error(), NULL)); 261 HMAC_CTX_free(ctx); 262 return (false); 263 } 264 HMAC_CTX_free(ctx); 265 if (memcmp(digest, digest2, digest_len) != 0) { 266 warnx("HMAC mismatch"); 267 return (false); 268 } 269 return (true); 270 } 271 272 static bool 273 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 274 const void *aad, size_t aad_len, const char *input, char *output, 275 size_t size, char *tag, size_t tag_len) 276 { 277 EVP_CIPHER_CTX *ctx; 278 int outl, total; 279 280 ctx = EVP_CIPHER_CTX_new(); 281 if (ctx == NULL) { 282 warnx("EVP_CIPHER_CTX_new failed: %s", 283 ERR_error_string(ERR_get_error(), NULL)); 284 return (false); 285 } 286 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 287 (const u_char *)nonce) != 1) { 288 warnx("EVP_EncryptInit_ex failed: %s", 289 ERR_error_string(ERR_get_error(), NULL)); 290 EVP_CIPHER_CTX_free(ctx); 291 return (false); 292 } 293 EVP_CIPHER_CTX_set_padding(ctx, 0); 294 if (aad != NULL) { 295 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 296 aad_len) != 1) { 297 warnx("EVP_EncryptUpdate for AAD failed: %s", 298 ERR_error_string(ERR_get_error(), NULL)); 299 EVP_CIPHER_CTX_free(ctx); 300 return (false); 301 } 302 } 303 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl, 304 (const u_char *)input, size) != 1) { 305 warnx("EVP_EncryptUpdate failed: %s", 306 ERR_error_string(ERR_get_error(), NULL)); 307 EVP_CIPHER_CTX_free(ctx); 308 return (false); 309 } 310 total = outl; 311 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 312 warnx("EVP_EncryptFinal_ex failed: %s", 313 ERR_error_string(ERR_get_error(), NULL)); 314 EVP_CIPHER_CTX_free(ctx); 315 return (false); 316 } 317 total += outl; 318 if ((size_t)total != size) { 319 warnx("encrypt size mismatch: %zu vs %d", size, total); 320 EVP_CIPHER_CTX_free(ctx); 321 return (false); 322 } 323 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) != 324 1) { 325 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s", 326 ERR_error_string(ERR_get_error(), NULL)); 327 EVP_CIPHER_CTX_free(ctx); 328 return (false); 329 } 330 EVP_CIPHER_CTX_free(ctx); 331 return (true); 332 } 333 334 static bool 335 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 336 const void *aad, size_t aad_len, const char *input, char *output, 337 size_t size, const char *tag, size_t tag_len) 338 { 339 EVP_CIPHER_CTX *ctx; 340 int outl, total; 341 bool valid; 342 343 ctx = EVP_CIPHER_CTX_new(); 344 if (ctx == NULL) { 345 warnx("EVP_CIPHER_CTX_new failed: %s", 346 ERR_error_string(ERR_get_error(), NULL)); 347 return (false); 348 } 349 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 350 (const u_char *)nonce) != 1) { 351 warnx("EVP_DecryptInit_ex failed: %s", 352 ERR_error_string(ERR_get_error(), NULL)); 353 EVP_CIPHER_CTX_free(ctx); 354 return (false); 355 } 356 EVP_CIPHER_CTX_set_padding(ctx, 0); 357 if (aad != NULL) { 358 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 359 aad_len) != 1) { 360 warnx("EVP_DecryptUpdate for AAD failed: %s", 361 ERR_error_string(ERR_get_error(), NULL)); 362 EVP_CIPHER_CTX_free(ctx); 363 return (false); 364 } 365 } 366 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl, 367 (const u_char *)input, size) != 1) { 368 warnx("EVP_DecryptUpdate failed: %s", 369 ERR_error_string(ERR_get_error(), NULL)); 370 EVP_CIPHER_CTX_free(ctx); 371 return (false); 372 } 373 total = outl; 374 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, 375 __DECONST(char *, tag)) != 1) { 376 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s", 377 ERR_error_string(ERR_get_error(), NULL)); 378 EVP_CIPHER_CTX_free(ctx); 379 return (false); 380 } 381 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1); 382 total += outl; 383 if ((size_t)total != size) { 384 warnx("decrypt size mismatch: %zu vs %d", size, total); 385 EVP_CIPHER_CTX_free(ctx); 386 return (false); 387 } 388 if (!valid) 389 warnx("tag mismatch"); 390 EVP_CIPHER_CTX_free(ctx); 391 return (valid); 392 } 393 394 static void 395 build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg, 396 int minor, uint64_t seqno, struct tls_enable *en) 397 { 398 u_int auth_key_len, iv_len; 399 400 memset(en, 0, sizeof(*en)); 401 402 switch (cipher_alg) { 403 case CRYPTO_AES_CBC: 404 if (minor == TLS_MINOR_VER_ZERO) 405 iv_len = AES_BLOCK_LEN; 406 else 407 iv_len = 0; 408 break; 409 case CRYPTO_AES_NIST_GCM_16: 410 if (minor == TLS_MINOR_VER_TWO) 411 iv_len = TLS_AEAD_GCM_LEN; 412 else 413 iv_len = TLS_1_3_GCM_IV_LEN; 414 break; 415 case CRYPTO_CHACHA20_POLY1305: 416 iv_len = TLS_CHACHA20_IV_LEN; 417 break; 418 default: 419 iv_len = 0; 420 break; 421 } 422 switch (auth_alg) { 423 case CRYPTO_SHA1_HMAC: 424 auth_key_len = SHA1_HASH_LEN; 425 break; 426 case CRYPTO_SHA2_256_HMAC: 427 auth_key_len = SHA2_256_HASH_LEN; 428 break; 429 case CRYPTO_SHA2_384_HMAC: 430 auth_key_len = SHA2_384_HASH_LEN; 431 break; 432 default: 433 auth_key_len = 0; 434 break; 435 } 436 en->cipher_key = alloc_buffer(cipher_key_len); 437 en->iv = alloc_buffer(iv_len); 438 en->auth_key = alloc_buffer(auth_key_len); 439 en->cipher_algorithm = cipher_alg; 440 en->cipher_key_len = cipher_key_len; 441 en->iv_len = iv_len; 442 en->auth_algorithm = auth_alg; 443 en->auth_key_len = auth_key_len; 444 en->tls_vmajor = TLS_MAJOR_VER_ONE; 445 en->tls_vminor = minor; 446 be64enc(en->rec_seq, seqno); 447 } 448 449 static void 450 free_tls_enable(struct tls_enable *en) 451 { 452 free(__DECONST(void *, en->cipher_key)); 453 free(__DECONST(void *, en->iv)); 454 free(__DECONST(void *, en->auth_key)); 455 } 456 457 static const EVP_CIPHER * 458 tls_EVP_CIPHER(const struct tls_enable *en) 459 { 460 switch (en->cipher_algorithm) { 461 case CRYPTO_AES_CBC: 462 switch (en->cipher_key_len) { 463 case 128 / 8: 464 return (EVP_aes_128_cbc()); 465 case 256 / 8: 466 return (EVP_aes_256_cbc()); 467 default: 468 return (NULL); 469 } 470 break; 471 case CRYPTO_AES_NIST_GCM_16: 472 switch (en->cipher_key_len) { 473 case 128 / 8: 474 return (EVP_aes_128_gcm()); 475 case 256 / 8: 476 return (EVP_aes_256_gcm()); 477 default: 478 return (NULL); 479 } 480 break; 481 case CRYPTO_CHACHA20_POLY1305: 482 return (EVP_chacha20_poly1305()); 483 default: 484 return (NULL); 485 } 486 } 487 488 static const EVP_MD * 489 tls_EVP_MD(const struct tls_enable *en) 490 { 491 switch (en->auth_algorithm) { 492 case CRYPTO_SHA1_HMAC: 493 return (EVP_sha1()); 494 case CRYPTO_SHA2_256_HMAC: 495 return (EVP_sha256()); 496 case CRYPTO_SHA2_384_HMAC: 497 return (EVP_sha384()); 498 default: 499 return (NULL); 500 } 501 } 502 503 static size_t 504 tls_header_len(struct tls_enable *en) 505 { 506 size_t len; 507 508 len = sizeof(struct tls_record_layer); 509 switch (en->cipher_algorithm) { 510 case CRYPTO_AES_CBC: 511 if (en->tls_vminor != TLS_MINOR_VER_ZERO) 512 len += AES_BLOCK_LEN; 513 return (len); 514 case CRYPTO_AES_NIST_GCM_16: 515 if (en->tls_vminor == TLS_MINOR_VER_TWO) 516 len += sizeof(uint64_t); 517 return (len); 518 case CRYPTO_CHACHA20_POLY1305: 519 return (len); 520 default: 521 return (0); 522 } 523 } 524 525 static size_t 526 tls_mac_len(struct tls_enable *en) 527 { 528 switch (en->cipher_algorithm) { 529 case CRYPTO_AES_CBC: 530 switch (en->auth_algorithm) { 531 case CRYPTO_SHA1_HMAC: 532 return (SHA1_HASH_LEN); 533 case CRYPTO_SHA2_256_HMAC: 534 return (SHA2_256_HASH_LEN); 535 case CRYPTO_SHA2_384_HMAC: 536 return (SHA2_384_HASH_LEN); 537 default: 538 return (0); 539 } 540 case CRYPTO_AES_NIST_GCM_16: 541 return (AES_GMAC_HASH_LEN); 542 case CRYPTO_CHACHA20_POLY1305: 543 return (POLY1305_HASH_LEN); 544 default: 545 return (0); 546 } 547 } 548 549 /* Includes maximum padding for MTE. */ 550 static size_t 551 tls_trailer_len(struct tls_enable *en) 552 { 553 size_t len; 554 555 len = tls_mac_len(en); 556 if (en->cipher_algorithm == CRYPTO_AES_CBC) 557 len += AES_BLOCK_LEN; 558 if (en->tls_vminor == TLS_MINOR_VER_THREE) 559 len++; 560 return (len); 561 } 562 563 /* 'len' is the length of the payload application data. */ 564 static void 565 tls_mte_aad(struct tls_enable *en, size_t len, 566 const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad) 567 { 568 ad->seq = htobe64(seqno); 569 ad->type = hdr->tls_type; 570 ad->tls_vmajor = hdr->tls_vmajor; 571 ad->tls_vminor = hdr->tls_vminor; 572 ad->tls_length = htons(len); 573 } 574 575 static void 576 tls_12_aead_aad(struct tls_enable *en, size_t len, 577 const struct tls_record_layer *hdr, uint64_t seqno, 578 struct tls_aead_data *ad) 579 { 580 ad->seq = htobe64(seqno); 581 ad->type = hdr->tls_type; 582 ad->tls_vmajor = hdr->tls_vmajor; 583 ad->tls_vminor = hdr->tls_vminor; 584 ad->tls_length = htons(len); 585 } 586 587 static void 588 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr, 589 uint64_t seqno, struct tls_aead_data_13 *ad) 590 { 591 ad->type = hdr->tls_type; 592 ad->tls_vmajor = hdr->tls_vmajor; 593 ad->tls_vminor = hdr->tls_vminor; 594 ad->tls_length = hdr->tls_length; 595 } 596 597 static void 598 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr, 599 char *nonce) 600 { 601 memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN); 602 memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 603 } 604 605 static void 606 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce) 607 { 608 static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN, 609 "TLS 1.3 nonce length mismatch"); 610 memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN); 611 *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 612 } 613 614 /* 615 * Decrypt a TLS record 'len' bytes long at 'src' and store the result at 616 * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't 617 * have sufficient room ('avail'), fail the test. 618 */ 619 static size_t 620 decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src, 621 size_t len, void *dst, size_t avail, uint8_t *record_type) 622 { 623 const struct tls_record_layer *hdr; 624 struct tls_mac_data aad; 625 const char *iv; 626 char *buf; 627 size_t hdr_len, mac_len, payload_len; 628 int padding; 629 630 hdr = src; 631 hdr_len = tls_header_len(en); 632 mac_len = tls_mac_len(en); 633 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 634 ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor); 635 636 /* First, decrypt the outer payload into a temporary buffer. */ 637 payload_len = len - hdr_len; 638 buf = malloc(payload_len); 639 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 640 iv = en->iv; 641 else 642 iv = (void *)(hdr + 1); 643 ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 644 (const u_char *)src + hdr_len, buf, payload_len)); 645 646 /* 647 * Copy the last encrypted block to use as the IV for the next 648 * record for TLS 1.0. 649 */ 650 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 651 memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src + 652 (len - AES_BLOCK_LEN), AES_BLOCK_LEN); 653 654 /* 655 * Verify trailing padding and strip. 656 * 657 * The kernel always generates the smallest amount of padding. 658 */ 659 padding = buf[payload_len - 1] + 1; 660 ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN); 661 ATF_REQUIRE(payload_len >= mac_len + padding); 662 payload_len -= padding; 663 664 /* Verify HMAC. */ 665 payload_len -= mac_len; 666 tls_mte_aad(en, payload_len, hdr, seqno, &aad); 667 ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 668 &aad, sizeof(aad), buf, payload_len, buf + payload_len)); 669 670 ATF_REQUIRE(payload_len <= avail); 671 memcpy(dst, buf, payload_len); 672 *record_type = hdr->tls_type; 673 return (payload_len); 674 } 675 676 static size_t 677 decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src, 678 size_t len, void *dst, uint8_t *record_type) 679 { 680 const struct tls_record_layer *hdr; 681 struct tls_aead_data aad; 682 char nonce[12]; 683 size_t hdr_len, mac_len, payload_len; 684 685 hdr = src; 686 687 hdr_len = tls_header_len(en); 688 mac_len = tls_mac_len(en); 689 payload_len = len - (hdr_len + mac_len); 690 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 691 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 692 693 tls_12_aead_aad(en, payload_len, hdr, seqno, &aad); 694 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 695 tls_12_gcm_nonce(en, hdr, nonce); 696 else 697 tls_13_nonce(en, seqno, nonce); 698 699 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 700 &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len, 701 (const char *)src + hdr_len + payload_len, mac_len)); 702 703 *record_type = hdr->tls_type; 704 return (payload_len); 705 } 706 707 static size_t 708 decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src, 709 size_t len, void *dst, uint8_t *record_type) 710 { 711 const struct tls_record_layer *hdr; 712 struct tls_aead_data_13 aad; 713 char nonce[12]; 714 char *buf; 715 size_t hdr_len, mac_len, payload_len; 716 717 hdr = src; 718 719 hdr_len = tls_header_len(en); 720 mac_len = tls_mac_len(en); 721 payload_len = len - (hdr_len + mac_len); 722 ATF_REQUIRE(payload_len >= 1); 723 ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP); 724 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 725 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 726 727 tls_13_aad(en, hdr, seqno, &aad); 728 tls_13_nonce(en, seqno, nonce); 729 730 /* 731 * Have to use a temporary buffer for the output due to the 732 * record type as the last byte of the trailer. 733 */ 734 buf = malloc(payload_len); 735 736 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 737 &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len, 738 (const char *)src + hdr_len + payload_len, mac_len)); 739 740 /* Trim record type. */ 741 *record_type = buf[payload_len - 1]; 742 payload_len--; 743 744 memcpy(dst, buf, payload_len); 745 free(buf); 746 747 return (payload_len); 748 } 749 750 static size_t 751 decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src, 752 size_t len, void *dst, size_t avail, uint8_t *record_type) 753 { 754 const struct tls_record_layer *hdr; 755 size_t payload_len; 756 757 hdr = src; 758 ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len); 759 760 payload_len = len - (tls_header_len(en) + tls_trailer_len(en)); 761 ATF_REQUIRE(payload_len <= avail); 762 763 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 764 ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst, 765 record_type) == payload_len); 766 } else { 767 ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst, 768 record_type) == payload_len); 769 } 770 771 return (payload_len); 772 } 773 774 static size_t 775 decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src, 776 size_t len, void *dst, size_t avail, uint8_t *record_type) 777 { 778 if (en->cipher_algorithm == CRYPTO_AES_CBC) 779 return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail, 780 record_type)); 781 else 782 return (decrypt_tls_aead(en, seqno, src, len, dst, avail, 783 record_type)); 784 } 785 786 /* 787 * Encrypt a TLS record of type 'record_type' with payload 'len' bytes 788 * long at 'src' and store the result at 'dst'. If 'dst' doesn't have 789 * sufficient room ('avail'), fail the test. 790 */ 791 static size_t 792 encrypt_tls_12_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 793 const void *src, size_t len, void *dst) 794 { 795 struct tls_record_layer *hdr; 796 struct tls_aead_data aad; 797 char nonce[12]; 798 size_t hdr_len, mac_len, record_len; 799 800 hdr = dst; 801 802 hdr_len = tls_header_len(en); 803 mac_len = tls_mac_len(en); 804 record_len = hdr_len + len + mac_len; 805 806 hdr->tls_type = record_type; 807 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 808 hdr->tls_vminor = TLS_MINOR_VER_TWO; 809 hdr->tls_length = htons(record_len - sizeof(*hdr)); 810 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 811 memcpy(hdr + 1, &seqno, sizeof(seqno)); 812 813 tls_12_aead_aad(en, len, hdr, seqno, &aad); 814 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 815 tls_12_gcm_nonce(en, hdr, nonce); 816 else 817 tls_13_nonce(en, seqno, nonce); 818 819 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 820 &aad, sizeof(aad), src, (char *)dst + hdr_len, len, 821 (char *)dst + hdr_len + len, mac_len)); 822 823 return (record_len); 824 } 825 826 static size_t 827 encrypt_tls_13_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 828 const void *src, size_t len, void *dst, size_t padding) 829 { 830 struct tls_record_layer *hdr; 831 struct tls_aead_data_13 aad; 832 char nonce[12]; 833 char *buf; 834 size_t hdr_len, mac_len, record_len; 835 836 hdr = dst; 837 838 hdr_len = tls_header_len(en); 839 mac_len = tls_mac_len(en); 840 record_len = hdr_len + len + 1 + padding + mac_len; 841 842 hdr->tls_type = TLS_RLTYPE_APP; 843 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 844 hdr->tls_vminor = TLS_MINOR_VER_TWO; 845 hdr->tls_length = htons(record_len - sizeof(*hdr)); 846 847 tls_13_aad(en, hdr, seqno, &aad); 848 tls_13_nonce(en, seqno, nonce); 849 850 /* 851 * Have to use a temporary buffer for the input so that the record 852 * type can be appended. 853 */ 854 buf = malloc(len + 1 + padding); 855 memcpy(buf, src, len); 856 buf[len] = record_type; 857 memset(buf + len + 1, 0, padding); 858 859 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 860 &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding, 861 (char *)dst + hdr_len + len + 1 + padding, mac_len)); 862 863 free(buf); 864 865 return (record_len); 866 } 867 868 static size_t 869 encrypt_tls_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 870 const void *src, size_t len, void *dst, size_t avail, size_t padding) 871 { 872 size_t record_len; 873 874 record_len = tls_header_len(en) + len + padding + tls_trailer_len(en); 875 ATF_REQUIRE(record_len <= avail); 876 877 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 878 ATF_REQUIRE(padding == 0); 879 ATF_REQUIRE(encrypt_tls_12_aead(en, record_type, seqno, src, 880 len, dst) == record_len); 881 } else 882 ATF_REQUIRE(encrypt_tls_13_aead(en, record_type, seqno, src, 883 len, dst, padding) == record_len); 884 885 return (record_len); 886 } 887 888 static size_t 889 encrypt_tls_record(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 890 const void *src, size_t len, void *dst, size_t avail, size_t padding) 891 { 892 return (encrypt_tls_aead(en, record_type, seqno, src, len, dst, avail, 893 padding)); 894 } 895 896 static void 897 test_ktls_transmit_app_data(struct tls_enable *en, uint64_t seqno, size_t len) 898 { 899 struct kevent ev; 900 struct tls_record_layer *hdr; 901 char *plaintext, *decrypted, *outbuf; 902 size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written; 903 ssize_t rv; 904 int kq, sockets[2]; 905 uint8_t record_type; 906 907 plaintext = alloc_buffer(len); 908 decrypted = malloc(len); 909 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 910 tls_trailer_len(en); 911 outbuf = malloc(outbuf_cap); 912 hdr = (struct tls_record_layer *)outbuf; 913 914 ATF_REQUIRE((kq = kqueue()) != -1); 915 916 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 917 918 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 919 sizeof(*en)) == 0); 920 921 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 922 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 923 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 924 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 925 926 decrypted_len = 0; 927 outbuf_len = 0; 928 written = 0; 929 930 while (decrypted_len != len) { 931 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 932 933 switch (ev.filter) { 934 case EVFILT_WRITE: 935 /* Try to write any remaining data. */ 936 rv = write(ev.ident, plaintext + written, 937 len - written); 938 ATF_REQUIRE_MSG(rv > 0, 939 "failed to write to socket"); 940 written += rv; 941 if (written == len) { 942 ev.flags = EV_DISABLE; 943 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 944 NULL) == 0); 945 } 946 break; 947 948 case EVFILT_READ: 949 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 950 951 /* 952 * Try to read data for the next TLS record 953 * into outbuf. Start by reading the header 954 * to determine how much additional data to 955 * read. 956 */ 957 if (outbuf_len < sizeof(struct tls_record_layer)) { 958 rv = read(ev.ident, outbuf + outbuf_len, 959 sizeof(struct tls_record_layer) - 960 outbuf_len); 961 ATF_REQUIRE_MSG(rv > 0, 962 "failed to read from socket"); 963 outbuf_len += rv; 964 } 965 966 if (outbuf_len < sizeof(struct tls_record_layer)) 967 break; 968 969 record_len = sizeof(struct tls_record_layer) + 970 ntohs(hdr->tls_length); 971 ATF_REQUIRE(record_len <= outbuf_cap); 972 ATF_REQUIRE(record_len > outbuf_len); 973 rv = read(ev.ident, outbuf + outbuf_len, 974 record_len - outbuf_len); 975 if (rv == -1 && errno == EAGAIN) 976 break; 977 ATF_REQUIRE_MSG(rv > 0, "failed to read from socket"); 978 979 outbuf_len += rv; 980 if (outbuf_len == record_len) { 981 decrypted_len += decrypt_tls_record(en, seqno, 982 outbuf, outbuf_len, 983 decrypted + decrypted_len, 984 len - decrypted_len, &record_type); 985 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 986 987 seqno++; 988 outbuf_len = 0; 989 } 990 break; 991 } 992 } 993 994 ATF_REQUIRE_MSG(written == decrypted_len, 995 "read %zu decrypted bytes, but wrote %zu", decrypted_len, written); 996 997 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 998 999 free(outbuf); 1000 free(decrypted); 1001 free(plaintext); 1002 1003 close_sockets(sockets); 1004 ATF_REQUIRE(close(kq) == 0); 1005 } 1006 1007 static void 1008 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len) 1009 { 1010 struct msghdr msg; 1011 struct cmsghdr *cmsg; 1012 char cbuf[CMSG_SPACE(sizeof(type))]; 1013 struct iovec iov; 1014 1015 memset(&msg, 0, sizeof(msg)); 1016 1017 msg.msg_control = cbuf; 1018 msg.msg_controllen = sizeof(cbuf); 1019 cmsg = CMSG_FIRSTHDR(&msg); 1020 cmsg->cmsg_level = IPPROTO_TCP; 1021 cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 1022 cmsg->cmsg_len = CMSG_LEN(sizeof(type)); 1023 *(uint8_t *)CMSG_DATA(cmsg) = type; 1024 1025 iov.iov_base = data; 1026 iov.iov_len = len; 1027 msg.msg_iov = &iov; 1028 msg.msg_iovlen = 1; 1029 1030 ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len); 1031 } 1032 1033 static void 1034 test_ktls_transmit_control(struct tls_enable *en, uint64_t seqno, uint8_t type, 1035 size_t len) 1036 { 1037 struct tls_record_layer *hdr; 1038 char *plaintext, *decrypted, *outbuf; 1039 size_t outbuf_cap, payload_len, record_len; 1040 ssize_t rv; 1041 int sockets[2]; 1042 uint8_t record_type; 1043 1044 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1045 1046 plaintext = alloc_buffer(len); 1047 decrypted = malloc(len); 1048 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1049 outbuf = malloc(outbuf_cap); 1050 hdr = (struct tls_record_layer *)outbuf; 1051 1052 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1053 1054 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1055 sizeof(*en)) == 0); 1056 1057 fd_set_blocking(sockets[0]); 1058 fd_set_blocking(sockets[1]); 1059 1060 ktls_send_control_message(sockets[1], type, plaintext, len); 1061 1062 /* 1063 * First read the header to determine how much additional data 1064 * to read. 1065 */ 1066 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1067 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1068 payload_len = ntohs(hdr->tls_length); 1069 record_len = payload_len + sizeof(struct tls_record_layer); 1070 ATF_REQUIRE(record_len <= outbuf_cap); 1071 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1072 payload_len); 1073 ATF_REQUIRE(rv == (ssize_t)payload_len); 1074 1075 rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len, 1076 &record_type); 1077 1078 ATF_REQUIRE_MSG((ssize_t)len == rv, 1079 "read %zd decrypted bytes, but wrote %zu", rv, len); 1080 ATF_REQUIRE(record_type == type); 1081 1082 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1083 1084 free(outbuf); 1085 free(decrypted); 1086 free(plaintext); 1087 1088 close_sockets(sockets); 1089 } 1090 1091 static void 1092 test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno) 1093 { 1094 struct tls_record_layer *hdr; 1095 char *outbuf; 1096 size_t outbuf_cap, payload_len, record_len; 1097 ssize_t rv; 1098 int sockets[2]; 1099 uint8_t record_type; 1100 1101 outbuf_cap = tls_header_len(en) + tls_trailer_len(en); 1102 outbuf = malloc(outbuf_cap); 1103 hdr = (struct tls_record_layer *)outbuf; 1104 1105 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1106 1107 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1108 sizeof(*en)) == 0); 1109 1110 fd_set_blocking(sockets[0]); 1111 fd_set_blocking(sockets[1]); 1112 1113 /* 1114 * A write of zero bytes should send an empty fragment only for 1115 * TLS 1.0, otherwise an error should be raised. 1116 */ 1117 rv = write(sockets[1], NULL, 0); 1118 if (rv == 0) { 1119 ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); 1120 ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO); 1121 } else { 1122 ATF_REQUIRE(rv == -1); 1123 ATF_REQUIRE(errno == EINVAL); 1124 goto out; 1125 } 1126 1127 /* 1128 * First read the header to determine how much additional data 1129 * to read. 1130 */ 1131 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1132 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1133 payload_len = ntohs(hdr->tls_length); 1134 record_len = payload_len + sizeof(struct tls_record_layer); 1135 ATF_REQUIRE(record_len <= outbuf_cap); 1136 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1137 payload_len); 1138 ATF_REQUIRE(rv == (ssize_t)payload_len); 1139 1140 rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, 1141 &record_type); 1142 1143 ATF_REQUIRE_MSG(rv == 0, 1144 "read %zd decrypted bytes for an empty fragment", rv); 1145 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1146 1147 out: 1148 free(outbuf); 1149 1150 close_sockets(sockets); 1151 } 1152 1153 static size_t 1154 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type, 1155 void *data, size_t len) 1156 { 1157 struct msghdr msg; 1158 struct cmsghdr *cmsg; 1159 struct tls_get_record *tgr; 1160 char cbuf[CMSG_SPACE(sizeof(*tgr))]; 1161 struct iovec iov; 1162 ssize_t rv; 1163 1164 memset(&msg, 0, sizeof(msg)); 1165 1166 msg.msg_control = cbuf; 1167 msg.msg_controllen = sizeof(cbuf); 1168 1169 iov.iov_base = data; 1170 iov.iov_len = len; 1171 msg.msg_iov = &iov; 1172 msg.msg_iovlen = 1; 1173 1174 ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0); 1175 1176 ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR); 1177 1178 cmsg = CMSG_FIRSTHDR(&msg); 1179 ATF_REQUIRE(cmsg != NULL); 1180 ATF_REQUIRE(cmsg->cmsg_level == IPPROTO_TCP); 1181 ATF_REQUIRE(cmsg->cmsg_type == TLS_GET_RECORD); 1182 ATF_REQUIRE(cmsg->cmsg_len == CMSG_LEN(sizeof(*tgr))); 1183 1184 tgr = (struct tls_get_record *)CMSG_DATA(cmsg); 1185 ATF_REQUIRE(tgr->tls_type == record_type); 1186 ATF_REQUIRE(tgr->tls_vmajor == en->tls_vmajor); 1187 /* XXX: Not sure if this is what OpenSSL expects? */ 1188 if (en->tls_vminor == TLS_MINOR_VER_THREE) 1189 ATF_REQUIRE(tgr->tls_vminor == TLS_MINOR_VER_TWO); 1190 else 1191 ATF_REQUIRE(tgr->tls_vminor == en->tls_vminor); 1192 ATF_REQUIRE(tgr->tls_length == htons(rv)); 1193 1194 return (rv); 1195 } 1196 1197 static void 1198 test_ktls_receive_app_data(struct tls_enable *en, uint64_t seqno, size_t len, 1199 size_t padding) 1200 { 1201 struct kevent ev; 1202 char *plaintext, *received, *outbuf; 1203 size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written; 1204 ssize_t rv; 1205 int kq, sockets[2]; 1206 1207 plaintext = alloc_buffer(len); 1208 received = malloc(len); 1209 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1210 tls_trailer_len(en); 1211 outbuf = malloc(outbuf_cap); 1212 1213 ATF_REQUIRE((kq = kqueue()) != -1); 1214 1215 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1216 1217 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1218 sizeof(*en)) == 0); 1219 1220 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1221 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1222 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1223 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1224 1225 received_len = 0; 1226 outbuf_len = 0; 1227 written = 0; 1228 1229 while (received_len != len) { 1230 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1231 1232 switch (ev.filter) { 1233 case EVFILT_WRITE: 1234 /* 1235 * Compose the next TLS record to send. 1236 */ 1237 if (outbuf_len == 0) { 1238 ATF_REQUIRE(written < len); 1239 todo = len - written; 1240 if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding) 1241 todo = TLS_MAX_MSG_SIZE_V10_2 - padding; 1242 outbuf_len = encrypt_tls_record(en, 1243 TLS_RLTYPE_APP, seqno, plaintext + written, 1244 todo, outbuf, outbuf_cap, padding); 1245 outbuf_sent = 0; 1246 written += todo; 1247 seqno++; 1248 } 1249 1250 /* 1251 * Try to write the remainder of the current 1252 * TLS record. 1253 */ 1254 rv = write(ev.ident, outbuf + outbuf_sent, 1255 outbuf_len - outbuf_sent); 1256 ATF_REQUIRE_MSG(rv > 0, 1257 "failed to write to socket"); 1258 outbuf_sent += rv; 1259 if (outbuf_sent == outbuf_len) { 1260 outbuf_len = 0; 1261 if (written == len) { 1262 ev.flags = EV_DISABLE; 1263 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1264 NULL) == 0); 1265 } 1266 } 1267 break; 1268 1269 case EVFILT_READ: 1270 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1271 1272 rv = ktls_receive_tls_record(en, ev.ident, 1273 TLS_RLTYPE_APP, received + received_len, 1274 len - received_len); 1275 received_len += rv; 1276 break; 1277 } 1278 } 1279 1280 ATF_REQUIRE_MSG(written == received_len, 1281 "read %zu decrypted bytes, but wrote %zu", received_len, written); 1282 1283 ATF_REQUIRE(memcmp(plaintext, received, len) == 0); 1284 1285 free(outbuf); 1286 free(received); 1287 free(plaintext); 1288 1289 close_sockets(sockets); 1290 ATF_REQUIRE(close(kq) == 0); 1291 } 1292 1293 #define TLS_10_TESTS(M) \ 1294 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1295 CRYPTO_SHA1_HMAC) \ 1296 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1297 CRYPTO_SHA1_HMAC) 1298 1299 #define TLS_13_TESTS(M) \ 1300 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1301 TLS_MINOR_VER_THREE) \ 1302 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1303 TLS_MINOR_VER_THREE) \ 1304 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1305 TLS_MINOR_VER_THREE) 1306 1307 #define AES_CBC_TESTS(M) \ 1308 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1309 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1310 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1311 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1312 M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1313 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1314 M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1315 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1316 M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1317 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1318 M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1319 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1320 M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1321 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1322 M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \ 1323 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1324 M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1325 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1326 M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \ 1327 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1328 1329 #define AES_GCM_TESTS(M) \ 1330 M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1331 TLS_MINOR_VER_TWO) \ 1332 M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1333 TLS_MINOR_VER_TWO) \ 1334 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1335 TLS_MINOR_VER_THREE) \ 1336 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1337 TLS_MINOR_VER_THREE) 1338 1339 #define CHACHA20_TESTS(M) \ 1340 M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1341 TLS_MINOR_VER_TWO) \ 1342 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1343 TLS_MINOR_VER_THREE) 1344 1345 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1346 auth_alg, minor, name, len) \ 1347 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1348 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1349 { \ 1350 struct tls_enable en; \ 1351 uint64_t seqno; \ 1352 \ 1353 ATF_REQUIRE_KTLS(); \ 1354 seqno = random(); \ 1355 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1356 &en); \ 1357 test_ktls_transmit_app_data(&en, seqno, len); \ 1358 free_tls_enable(&en); \ 1359 } 1360 1361 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1362 auth_alg, minor, name) \ 1363 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1364 1365 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1366 auth_alg, minor, name, type, len) \ 1367 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1368 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1369 { \ 1370 struct tls_enable en; \ 1371 uint64_t seqno; \ 1372 \ 1373 ATF_REQUIRE_KTLS(); \ 1374 seqno = random(); \ 1375 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1376 &en); \ 1377 test_ktls_transmit_control(&en, seqno, type, len); \ 1378 free_tls_enable(&en); \ 1379 } 1380 1381 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1382 auth_alg, minor, name) \ 1383 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1384 1385 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1386 key_size, auth_alg, minor) \ 1387 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ 1388 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ 1389 { \ 1390 struct tls_enable en; \ 1391 uint64_t seqno; \ 1392 \ 1393 ATF_REQUIRE_KTLS(); \ 1394 seqno = random(); \ 1395 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1396 &en); \ 1397 test_ktls_transmit_empty_fragment(&en, seqno); \ 1398 free_tls_enable(&en); \ 1399 } 1400 1401 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1402 key_size, auth_alg, minor) \ 1403 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); 1404 1405 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1406 minor) \ 1407 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1408 auth_alg, minor, short, 64) \ 1409 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1410 auth_alg, minor, long, 64 * 1024) \ 1411 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1412 auth_alg, minor, control, 0x21 /* Alert */, 32) 1413 1414 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1415 minor) \ 1416 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1417 auth_alg, minor, short) \ 1418 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1419 auth_alg, minor, long) \ 1420 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1421 auth_alg, minor, control) 1422 1423 /* 1424 * For each supported cipher suite, run three transmit tests: 1425 * 1426 * - a short test which sends 64 bytes of application data (likely as 1427 * a single TLS record) 1428 * 1429 * - a long test which sends 64KB of application data (split across 1430 * multiple TLS records) 1431 * 1432 * - a control test which sends a single record with a specific 1433 * content type via sendmsg() 1434 */ 1435 AES_CBC_TESTS(GEN_TRANSMIT_TESTS); 1436 AES_GCM_TESTS(GEN_TRANSMIT_TESTS); 1437 CHACHA20_TESTS(GEN_TRANSMIT_TESTS); 1438 1439 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1440 auth_alg, minor) \ 1441 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1442 auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \ 1443 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1444 auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \ 1445 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1446 auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \ 1447 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1448 auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \ 1449 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1450 auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \ 1451 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1452 auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \ 1453 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1454 auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \ 1455 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1456 auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \ 1457 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1458 auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \ 1459 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1460 auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \ 1461 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1462 auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \ 1463 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1464 auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \ 1465 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1466 auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \ 1467 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1468 auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \ 1469 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1470 auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \ 1471 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1472 auth_alg, minor, padding_16, 0x21 /* Alert */, 16) 1473 1474 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1475 auth_alg, minor) \ 1476 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1477 auth_alg, minor, padding_1) \ 1478 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1479 auth_alg, minor, padding_2) \ 1480 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1481 auth_alg, minor, padding_3) \ 1482 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1483 auth_alg, minor, padding_4) \ 1484 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1485 auth_alg, minor, padding_5) \ 1486 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1487 auth_alg, minor, padding_6) \ 1488 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1489 auth_alg, minor, padding_7) \ 1490 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1491 auth_alg, minor, padding_8) \ 1492 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1493 auth_alg, minor, padding_9) \ 1494 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1495 auth_alg, minor, padding_10) \ 1496 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1497 auth_alg, minor, padding_11) \ 1498 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1499 auth_alg, minor, padding_12) \ 1500 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1501 auth_alg, minor, padding_13) \ 1502 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1503 auth_alg, minor, padding_14) \ 1504 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1505 auth_alg, minor, padding_15) \ 1506 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1507 auth_alg, minor, padding_16) 1508 1509 /* 1510 * For AES-CBC MTE cipher suites using padding, add tests of messages 1511 * with each possible padding size. Note that the padding_<N> tests 1512 * do not necessarily test <N> bytes of padding as the padding is a 1513 * function of the cipher suite's MAC length. However, cycling 1514 * through all of the payload sizes from 1 to 16 should exercise all 1515 * of the possible padding lengths for each suite. 1516 */ 1517 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); 1518 1519 /* 1520 * Test "empty fragments" which are TLS records with no payload that 1521 * OpenSSL can send for TLS 1.0 connections. 1522 */ 1523 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1524 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1525 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1526 1527 static void 1528 test_ktls_invalid_transmit_cipher_suite(struct tls_enable *en) 1529 { 1530 int sockets[2]; 1531 1532 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1533 1534 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1535 sizeof(*en)) == -1); 1536 ATF_REQUIRE(errno == EINVAL); 1537 1538 close_sockets(sockets); 1539 } 1540 1541 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1542 minor) \ 1543 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name); \ 1544 ATF_TC_BODY(ktls_transmit_invalid_##name, tc) \ 1545 { \ 1546 struct tls_enable en; \ 1547 uint64_t seqno; \ 1548 \ 1549 ATF_REQUIRE_KTLS(); \ 1550 seqno = random(); \ 1551 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1552 &en); \ 1553 test_ktls_invalid_transmit_cipher_suite(&en); \ 1554 free_tls_enable(&en); \ 1555 } 1556 1557 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1558 minor) \ 1559 ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name); 1560 1561 #define INVALID_CIPHER_SUITES(M) \ 1562 M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1563 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO) \ 1564 M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1565 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO) \ 1566 M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1567 TLS_MINOR_VER_ZERO) \ 1568 M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1569 TLS_MINOR_VER_ZERO) \ 1570 M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1571 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE) \ 1572 M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1573 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE) \ 1574 M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1575 TLS_MINOR_VER_ONE) \ 1576 M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1577 TLS_MINOR_VER_ONE) \ 1578 M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1579 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE) \ 1580 M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1581 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE) \ 1582 M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1583 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE) 1584 1585 /* 1586 * Ensure that invalid cipher suites are rejected for transmit. 1587 */ 1588 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST); 1589 1590 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1591 auth_alg, minor, name, len, padding) \ 1592 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \ 1593 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \ 1594 { \ 1595 struct tls_enable en; \ 1596 uint64_t seqno; \ 1597 \ 1598 ATF_REQUIRE_KTLS(); \ 1599 seqno = random(); \ 1600 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1601 &en); \ 1602 test_ktls_receive_app_data(&en, seqno, len, padding); \ 1603 free_tls_enable(&en); \ 1604 } 1605 1606 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1607 auth_alg, minor, name) \ 1608 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name); 1609 1610 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1611 minor) \ 1612 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1613 auth_alg, minor, short, 64, 0) \ 1614 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1615 auth_alg, minor, long, 64 * 1024, 0) 1616 1617 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1618 minor) \ 1619 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1620 auth_alg, minor, short) \ 1621 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1622 auth_alg, minor, long) 1623 1624 /* 1625 * For each supported cipher suite, run two receive tests: 1626 * 1627 * - a short test which sends 64 bytes of application data (likely as 1628 * a single TLS record) 1629 * 1630 * - a long test which sends 64KB of application data (split across 1631 * multiple TLS records) 1632 * 1633 * Note that receive is currently only supported for TLS 1.2 AEAD 1634 * cipher suites. 1635 */ 1636 AES_GCM_TESTS(GEN_RECEIVE_TESTS); 1637 CHACHA20_TESTS(GEN_RECEIVE_TESTS); 1638 1639 #define GEN_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1640 auth_alg, minor) \ 1641 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1642 auth_alg, minor, short_padded, 64, 16) \ 1643 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1644 auth_alg, minor, long_padded, 64 * 1024, 15) 1645 1646 #define ADD_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1647 auth_alg, minor) \ 1648 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1649 auth_alg, minor, short_padded) \ 1650 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1651 auth_alg, minor, long_padded) 1652 1653 /* 1654 * For TLS 1.3 cipher suites, run two additional receive tests which 1655 * use add padding to each record. 1656 */ 1657 TLS_13_TESTS(GEN_PADDING_RECEIVE_TESTS); 1658 1659 static void 1660 test_ktls_invalid_receive_cipher_suite(struct tls_enable *en) 1661 { 1662 int sockets[2]; 1663 1664 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1665 1666 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1667 sizeof(*en)) == -1); 1668 ATF_REQUIRE(errno == EINVAL); 1669 1670 close_sockets(sockets); 1671 } 1672 1673 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1674 minor) \ 1675 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name); \ 1676 ATF_TC_BODY(ktls_receive_invalid_##name, tc) \ 1677 { \ 1678 struct tls_enable en; \ 1679 uint64_t seqno; \ 1680 \ 1681 ATF_REQUIRE_KTLS(); \ 1682 seqno = random(); \ 1683 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1684 &en); \ 1685 test_ktls_invalid_receive_cipher_suite(&en); \ 1686 free_tls_enable(&en); \ 1687 } 1688 1689 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1690 minor) \ 1691 ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name); 1692 1693 /* 1694 * Ensure that invalid cipher suites are rejected for receive. 1695 */ 1696 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST); 1697 1698 static void 1699 test_ktls_unsupported_receive_cipher_suite(struct tls_enable *en) 1700 { 1701 int sockets[2]; 1702 1703 ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); 1704 1705 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1706 sizeof(*en)) == -1); 1707 ATF_REQUIRE(errno == EPROTONOSUPPORT); 1708 1709 close_sockets(sockets); 1710 } 1711 1712 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1713 auth_alg, minor) \ 1714 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name); \ 1715 ATF_TC_BODY(ktls_receive_unsupported_##name, tc) \ 1716 { \ 1717 struct tls_enable en; \ 1718 uint64_t seqno; \ 1719 \ 1720 ATF_REQUIRE_KTLS(); \ 1721 seqno = random(); \ 1722 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1723 &en); \ 1724 test_ktls_unsupported_receive_cipher_suite(&en); \ 1725 free_tls_enable(&en); \ 1726 } 1727 1728 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1729 auth_alg, minor) \ 1730 ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name); 1731 1732 /* 1733 * Ensure that valid cipher suites not supported for receive are 1734 * rejected. 1735 */ 1736 AES_CBC_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST); 1737 1738 /* 1739 * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise 1740 * KTLS error handling in the socket layer. 1741 */ 1742 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst); 1743 ATF_TC_BODY(ktls_sendto_baddst, tc) 1744 { 1745 char buf[32]; 1746 struct sockaddr_in dst; 1747 struct tls_enable en; 1748 ssize_t n; 1749 int s; 1750 1751 ATF_REQUIRE_KTLS(); 1752 1753 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 1754 ATF_REQUIRE(s >= 0); 1755 1756 build_tls_enable(CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, 1757 TLS_MINOR_VER_THREE, (uint64_t)random(), &en); 1758 1759 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, 1760 sizeof(en)) == 0); 1761 1762 memset(&dst, 0, sizeof(dst)); 1763 dst.sin_family = AF_INET; 1764 dst.sin_len = sizeof(dst); 1765 dst.sin_addr.s_addr = htonl(INADDR_BROADCAST); 1766 dst.sin_port = htons(12345); 1767 1768 memset(buf, 0, sizeof(buf)); 1769 n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst, 1770 sizeof(dst)); 1771 1772 /* Can't transmit to the broadcast address over TCP. */ 1773 ATF_REQUIRE_ERRNO(EACCES, n == -1); 1774 ATF_REQUIRE(close(s) == 0); 1775 } 1776 1777 ATF_TP_ADD_TCS(tp) 1778 { 1779 /* Transmit tests */ 1780 AES_CBC_TESTS(ADD_TRANSMIT_TESTS); 1781 AES_GCM_TESTS(ADD_TRANSMIT_TESTS); 1782 CHACHA20_TESTS(ADD_TRANSMIT_TESTS); 1783 AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); 1784 AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1785 AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1786 CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1787 INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST); 1788 1789 /* Receive tests */ 1790 AES_CBC_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST); 1791 AES_GCM_TESTS(ADD_RECEIVE_TESTS); 1792 CHACHA20_TESTS(ADD_RECEIVE_TESTS); 1793 TLS_13_TESTS(ADD_PADDING_RECEIVE_TESTS); 1794 INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST); 1795 1796 /* Miscellaneous */ 1797 ATF_TP_ADD_TC(tp, ktls_sendto_baddst); 1798 1799 return (atf_no_error()); 1800 } 1801