xref: /freebsd/tests/sys/kern/ktls_test.c (revision 4f0c9b76cf75724ef0b9c59bb8c182be24361d7c)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Netflix Inc.
5  * Written by: John Baldwin <jhb@FreeBSD.org>
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26  * SUCH DAMAGE.
27  */
28 
29 #include <sys/types.h>
30 #include <sys/endian.h>
31 #include <sys/event.h>
32 #include <sys/ktls.h>
33 #include <sys/socket.h>
34 #include <sys/sysctl.h>
35 #include <netinet/in.h>
36 #include <netinet/tcp.h>
37 #include <crypto/cryptodev.h>
38 #include <assert.h>
39 #include <err.h>
40 #include <fcntl.h>
41 #include <netdb.h>
42 #include <poll.h>
43 #include <stdbool.h>
44 #include <stdlib.h>
45 #include <atf-c.h>
46 
47 #include <openssl/err.h>
48 #include <openssl/evp.h>
49 #include <openssl/hmac.h>
50 
51 static void
52 require_ktls(void)
53 {
54 	size_t len;
55 	bool enable;
56 
57 	len = sizeof(enable);
58 	if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) {
59 		if (errno == ENOENT)
60 			atf_tc_skip("kernel does not support TLS offload");
61 		atf_libc_error(errno, "Failed to read kern.ipc.tls.enable");
62 	}
63 
64 	if (!enable)
65 		atf_tc_skip("Kernel TLS is disabled");
66 }
67 
68 #define	ATF_REQUIRE_KTLS()	require_ktls()
69 
70 static void
71 check_tls_mode(const atf_tc_t *tc, int s, int sockopt)
72 {
73 	if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_ifnet", false)) {
74 		socklen_t len;
75 		int mode;
76 
77 		len = sizeof(mode);
78 		if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1)
79 			atf_libc_error(errno, "Failed to fetch TLS mode");
80 
81 		if (mode != TCP_TLS_MODE_IFNET)
82 			atf_tc_skip("connection did not use ifnet TLS");
83 	}
84 
85 	if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_toe", false)) {
86 		socklen_t len;
87 		int mode;
88 
89 		len = sizeof(mode);
90 		if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1)
91 			atf_libc_error(errno, "Failed to fetch TLS mode");
92 
93 		if (mode != TCP_TLS_MODE_TOE)
94 			atf_tc_skip("connection did not use TOE TLS");
95 	}
96 }
97 
98 static char
99 rdigit(void)
100 {
101 	/* ASCII printable values between 0x20 and 0x7e */
102 	return (0x20 + random() % (0x7f - 0x20));
103 }
104 
105 static char *
106 alloc_buffer(size_t len)
107 {
108 	char *buf;
109 	size_t i;
110 
111 	if (len == 0)
112 		return (NULL);
113 	buf = malloc(len);
114 	for (i = 0; i < len; i++)
115 		buf[i] = rdigit();
116 	return (buf);
117 }
118 
119 static bool
120 socketpair_tcp(int sv[2])
121 {
122 	struct pollfd pfd;
123 	struct sockaddr_in sin;
124 	socklen_t len;
125 	int as, cs, ls;
126 
127 	ls = socket(PF_INET, SOCK_STREAM, 0);
128 	if (ls == -1) {
129 		warn("socket() for listen");
130 		return (false);
131 	}
132 
133 	memset(&sin, 0, sizeof(sin));
134 	sin.sin_len = sizeof(sin);
135 	sin.sin_family = AF_INET;
136 	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
137 	if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
138 		warn("bind");
139 		close(ls);
140 		return (false);
141 	}
142 
143 	if (listen(ls, 1) == -1) {
144 		warn("listen");
145 		close(ls);
146 		return (false);
147 	}
148 
149 	len = sizeof(sin);
150 	if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) {
151 		warn("getsockname");
152 		close(ls);
153 		return (false);
154 	}
155 
156 	cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
157 	if (cs == -1) {
158 		warn("socket() for connect");
159 		close(ls);
160 		return (false);
161 	}
162 
163 	if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
164 		if (errno != EINPROGRESS) {
165 			warn("connect");
166 			close(ls);
167 			close(cs);
168 			return (false);
169 		}
170 	}
171 
172 	as = accept4(ls, NULL, NULL, SOCK_NONBLOCK);
173 	if (as == -1) {
174 		warn("accept4");
175 		close(ls);
176 		close(cs);
177 		return (false);
178 	}
179 
180 	close(ls);
181 
182 	pfd.fd = cs;
183 	pfd.events = POLLOUT;
184 	pfd.revents = 0;
185 	ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1);
186 	ATF_REQUIRE(pfd.revents == POLLOUT);
187 
188 	sv[0] = cs;
189 	sv[1] = as;
190 	return (true);
191 }
192 
193 static bool
194 echo_socket(const atf_tc_t *tc, int sv[2])
195 {
196 	const char *cause, *host, *port;
197 	struct addrinfo hints, *ai, *tofree;
198 	int error, flags, s;
199 
200 	host = atf_tc_get_config_var(tc, "ktls.host");
201 	port = atf_tc_get_config_var_wd(tc, "ktls.port", "echo");
202 	memset(&hints, 0, sizeof(hints));
203 	hints.ai_family = AF_UNSPEC;
204 	hints.ai_socktype = SOCK_STREAM;
205 	hints.ai_protocol = IPPROTO_TCP;
206 	error = getaddrinfo(host, port, &hints, &tofree);
207 	if (error != 0) {
208 		warnx("getaddrinfo(%s:%s) failed: %s", host, port,
209 		    gai_strerror(error));
210 		return (false);
211 	}
212 
213 	cause = NULL;
214 	for (ai = tofree; ai != NULL; ai = ai->ai_next) {
215 		s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
216 		if (s == -1) {
217 			cause = "socket";
218 			error = errno;
219 			continue;
220 		}
221 
222 		if (connect(s, ai->ai_addr, ai->ai_addrlen) == -1) {
223 			cause = "connect";
224 			error = errno;
225 			close(s);
226 			continue;
227 		}
228 
229 		freeaddrinfo(tofree);
230 
231 		ATF_REQUIRE((flags = fcntl(s, F_GETFL)) != -1);
232 		flags |= O_NONBLOCK;
233 		ATF_REQUIRE(fcntl(s, F_SETFL, flags) != -1);
234 
235 		sv[0] = s;
236 		sv[1] = s;
237 		return (true);
238 	}
239 
240 	warnc(error, "%s", cause);
241 	freeaddrinfo(tofree);
242 	return (false);
243 }
244 
245 static bool
246 open_sockets(const atf_tc_t *tc, int sv[2])
247 {
248 	if (atf_tc_has_config_var(tc, "ktls.host"))
249 		return (echo_socket(tc, sv));
250 	else
251 		return (socketpair_tcp(sv));
252 }
253 
254 static void
255 close_sockets(int sv[2])
256 {
257 	if (sv[0] != sv[1])
258 		ATF_REQUIRE(close(sv[1]) == 0);
259 	ATF_REQUIRE(close(sv[0]) == 0);
260 }
261 
262 static void
263 fd_set_blocking(int fd)
264 {
265 	int flags;
266 
267 	ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1);
268 	flags &= ~O_NONBLOCK;
269 	ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1);
270 }
271 
272 static bool
273 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv,
274     const char *input, char *output, size_t size)
275 {
276 	EVP_CIPHER_CTX *ctx;
277 	int outl, total;
278 
279 	ctx = EVP_CIPHER_CTX_new();
280 	if (ctx == NULL) {
281 		warnx("EVP_CIPHER_CTX_new failed: %s",
282 		    ERR_error_string(ERR_get_error(), NULL));
283 		return (false);
284 	}
285 	if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key,
286 	    (const u_char *)iv, 0) != 1) {
287 		warnx("EVP_CipherInit_ex failed: %s",
288 		    ERR_error_string(ERR_get_error(), NULL));
289 		EVP_CIPHER_CTX_free(ctx);
290 		return (false);
291 	}
292 	EVP_CIPHER_CTX_set_padding(ctx, 0);
293 	if (EVP_CipherUpdate(ctx, (u_char *)output, &outl,
294 	    (const u_char *)input, size) != 1) {
295 		warnx("EVP_CipherUpdate failed: %s",
296 		    ERR_error_string(ERR_get_error(), NULL));
297 		EVP_CIPHER_CTX_free(ctx);
298 		return (false);
299 	}
300 	total = outl;
301 	if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) {
302 		warnx("EVP_CipherFinal_ex failed: %s",
303 		    ERR_error_string(ERR_get_error(), NULL));
304 		EVP_CIPHER_CTX_free(ctx);
305 		return (false);
306 	}
307 	total += outl;
308 	if ((size_t)total != size) {
309 		warnx("decrypt size mismatch: %zu vs %d", size, total);
310 		EVP_CIPHER_CTX_free(ctx);
311 		return (false);
312 	}
313 	EVP_CIPHER_CTX_free(ctx);
314 	return (true);
315 }
316 
317 static bool
318 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad,
319     size_t aad_len, const void *buffer, size_t len, const void *digest)
320 {
321 	HMAC_CTX *ctx;
322 	unsigned char digest2[EVP_MAX_MD_SIZE];
323 	u_int digest_len;
324 
325 	ctx = HMAC_CTX_new();
326 	if (ctx == NULL) {
327 		warnx("HMAC_CTX_new failed: %s",
328 		    ERR_error_string(ERR_get_error(), NULL));
329 		return (false);
330 	}
331 	if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) {
332 		warnx("HMAC_Init_ex failed: %s",
333 		    ERR_error_string(ERR_get_error(), NULL));
334 		HMAC_CTX_free(ctx);
335 		return (false);
336 	}
337 	if (HMAC_Update(ctx, aad, aad_len) != 1) {
338 		warnx("HMAC_Update (aad) failed: %s",
339 		    ERR_error_string(ERR_get_error(), NULL));
340 		HMAC_CTX_free(ctx);
341 		return (false);
342 	}
343 	if (HMAC_Update(ctx, buffer, len) != 1) {
344 		warnx("HMAC_Update (payload) failed: %s",
345 		    ERR_error_string(ERR_get_error(), NULL));
346 		HMAC_CTX_free(ctx);
347 		return (false);
348 	}
349 	if (HMAC_Final(ctx, digest2, &digest_len) != 1) {
350 		warnx("HMAC_Final failed: %s",
351 		    ERR_error_string(ERR_get_error(), NULL));
352 		HMAC_CTX_free(ctx);
353 		return (false);
354 	}
355 	HMAC_CTX_free(ctx);
356 	if (memcmp(digest, digest2, digest_len) != 0) {
357 		warnx("HMAC mismatch");
358 		return (false);
359 	}
360 	return (true);
361 }
362 
363 static bool
364 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce,
365     const void *aad, size_t aad_len, const char *input, char *output,
366     size_t size, char *tag, size_t tag_len)
367 {
368 	EVP_CIPHER_CTX *ctx;
369 	int outl, total;
370 
371 	ctx = EVP_CIPHER_CTX_new();
372 	if (ctx == NULL) {
373 		warnx("EVP_CIPHER_CTX_new failed: %s",
374 		    ERR_error_string(ERR_get_error(), NULL));
375 		return (false);
376 	}
377 	if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
378 	    (const u_char *)nonce) != 1) {
379 		warnx("EVP_EncryptInit_ex failed: %s",
380 		    ERR_error_string(ERR_get_error(), NULL));
381 		EVP_CIPHER_CTX_free(ctx);
382 		return (false);
383 	}
384 	EVP_CIPHER_CTX_set_padding(ctx, 0);
385 	if (aad != NULL) {
386 		if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
387 		    aad_len) != 1) {
388 			warnx("EVP_EncryptUpdate for AAD failed: %s",
389 			    ERR_error_string(ERR_get_error(), NULL));
390 			EVP_CIPHER_CTX_free(ctx);
391 			return (false);
392 		}
393 	}
394 	if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl,
395 	    (const u_char *)input, size) != 1) {
396 		warnx("EVP_EncryptUpdate failed: %s",
397 		    ERR_error_string(ERR_get_error(), NULL));
398 		EVP_CIPHER_CTX_free(ctx);
399 		return (false);
400 	}
401 	total = outl;
402 	if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) {
403 		warnx("EVP_EncryptFinal_ex failed: %s",
404 		    ERR_error_string(ERR_get_error(), NULL));
405 		EVP_CIPHER_CTX_free(ctx);
406 		return (false);
407 	}
408 	total += outl;
409 	if ((size_t)total != size) {
410 		warnx("encrypt size mismatch: %zu vs %d", size, total);
411 		EVP_CIPHER_CTX_free(ctx);
412 		return (false);
413 	}
414 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) !=
415 	    1) {
416 		warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s",
417 		    ERR_error_string(ERR_get_error(), NULL));
418 		EVP_CIPHER_CTX_free(ctx);
419 		return (false);
420 	}
421 	EVP_CIPHER_CTX_free(ctx);
422 	return (true);
423 }
424 
425 static bool
426 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce,
427     const void *aad, size_t aad_len, const char *input, char *output,
428     size_t size, const char *tag, size_t tag_len)
429 {
430 	EVP_CIPHER_CTX *ctx;
431 	int outl, total;
432 	bool valid;
433 
434 	ctx = EVP_CIPHER_CTX_new();
435 	if (ctx == NULL) {
436 		warnx("EVP_CIPHER_CTX_new failed: %s",
437 		    ERR_error_string(ERR_get_error(), NULL));
438 		return (false);
439 	}
440 	if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key,
441 	    (const u_char *)nonce) != 1) {
442 		warnx("EVP_DecryptInit_ex failed: %s",
443 		    ERR_error_string(ERR_get_error(), NULL));
444 		EVP_CIPHER_CTX_free(ctx);
445 		return (false);
446 	}
447 	EVP_CIPHER_CTX_set_padding(ctx, 0);
448 	if (aad != NULL) {
449 		if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad,
450 		    aad_len) != 1) {
451 			warnx("EVP_DecryptUpdate for AAD failed: %s",
452 			    ERR_error_string(ERR_get_error(), NULL));
453 			EVP_CIPHER_CTX_free(ctx);
454 			return (false);
455 		}
456 	}
457 	if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl,
458 	    (const u_char *)input, size) != 1) {
459 		warnx("EVP_DecryptUpdate failed: %s",
460 		    ERR_error_string(ERR_get_error(), NULL));
461 		EVP_CIPHER_CTX_free(ctx);
462 		return (false);
463 	}
464 	total = outl;
465 	if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len,
466 	    __DECONST(char *, tag)) != 1) {
467 		warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s",
468 		    ERR_error_string(ERR_get_error(), NULL));
469 		EVP_CIPHER_CTX_free(ctx);
470 		return (false);
471 	}
472 	valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1);
473 	total += outl;
474 	if ((size_t)total != size) {
475 		warnx("decrypt size mismatch: %zu vs %d", size, total);
476 		EVP_CIPHER_CTX_free(ctx);
477 		return (false);
478 	}
479 	if (!valid)
480 		warnx("tag mismatch");
481 	EVP_CIPHER_CTX_free(ctx);
482 	return (valid);
483 }
484 
485 static void
486 build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg,
487     int minor, uint64_t seqno, struct tls_enable *en)
488 {
489 	u_int auth_key_len, iv_len;
490 
491 	memset(en, 0, sizeof(*en));
492 
493 	switch (cipher_alg) {
494 	case CRYPTO_AES_CBC:
495 		if (minor == TLS_MINOR_VER_ZERO)
496 			iv_len = AES_BLOCK_LEN;
497 		else
498 			iv_len = 0;
499 		break;
500 	case CRYPTO_AES_NIST_GCM_16:
501 		if (minor == TLS_MINOR_VER_TWO)
502 			iv_len = TLS_AEAD_GCM_LEN;
503 		else
504 			iv_len = TLS_1_3_GCM_IV_LEN;
505 		break;
506 	case CRYPTO_CHACHA20_POLY1305:
507 		iv_len = TLS_CHACHA20_IV_LEN;
508 		break;
509 	default:
510 		iv_len = 0;
511 		break;
512 	}
513 	switch (auth_alg) {
514 	case CRYPTO_SHA1_HMAC:
515 		auth_key_len = SHA1_HASH_LEN;
516 		break;
517 	case CRYPTO_SHA2_256_HMAC:
518 		auth_key_len = SHA2_256_HASH_LEN;
519 		break;
520 	case CRYPTO_SHA2_384_HMAC:
521 		auth_key_len = SHA2_384_HASH_LEN;
522 		break;
523 	default:
524 		auth_key_len = 0;
525 		break;
526 	}
527 	en->cipher_key = alloc_buffer(cipher_key_len);
528 	en->iv = alloc_buffer(iv_len);
529 	en->auth_key = alloc_buffer(auth_key_len);
530 	en->cipher_algorithm = cipher_alg;
531 	en->cipher_key_len = cipher_key_len;
532 	en->iv_len = iv_len;
533 	en->auth_algorithm = auth_alg;
534 	en->auth_key_len = auth_key_len;
535 	en->tls_vmajor = TLS_MAJOR_VER_ONE;
536 	en->tls_vminor = minor;
537 	be64enc(en->rec_seq, seqno);
538 }
539 
540 static void
541 free_tls_enable(struct tls_enable *en)
542 {
543 	free(__DECONST(void *, en->cipher_key));
544 	free(__DECONST(void *, en->iv));
545 	free(__DECONST(void *, en->auth_key));
546 }
547 
548 static const EVP_CIPHER *
549 tls_EVP_CIPHER(const struct tls_enable *en)
550 {
551 	switch (en->cipher_algorithm) {
552 	case CRYPTO_AES_CBC:
553 		switch (en->cipher_key_len) {
554 		case 128 / 8:
555 			return (EVP_aes_128_cbc());
556 		case 256 / 8:
557 			return (EVP_aes_256_cbc());
558 		default:
559 			return (NULL);
560 		}
561 		break;
562 	case CRYPTO_AES_NIST_GCM_16:
563 		switch (en->cipher_key_len) {
564 		case 128 / 8:
565 			return (EVP_aes_128_gcm());
566 		case 256 / 8:
567 			return (EVP_aes_256_gcm());
568 		default:
569 			return (NULL);
570 		}
571 		break;
572 	case CRYPTO_CHACHA20_POLY1305:
573 		return (EVP_chacha20_poly1305());
574 	default:
575 		return (NULL);
576 	}
577 }
578 
579 static const EVP_MD *
580 tls_EVP_MD(const struct tls_enable *en)
581 {
582 	switch (en->auth_algorithm) {
583 	case CRYPTO_SHA1_HMAC:
584 		return (EVP_sha1());
585 	case CRYPTO_SHA2_256_HMAC:
586 		return (EVP_sha256());
587 	case CRYPTO_SHA2_384_HMAC:
588 		return (EVP_sha384());
589 	default:
590 		return (NULL);
591 	}
592 }
593 
594 static size_t
595 tls_header_len(struct tls_enable *en)
596 {
597 	size_t len;
598 
599 	len = sizeof(struct tls_record_layer);
600 	switch (en->cipher_algorithm) {
601 	case CRYPTO_AES_CBC:
602 		if (en->tls_vminor != TLS_MINOR_VER_ZERO)
603 			len += AES_BLOCK_LEN;
604 		return (len);
605 	case CRYPTO_AES_NIST_GCM_16:
606 		if (en->tls_vminor == TLS_MINOR_VER_TWO)
607 			len += sizeof(uint64_t);
608 		return (len);
609 	case CRYPTO_CHACHA20_POLY1305:
610 		return (len);
611 	default:
612 		return (0);
613 	}
614 }
615 
616 static size_t
617 tls_mac_len(struct tls_enable *en)
618 {
619 	switch (en->cipher_algorithm) {
620 	case CRYPTO_AES_CBC:
621 		switch (en->auth_algorithm) {
622 		case CRYPTO_SHA1_HMAC:
623 			return (SHA1_HASH_LEN);
624 		case CRYPTO_SHA2_256_HMAC:
625 			return (SHA2_256_HASH_LEN);
626 		case CRYPTO_SHA2_384_HMAC:
627 			return (SHA2_384_HASH_LEN);
628 		default:
629 			return (0);
630 		}
631 	case CRYPTO_AES_NIST_GCM_16:
632 		return (AES_GMAC_HASH_LEN);
633 	case CRYPTO_CHACHA20_POLY1305:
634 		return (POLY1305_HASH_LEN);
635 	default:
636 		return (0);
637 	}
638 }
639 
640 /* Includes maximum padding for MTE. */
641 static size_t
642 tls_trailer_len(struct tls_enable *en)
643 {
644 	size_t len;
645 
646 	len = tls_mac_len(en);
647 	if (en->cipher_algorithm == CRYPTO_AES_CBC)
648 		len += AES_BLOCK_LEN;
649 	if (en->tls_vminor == TLS_MINOR_VER_THREE)
650 		len++;
651 	return (len);
652 }
653 
654 /* 'len' is the length of the payload application data. */
655 static void
656 tls_mte_aad(struct tls_enable *en, size_t len,
657     const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad)
658 {
659 	ad->seq = htobe64(seqno);
660 	ad->type = hdr->tls_type;
661 	ad->tls_vmajor = hdr->tls_vmajor;
662 	ad->tls_vminor = hdr->tls_vminor;
663 	ad->tls_length = htons(len);
664 }
665 
666 static void
667 tls_12_aead_aad(struct tls_enable *en, size_t len,
668     const struct tls_record_layer *hdr, uint64_t seqno,
669     struct tls_aead_data *ad)
670 {
671 	ad->seq = htobe64(seqno);
672 	ad->type = hdr->tls_type;
673 	ad->tls_vmajor = hdr->tls_vmajor;
674 	ad->tls_vminor = hdr->tls_vminor;
675 	ad->tls_length = htons(len);
676 }
677 
678 static void
679 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr,
680     uint64_t seqno, struct tls_aead_data_13 *ad)
681 {
682 	ad->type = hdr->tls_type;
683 	ad->tls_vmajor = hdr->tls_vmajor;
684 	ad->tls_vminor = hdr->tls_vminor;
685 	ad->tls_length = hdr->tls_length;
686 }
687 
688 static void
689 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr,
690     char *nonce)
691 {
692 	memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN);
693 	memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t));
694 }
695 
696 static void
697 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce)
698 {
699 	static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN,
700 	    "TLS 1.3 nonce length mismatch");
701 	memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN);
702 	*(uint64_t *)(nonce + 4) ^= htobe64(seqno);
703 }
704 
705 /*
706  * Decrypt a TLS record 'len' bytes long at 'src' and store the result at
707  * 'dst'.  If the TLS record header length doesn't match or 'dst' doesn't
708  * have sufficient room ('avail'), fail the test.
709  */
710 static size_t
711 decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src,
712     size_t len, void *dst, size_t avail, uint8_t *record_type)
713 {
714 	const struct tls_record_layer *hdr;
715 	struct tls_mac_data aad;
716 	const char *iv;
717 	char *buf;
718 	size_t hdr_len, mac_len, payload_len;
719 	int padding;
720 
721 	hdr = src;
722 	hdr_len = tls_header_len(en);
723 	mac_len = tls_mac_len(en);
724 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
725 	ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor);
726 
727 	/* First, decrypt the outer payload into a temporary buffer. */
728 	payload_len = len - hdr_len;
729 	buf = malloc(payload_len);
730 	if (en->tls_vminor == TLS_MINOR_VER_ZERO)
731 		iv = en->iv;
732 	else
733 		iv = (void *)(hdr + 1);
734 	ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv,
735 	    (const u_char *)src + hdr_len, buf, payload_len));
736 
737 	/*
738 	 * Copy the last encrypted block to use as the IV for the next
739 	 * record for TLS 1.0.
740 	 */
741 	if (en->tls_vminor == TLS_MINOR_VER_ZERO)
742 		memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src +
743 		    (len - AES_BLOCK_LEN), AES_BLOCK_LEN);
744 
745 	/*
746 	 * Verify trailing padding and strip.
747 	 *
748 	 * The kernel always generates the smallest amount of padding.
749 	 */
750 	padding = buf[payload_len - 1] + 1;
751 	ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN);
752 	ATF_REQUIRE(payload_len >= mac_len + padding);
753 	payload_len -= padding;
754 
755 	/* Verify HMAC. */
756 	payload_len -= mac_len;
757 	tls_mte_aad(en, payload_len, hdr, seqno, &aad);
758 	ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len,
759 	    &aad, sizeof(aad), buf, payload_len, buf + payload_len));
760 
761 	ATF_REQUIRE(payload_len <= avail);
762 	memcpy(dst, buf, payload_len);
763 	*record_type = hdr->tls_type;
764 	return (payload_len);
765 }
766 
767 static size_t
768 decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src,
769     size_t len, void *dst, uint8_t *record_type)
770 {
771 	const struct tls_record_layer *hdr;
772 	struct tls_aead_data aad;
773 	char nonce[12];
774 	size_t hdr_len, mac_len, payload_len;
775 
776 	hdr = src;
777 
778 	hdr_len = tls_header_len(en);
779 	mac_len = tls_mac_len(en);
780 	payload_len = len - (hdr_len + mac_len);
781 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
782 	ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO);
783 
784 	tls_12_aead_aad(en, payload_len, hdr, seqno, &aad);
785 	if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
786 		tls_12_gcm_nonce(en, hdr, nonce);
787 	else
788 		tls_13_nonce(en, seqno, nonce);
789 
790 	ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
791 	    &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len,
792 	    (const char *)src + hdr_len + payload_len, mac_len));
793 
794 	*record_type = hdr->tls_type;
795 	return (payload_len);
796 }
797 
798 static size_t
799 decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src,
800     size_t len, void *dst, uint8_t *record_type)
801 {
802 	const struct tls_record_layer *hdr;
803 	struct tls_aead_data_13 aad;
804 	char nonce[12];
805 	char *buf;
806 	size_t hdr_len, mac_len, payload_len;
807 
808 	hdr = src;
809 
810 	hdr_len = tls_header_len(en);
811 	mac_len = tls_mac_len(en);
812 	payload_len = len - (hdr_len + mac_len);
813 	ATF_REQUIRE(payload_len >= 1);
814 	ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP);
815 	ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE);
816 	ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO);
817 
818 	tls_13_aad(en, hdr, seqno, &aad);
819 	tls_13_nonce(en, seqno, nonce);
820 
821 	/*
822 	 * Have to use a temporary buffer for the output due to the
823 	 * record type as the last byte of the trailer.
824 	 */
825 	buf = malloc(payload_len);
826 
827 	ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
828 	    &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len,
829 	    (const char *)src + hdr_len + payload_len, mac_len));
830 
831 	/* Trim record type. */
832 	*record_type = buf[payload_len - 1];
833 	payload_len--;
834 
835 	memcpy(dst, buf, payload_len);
836 	free(buf);
837 
838 	return (payload_len);
839 }
840 
841 static size_t
842 decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src,
843     size_t len, void *dst, size_t avail, uint8_t *record_type)
844 {
845 	const struct tls_record_layer *hdr;
846 	size_t payload_len;
847 
848 	hdr = src;
849 	ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len);
850 
851 	payload_len = len - (tls_header_len(en) + tls_trailer_len(en));
852 	ATF_REQUIRE(payload_len <= avail);
853 
854 	if (en->tls_vminor == TLS_MINOR_VER_TWO) {
855 		ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst,
856 		    record_type) == payload_len);
857 	} else {
858 		ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst,
859 		    record_type) == payload_len);
860 	}
861 
862 	return (payload_len);
863 }
864 
865 static size_t
866 decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src,
867     size_t len, void *dst, size_t avail, uint8_t *record_type)
868 {
869 	if (en->cipher_algorithm == CRYPTO_AES_CBC)
870 		return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail,
871 		    record_type));
872 	else
873 		return (decrypt_tls_aead(en, seqno, src, len, dst, avail,
874 		    record_type));
875 }
876 
877 /*
878  * Encrypt a TLS record of type 'record_type' with payload 'len' bytes
879  * long at 'src' and store the result at 'dst'.  If 'dst' doesn't have
880  * sufficient room ('avail'), fail the test.
881  */
882 static size_t
883 encrypt_tls_12_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno,
884     const void *src, size_t len, void *dst)
885 {
886 	struct tls_record_layer *hdr;
887 	struct tls_aead_data aad;
888 	char nonce[12];
889 	size_t hdr_len, mac_len, record_len;
890 
891 	hdr = dst;
892 
893 	hdr_len = tls_header_len(en);
894 	mac_len = tls_mac_len(en);
895 	record_len = hdr_len + len + mac_len;
896 
897 	hdr->tls_type = record_type;
898 	hdr->tls_vmajor = TLS_MAJOR_VER_ONE;
899 	hdr->tls_vminor = TLS_MINOR_VER_TWO;
900 	hdr->tls_length = htons(record_len - sizeof(*hdr));
901 	if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
902 		memcpy(hdr + 1, &seqno, sizeof(seqno));
903 
904 	tls_12_aead_aad(en, len, hdr, seqno, &aad);
905 	if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16)
906 		tls_12_gcm_nonce(en, hdr, nonce);
907 	else
908 		tls_13_nonce(en, seqno, nonce);
909 
910 	ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
911 	    &aad, sizeof(aad), src, (char *)dst + hdr_len, len,
912 	    (char *)dst + hdr_len + len, mac_len));
913 
914 	return (record_len);
915 }
916 
917 static size_t
918 encrypt_tls_13_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno,
919     const void *src, size_t len, void *dst, size_t padding)
920 {
921 	struct tls_record_layer *hdr;
922 	struct tls_aead_data_13 aad;
923 	char nonce[12];
924 	char *buf;
925 	size_t hdr_len, mac_len, record_len;
926 
927 	hdr = dst;
928 
929 	hdr_len = tls_header_len(en);
930 	mac_len = tls_mac_len(en);
931 	record_len = hdr_len + len + 1 + padding + mac_len;
932 
933 	hdr->tls_type = TLS_RLTYPE_APP;
934 	hdr->tls_vmajor = TLS_MAJOR_VER_ONE;
935 	hdr->tls_vminor = TLS_MINOR_VER_TWO;
936 	hdr->tls_length = htons(record_len - sizeof(*hdr));
937 
938 	tls_13_aad(en, hdr, seqno, &aad);
939 	tls_13_nonce(en, seqno, nonce);
940 
941 	/*
942 	 * Have to use a temporary buffer for the input so that the record
943 	 * type can be appended.
944 	 */
945 	buf = malloc(len + 1 + padding);
946 	memcpy(buf, src, len);
947 	buf[len] = record_type;
948 	memset(buf + len + 1, 0, padding);
949 
950 	ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce,
951 	    &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding,
952 	    (char *)dst + hdr_len + len + 1 + padding, mac_len));
953 
954 	free(buf);
955 
956 	return (record_len);
957 }
958 
959 static size_t
960 encrypt_tls_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno,
961     const void *src, size_t len, void *dst, size_t avail, size_t padding)
962 {
963 	size_t record_len;
964 
965 	record_len = tls_header_len(en) + len + padding + tls_trailer_len(en);
966 	ATF_REQUIRE(record_len <= avail);
967 
968 	if (en->tls_vminor == TLS_MINOR_VER_TWO) {
969 		ATF_REQUIRE(padding == 0);
970 		ATF_REQUIRE(encrypt_tls_12_aead(en, record_type, seqno, src,
971 		    len, dst) == record_len);
972 	} else
973 		ATF_REQUIRE(encrypt_tls_13_aead(en, record_type, seqno, src,
974 		    len, dst, padding) == record_len);
975 
976 	return (record_len);
977 }
978 
979 static size_t
980 encrypt_tls_record(struct tls_enable *en, uint8_t record_type, uint64_t seqno,
981     const void *src, size_t len, void *dst, size_t avail, size_t padding)
982 {
983 	return (encrypt_tls_aead(en, record_type, seqno, src, len, dst, avail,
984 	    padding));
985 }
986 
987 static void
988 test_ktls_transmit_app_data(const atf_tc_t *tc, struct tls_enable *en,
989     uint64_t seqno, size_t len)
990 {
991 	struct kevent ev;
992 	struct tls_record_layer *hdr;
993 	char *plaintext, *decrypted, *outbuf;
994 	size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written;
995 	ssize_t rv;
996 	int kq, sockets[2];
997 	uint8_t record_type;
998 
999 	plaintext = alloc_buffer(len);
1000 	decrypted = malloc(len);
1001 	outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 +
1002 	    tls_trailer_len(en);
1003 	outbuf = malloc(outbuf_cap);
1004 	hdr = (struct tls_record_layer *)outbuf;
1005 
1006 	ATF_REQUIRE((kq = kqueue()) != -1);
1007 
1008 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1009 
1010 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1011 	    sizeof(*en)) == 0);
1012 	check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1013 
1014 	EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL);
1015 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1016 	EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL);
1017 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1018 
1019 	decrypted_len = 0;
1020 	outbuf_len = 0;
1021 	written = 0;
1022 
1023 	while (decrypted_len != len) {
1024 		ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1);
1025 
1026 		switch (ev.filter) {
1027 		case EVFILT_WRITE:
1028 			/* Try to write any remaining data. */
1029 			rv = write(ev.ident, plaintext + written,
1030 			    len - written);
1031 			ATF_REQUIRE_MSG(rv > 0,
1032 			    "failed to write to socket");
1033 			written += rv;
1034 			if (written == len) {
1035 				ev.flags = EV_DISABLE;
1036 				ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0,
1037 				    NULL) == 0);
1038 			}
1039 			break;
1040 
1041 		case EVFILT_READ:
1042 			ATF_REQUIRE((ev.flags & EV_EOF) == 0);
1043 
1044 			/*
1045 			 * Try to read data for the next TLS record
1046 			 * into outbuf.  Start by reading the header
1047 			 * to determine how much additional data to
1048 			 * read.
1049 			 */
1050 			if (outbuf_len < sizeof(struct tls_record_layer)) {
1051 				rv = read(ev.ident, outbuf + outbuf_len,
1052 				    sizeof(struct tls_record_layer) -
1053 				    outbuf_len);
1054 				ATF_REQUIRE_MSG(rv > 0,
1055 				    "failed to read from socket");
1056 				outbuf_len += rv;
1057 			}
1058 
1059 			if (outbuf_len < sizeof(struct tls_record_layer))
1060 				break;
1061 
1062 			record_len = sizeof(struct tls_record_layer) +
1063 			    ntohs(hdr->tls_length);
1064 			ATF_REQUIRE(record_len <= outbuf_cap);
1065 			ATF_REQUIRE(record_len > outbuf_len);
1066 			rv = read(ev.ident, outbuf + outbuf_len,
1067 			    record_len - outbuf_len);
1068 			if (rv == -1 && errno == EAGAIN)
1069 				break;
1070 			ATF_REQUIRE_MSG(rv > 0, "failed to read from socket");
1071 
1072 			outbuf_len += rv;
1073 			if (outbuf_len == record_len) {
1074 				decrypted_len += decrypt_tls_record(en, seqno,
1075 				    outbuf, outbuf_len,
1076 				    decrypted + decrypted_len,
1077 				    len - decrypted_len, &record_type);
1078 				ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
1079 
1080 				seqno++;
1081 				outbuf_len = 0;
1082 			}
1083 			break;
1084 		}
1085 	}
1086 
1087 	ATF_REQUIRE_MSG(written == decrypted_len,
1088 	    "read %zu decrypted bytes, but wrote %zu", decrypted_len, written);
1089 
1090 	ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
1091 
1092 	free(outbuf);
1093 	free(decrypted);
1094 	free(plaintext);
1095 
1096 	close_sockets(sockets);
1097 	ATF_REQUIRE(close(kq) == 0);
1098 }
1099 
1100 static void
1101 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len)
1102 {
1103 	struct msghdr msg;
1104 	struct cmsghdr *cmsg;
1105 	char cbuf[CMSG_SPACE(sizeof(type))];
1106 	struct iovec iov;
1107 
1108 	memset(&msg, 0, sizeof(msg));
1109 
1110 	msg.msg_control = cbuf;
1111 	msg.msg_controllen = sizeof(cbuf);
1112 	cmsg = CMSG_FIRSTHDR(&msg);
1113 	cmsg->cmsg_level = IPPROTO_TCP;
1114 	cmsg->cmsg_type = TLS_SET_RECORD_TYPE;
1115 	cmsg->cmsg_len = CMSG_LEN(sizeof(type));
1116 	*(uint8_t *)CMSG_DATA(cmsg) = type;
1117 
1118 	iov.iov_base = data;
1119 	iov.iov_len = len;
1120 	msg.msg_iov = &iov;
1121 	msg.msg_iovlen = 1;
1122 
1123 	ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len);
1124 }
1125 
1126 static void
1127 test_ktls_transmit_control(const atf_tc_t *tc, struct tls_enable *en,
1128     uint64_t seqno, uint8_t type, size_t len)
1129 {
1130 	struct tls_record_layer *hdr;
1131 	char *plaintext, *decrypted, *outbuf;
1132 	size_t outbuf_cap, payload_len, record_len;
1133 	ssize_t rv;
1134 	int sockets[2];
1135 	uint8_t record_type;
1136 
1137 	ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2);
1138 
1139 	plaintext = alloc_buffer(len);
1140 	decrypted = malloc(len);
1141 	outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en);
1142 	outbuf = malloc(outbuf_cap);
1143 	hdr = (struct tls_record_layer *)outbuf;
1144 
1145 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1146 
1147 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1148 	    sizeof(*en)) == 0);
1149 	check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1150 
1151 	fd_set_blocking(sockets[0]);
1152 	fd_set_blocking(sockets[1]);
1153 
1154 	ktls_send_control_message(sockets[1], type, plaintext, len);
1155 
1156 	/*
1157 	 * First read the header to determine how much additional data
1158 	 * to read.
1159 	 */
1160 	rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
1161 	ATF_REQUIRE(rv == sizeof(struct tls_record_layer));
1162 	payload_len = ntohs(hdr->tls_length);
1163 	record_len = payload_len + sizeof(struct tls_record_layer);
1164 	ATF_REQUIRE(record_len <= outbuf_cap);
1165 	rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
1166 	    payload_len);
1167 	ATF_REQUIRE(rv == (ssize_t)payload_len);
1168 
1169 	rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len,
1170 	    &record_type);
1171 
1172 	ATF_REQUIRE_MSG((ssize_t)len == rv,
1173 	    "read %zd decrypted bytes, but wrote %zu", rv, len);
1174 	ATF_REQUIRE(record_type == type);
1175 
1176 	ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0);
1177 
1178 	free(outbuf);
1179 	free(decrypted);
1180 	free(plaintext);
1181 
1182 	close_sockets(sockets);
1183 }
1184 
1185 static void
1186 test_ktls_transmit_empty_fragment(const atf_tc_t *tc, struct tls_enable *en,
1187     uint64_t seqno)
1188 {
1189 	struct tls_record_layer *hdr;
1190 	char *outbuf;
1191 	size_t outbuf_cap, payload_len, record_len;
1192 	ssize_t rv;
1193 	int sockets[2];
1194 	uint8_t record_type;
1195 
1196 	outbuf_cap = tls_header_len(en) + tls_trailer_len(en);
1197 	outbuf = malloc(outbuf_cap);
1198 	hdr = (struct tls_record_layer *)outbuf;
1199 
1200 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1201 
1202 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1203 	    sizeof(*en)) == 0);
1204 	check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE);
1205 
1206 	fd_set_blocking(sockets[0]);
1207 	fd_set_blocking(sockets[1]);
1208 
1209 	/*
1210 	 * A write of zero bytes should send an empty fragment only for
1211 	 * TLS 1.0, otherwise an error should be raised.
1212 	 */
1213 	rv = write(sockets[1], NULL, 0);
1214 	if (rv == 0) {
1215 		ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC);
1216 		ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO);
1217 	} else {
1218 		ATF_REQUIRE(rv == -1);
1219 		ATF_REQUIRE(errno == EINVAL);
1220 		goto out;
1221 	}
1222 
1223 	/*
1224 	 * First read the header to determine how much additional data
1225 	 * to read.
1226 	 */
1227 	rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
1228 	ATF_REQUIRE(rv == sizeof(struct tls_record_layer));
1229 	payload_len = ntohs(hdr->tls_length);
1230 	record_len = payload_len + sizeof(struct tls_record_layer);
1231 	ATF_REQUIRE(record_len <= outbuf_cap);
1232 	rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
1233 	    payload_len);
1234 	ATF_REQUIRE(rv == (ssize_t)payload_len);
1235 
1236 	rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0,
1237 	    &record_type);
1238 
1239 	ATF_REQUIRE_MSG(rv == 0,
1240 	    "read %zd decrypted bytes for an empty fragment", rv);
1241 	ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
1242 
1243 out:
1244 	free(outbuf);
1245 
1246 	close_sockets(sockets);
1247 }
1248 
1249 static size_t
1250 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type,
1251     void *data, size_t len)
1252 {
1253 	struct msghdr msg;
1254 	struct cmsghdr *cmsg;
1255 	struct tls_get_record *tgr;
1256 	char cbuf[CMSG_SPACE(sizeof(*tgr))];
1257 	struct iovec iov;
1258 	ssize_t rv;
1259 
1260 	memset(&msg, 0, sizeof(msg));
1261 
1262 	msg.msg_control = cbuf;
1263 	msg.msg_controllen = sizeof(cbuf);
1264 
1265 	iov.iov_base = data;
1266 	iov.iov_len = len;
1267 	msg.msg_iov = &iov;
1268 	msg.msg_iovlen = 1;
1269 
1270 	ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0);
1271 
1272 	ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR);
1273 
1274 	cmsg = CMSG_FIRSTHDR(&msg);
1275 	ATF_REQUIRE(cmsg != NULL);
1276 	ATF_REQUIRE(cmsg->cmsg_level == IPPROTO_TCP);
1277 	ATF_REQUIRE(cmsg->cmsg_type == TLS_GET_RECORD);
1278 	ATF_REQUIRE(cmsg->cmsg_len == CMSG_LEN(sizeof(*tgr)));
1279 
1280 	tgr = (struct tls_get_record *)CMSG_DATA(cmsg);
1281 	ATF_REQUIRE(tgr->tls_type == record_type);
1282 	ATF_REQUIRE(tgr->tls_vmajor == en->tls_vmajor);
1283 	/* XXX: Not sure if this is what OpenSSL expects? */
1284 	if (en->tls_vminor == TLS_MINOR_VER_THREE)
1285 		ATF_REQUIRE(tgr->tls_vminor == TLS_MINOR_VER_TWO);
1286 	else
1287 		ATF_REQUIRE(tgr->tls_vminor == en->tls_vminor);
1288 	ATF_REQUIRE(tgr->tls_length == htons(rv));
1289 
1290 	return (rv);
1291 }
1292 
1293 static void
1294 test_ktls_receive_app_data(const atf_tc_t *tc, struct tls_enable *en,
1295     uint64_t seqno, size_t len, size_t padding)
1296 {
1297 	struct kevent ev;
1298 	char *plaintext, *received, *outbuf;
1299 	size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written;
1300 	ssize_t rv;
1301 	int kq, sockets[2];
1302 
1303 	plaintext = alloc_buffer(len);
1304 	received = malloc(len);
1305 	outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 +
1306 	    tls_trailer_len(en);
1307 	outbuf = malloc(outbuf_cap);
1308 
1309 	ATF_REQUIRE((kq = kqueue()) != -1);
1310 
1311 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1312 
1313 	ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1314 	    sizeof(*en)) == 0);
1315 	check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE);
1316 
1317 	EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL);
1318 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1319 	EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL);
1320 	ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0);
1321 
1322 	received_len = 0;
1323 	outbuf_len = 0;
1324 	written = 0;
1325 
1326 	while (received_len != len) {
1327 		ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1);
1328 
1329 		switch (ev.filter) {
1330 		case EVFILT_WRITE:
1331 			/*
1332 			 * Compose the next TLS record to send.
1333 			 */
1334 			if (outbuf_len == 0) {
1335 				ATF_REQUIRE(written < len);
1336 				todo = len - written;
1337 				if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding)
1338 					todo = TLS_MAX_MSG_SIZE_V10_2 - padding;
1339 				outbuf_len = encrypt_tls_record(en,
1340 				    TLS_RLTYPE_APP, seqno, plaintext + written,
1341 				    todo, outbuf, outbuf_cap, padding);
1342 				outbuf_sent = 0;
1343 				written += todo;
1344 				seqno++;
1345 			}
1346 
1347 			/*
1348 			 * Try to write the remainder of the current
1349 			 * TLS record.
1350 			 */
1351 			rv = write(ev.ident, outbuf + outbuf_sent,
1352 			    outbuf_len - outbuf_sent);
1353 			ATF_REQUIRE_MSG(rv > 0,
1354 			    "failed to write to socket");
1355 			outbuf_sent += rv;
1356 			if (outbuf_sent == outbuf_len) {
1357 				outbuf_len = 0;
1358 				if (written == len) {
1359 					ev.flags = EV_DISABLE;
1360 					ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0,
1361 					    NULL) == 0);
1362 				}
1363 			}
1364 			break;
1365 
1366 		case EVFILT_READ:
1367 			ATF_REQUIRE((ev.flags & EV_EOF) == 0);
1368 
1369 			rv = ktls_receive_tls_record(en, ev.ident,
1370 			    TLS_RLTYPE_APP, received + received_len,
1371 			    len - received_len);
1372 			received_len += rv;
1373 			break;
1374 		}
1375 	}
1376 
1377 	ATF_REQUIRE_MSG(written == received_len,
1378 	    "read %zu decrypted bytes, but wrote %zu", received_len, written);
1379 
1380 	ATF_REQUIRE(memcmp(plaintext, received, len) == 0);
1381 
1382 	free(outbuf);
1383 	free(received);
1384 	free(plaintext);
1385 
1386 	close_sockets(sockets);
1387 	ATF_REQUIRE(close(kq) == 0);
1388 }
1389 
1390 #define	TLS_10_TESTS(M)							\
1391 	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
1392 	    CRYPTO_SHA1_HMAC)						\
1393 	M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8,			\
1394 	    CRYPTO_SHA1_HMAC)
1395 
1396 #define	TLS_13_TESTS(M)							\
1397 	M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1398 	    TLS_MINOR_VER_THREE)					\
1399 	M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0,		\
1400 	    TLS_MINOR_VER_THREE)					\
1401 	M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1402 	    TLS_MINOR_VER_THREE)
1403 
1404 #define	AES_CBC_TESTS(M)						\
1405 	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
1406 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)			\
1407 	M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8,			\
1408 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)			\
1409 	M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8,			\
1410 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE)			\
1411 	M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8,			\
1412 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE)			\
1413 	M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8,			\
1414 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO)			\
1415 	M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8,			\
1416 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO)			\
1417 	M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8,		\
1418 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO)			\
1419 	M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8,		\
1420 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO)			\
1421 	M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8,		\
1422 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO)			\
1423 	M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8,		\
1424 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO)			\
1425 
1426 #define AES_GCM_TESTS(M)						\
1427 	M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1428 	    TLS_MINOR_VER_TWO)						\
1429 	M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0,		\
1430 	    TLS_MINOR_VER_TWO)						\
1431 	M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1432 	    TLS_MINOR_VER_THREE)					\
1433 	M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0,		\
1434 	    TLS_MINOR_VER_THREE)
1435 
1436 #define CHACHA20_TESTS(M)						\
1437 	M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1438 	    TLS_MINOR_VER_TWO)						\
1439 	M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1440 	    TLS_MINOR_VER_THREE)
1441 
1442 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1443 	    auth_alg, minor, name, len)					\
1444 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name);		\
1445 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
1446 {									\
1447 	struct tls_enable en;						\
1448 	uint64_t seqno;							\
1449 									\
1450 	ATF_REQUIRE_KTLS();						\
1451 	seqno = random();						\
1452 	build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno,	\
1453 	    &en);							\
1454 	test_ktls_transmit_app_data(tc, &en, seqno, len);		\
1455 	free_tls_enable(&en);						\
1456 }
1457 
1458 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1459 	    auth_alg, minor, name)					\
1460 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
1461 
1462 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1463 	    auth_alg, minor, name, type, len)				\
1464 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name);		\
1465 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
1466 {									\
1467 	struct tls_enable en;						\
1468 	uint64_t seqno;							\
1469 									\
1470 	ATF_REQUIRE_KTLS();						\
1471 	seqno = random();						\
1472 	build_tls_enable(cipher_alg, key_size, auth_alg, minor,	seqno,	\
1473 	    &en);							\
1474 	test_ktls_transmit_control(tc, &en, seqno, type, len);		\
1475 	free_tls_enable(&en);						\
1476 }
1477 
1478 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1479 	    auth_alg, minor, name)					\
1480 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
1481 
1482 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
1483 	    key_size, auth_alg, minor)					\
1484 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment);	\
1485 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc)		\
1486 {									\
1487 	struct tls_enable en;						\
1488 	uint64_t seqno;							\
1489 									\
1490 	ATF_REQUIRE_KTLS();						\
1491 	seqno = random();						\
1492 	build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno,	\
1493 	    &en);							\
1494 	test_ktls_transmit_empty_fragment(tc, &en, seqno);		\
1495 	free_tls_enable(&en);						\
1496 }
1497 
1498 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
1499 	    key_size, auth_alg, minor)					\
1500 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
1501 
1502 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1503 	    minor)							\
1504 	GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1505 	    auth_alg, minor, short, 64)					\
1506 	GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1507 	    auth_alg, minor, long, 64 * 1024)				\
1508 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1509 	    auth_alg, minor, control, 0x21 /* Alert */, 32)
1510 
1511 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1512 	    minor)							\
1513 	ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1514 	    auth_alg, minor, short)					\
1515 	ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1516 	    auth_alg, minor, long)					\
1517 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1518 	    auth_alg, minor, control)
1519 
1520 /*
1521  * For each supported cipher suite, run three transmit tests:
1522  *
1523  * - a short test which sends 64 bytes of application data (likely as
1524  *   a single TLS record)
1525  *
1526  * - a long test which sends 64KB of application data (split across
1527  *   multiple TLS records)
1528  *
1529  * - a control test which sends a single record with a specific
1530  *   content type via sendmsg()
1531  */
1532 AES_CBC_TESTS(GEN_TRANSMIT_TESTS);
1533 AES_GCM_TESTS(GEN_TRANSMIT_TESTS);
1534 CHACHA20_TESTS(GEN_TRANSMIT_TESTS);
1535 
1536 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size,	\
1537 	    auth_alg, minor)						\
1538 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1539 	    auth_alg, minor, padding_1, 0x21 /* Alert */, 1)		\
1540 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1541 	    auth_alg, minor, padding_2, 0x21 /* Alert */, 2)		\
1542 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1543 	    auth_alg, minor, padding_3, 0x21 /* Alert */, 3)		\
1544 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1545 	    auth_alg, minor, padding_4, 0x21 /* Alert */, 4)		\
1546 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1547 	    auth_alg, minor, padding_5, 0x21 /* Alert */, 5)		\
1548 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1549 	    auth_alg, minor, padding_6, 0x21 /* Alert */, 6)		\
1550 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1551 	    auth_alg, minor, padding_7, 0x21 /* Alert */, 7)		\
1552 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1553 	    auth_alg, minor, padding_8, 0x21 /* Alert */, 8)		\
1554 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1555 	    auth_alg, minor, padding_9, 0x21 /* Alert */, 9)		\
1556 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1557 	    auth_alg, minor, padding_10, 0x21 /* Alert */, 10)		\
1558 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1559 	    auth_alg, minor, padding_11, 0x21 /* Alert */, 11)		\
1560 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1561 	    auth_alg, minor, padding_12, 0x21 /* Alert */, 12)		\
1562 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1563 	    auth_alg, minor, padding_13, 0x21 /* Alert */, 13)		\
1564 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1565 	    auth_alg, minor, padding_14, 0x21 /* Alert */, 14)		\
1566 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1567 	    auth_alg, minor, padding_15, 0x21 /* Alert */, 15)		\
1568 	GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1569 	    auth_alg, minor, padding_16, 0x21 /* Alert */, 16)
1570 
1571 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size,	\
1572 	    auth_alg, minor)						\
1573 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1574 	    auth_alg, minor, padding_1)					\
1575 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1576 	    auth_alg, minor, padding_2)					\
1577 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1578 	    auth_alg, minor, padding_3)					\
1579 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1580 	    auth_alg, minor, padding_4)					\
1581 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1582 	    auth_alg, minor, padding_5)					\
1583 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1584 	    auth_alg, minor, padding_6)					\
1585 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1586 	    auth_alg, minor, padding_7)					\
1587 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1588 	    auth_alg, minor, padding_8)					\
1589 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1590 	    auth_alg, minor, padding_9)					\
1591 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1592 	    auth_alg, minor, padding_10)				\
1593 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1594 	    auth_alg, minor, padding_11)				\
1595 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1596 	    auth_alg, minor, padding_12)				\
1597 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1598 	    auth_alg, minor, padding_13)				\
1599 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1600 	    auth_alg, minor, padding_14)				\
1601 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1602 	    auth_alg, minor, padding_15)				\
1603 	ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size,	\
1604 	    auth_alg, minor, padding_16)
1605 
1606 /*
1607  * For AES-CBC MTE cipher suites using padding, add tests of messages
1608  * with each possible padding size.  Note that the padding_<N> tests
1609  * do not necessarily test <N> bytes of padding as the padding is a
1610  * function of the cipher suite's MAC length.  However, cycling
1611  * through all of the payload sizes from 1 to 16 should exercise all
1612  * of the possible padding lengths for each suite.
1613  */
1614 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS);
1615 
1616 /*
1617  * Test "empty fragments" which are TLS records with no payload that
1618  * OpenSSL can send for TLS 1.0 connections.
1619  */
1620 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
1621 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
1622 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
1623 
1624 static void
1625 test_ktls_invalid_transmit_cipher_suite(const atf_tc_t *tc,
1626     struct tls_enable *en)
1627 {
1628 	int sockets[2];
1629 
1630 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1631 
1632 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
1633 	    sizeof(*en)) == -1);
1634 	ATF_REQUIRE(errno == EINVAL);
1635 
1636 	close_sockets(sockets);
1637 }
1638 
1639 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg,	\
1640 	    minor)							\
1641 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name);			\
1642 ATF_TC_BODY(ktls_transmit_invalid_##name, tc)				\
1643 {									\
1644 	struct tls_enable en;						\
1645 	uint64_t seqno;							\
1646 									\
1647 	ATF_REQUIRE_KTLS();						\
1648 	seqno = random();						\
1649 	build_tls_enable(cipher_alg, key_size, auth_alg, minor,	seqno,	\
1650 	    &en);							\
1651 	test_ktls_invalid_transmit_cipher_suite(tc, &en);		\
1652 	free_tls_enable(&en);						\
1653 }
1654 
1655 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \
1656 	    minor)							\
1657 	ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name);
1658 
1659 #define	INVALID_CIPHER_SUITES(M)					\
1660 	M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8,		\
1661 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO)			\
1662 	M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8,		\
1663 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO)			\
1664 	M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1665 	    TLS_MINOR_VER_ZERO)						\
1666 	M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1667 	    TLS_MINOR_VER_ZERO)						\
1668 	M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8,		\
1669 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE)			\
1670 	M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8,		\
1671 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE)			\
1672 	M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,		\
1673 	    TLS_MINOR_VER_ONE)						\
1674 	M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0,	\
1675 	    TLS_MINOR_VER_ONE)						\
1676 	M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8,			\
1677 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE)			\
1678 	M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8,		\
1679 	    CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE)			\
1680 	M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8,		\
1681 	    CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE)
1682 
1683 /*
1684  * Ensure that invalid cipher suites are rejected for transmit.
1685  */
1686 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST);
1687 
1688 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1689 	    auth_alg, minor, name, len, padding)			\
1690 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name);		\
1691 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc)			\
1692 {									\
1693 	struct tls_enable en;						\
1694 	uint64_t seqno;							\
1695 									\
1696 	ATF_REQUIRE_KTLS();						\
1697 	seqno = random();						\
1698 	build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno,	\
1699 	    &en);							\
1700 	test_ktls_receive_app_data(tc, &en, seqno, len, padding);	\
1701 	free_tls_enable(&en);						\
1702 }
1703 
1704 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1705 	    auth_alg, minor, name)					\
1706 	ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name);
1707 
1708 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1709 	    minor)							\
1710 	GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1711 	    auth_alg, minor, short, 64, 0)				\
1712 	GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1713 	    auth_alg, minor, long, 64 * 1024, 0)
1714 
1715 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
1716 	    minor)							\
1717 	ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1718 	    auth_alg, minor, short)					\
1719 	ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1720 	    auth_alg, minor, long)
1721 
1722 /*
1723  * For each supported cipher suite, run two receive tests:
1724  *
1725  * - a short test which sends 64 bytes of application data (likely as
1726  *   a single TLS record)
1727  *
1728  * - a long test which sends 64KB of application data (split across
1729  *   multiple TLS records)
1730  *
1731  * Note that receive is currently only supported for TLS 1.2 AEAD
1732  * cipher suites.
1733  */
1734 AES_GCM_TESTS(GEN_RECEIVE_TESTS);
1735 CHACHA20_TESTS(GEN_RECEIVE_TESTS);
1736 
1737 #define GEN_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size,	\
1738 	    auth_alg, minor)						\
1739 	GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1740 	    auth_alg, minor, short_padded, 64, 16)			\
1741 	GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1742 	    auth_alg, minor, long_padded, 64 * 1024, 15)
1743 
1744 #define ADD_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size,	\
1745 	    auth_alg, minor)						\
1746 	ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1747 	    auth_alg, minor, short_padded)				\
1748 	ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
1749 	    auth_alg, minor, long_padded)
1750 
1751 /*
1752  * For TLS 1.3 cipher suites, run two additional receive tests which
1753  * use add padding to each record.
1754  */
1755 TLS_13_TESTS(GEN_PADDING_RECEIVE_TESTS);
1756 
1757 static void
1758 test_ktls_invalid_receive_cipher_suite(const atf_tc_t *tc,
1759     struct tls_enable *en)
1760 {
1761 	int sockets[2];
1762 
1763 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1764 
1765 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1766 	    sizeof(*en)) == -1);
1767 	ATF_REQUIRE(errno == EINVAL);
1768 
1769 	close_sockets(sockets);
1770 }
1771 
1772 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg,	\
1773 	    minor)							\
1774 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name);			\
1775 ATF_TC_BODY(ktls_receive_invalid_##name, tc)				\
1776 {									\
1777 	struct tls_enable en;						\
1778 	uint64_t seqno;							\
1779 									\
1780 	ATF_REQUIRE_KTLS();						\
1781 	seqno = random();						\
1782 	build_tls_enable(cipher_alg, key_size, auth_alg, minor,	seqno,	\
1783 	    &en);							\
1784 	test_ktls_invalid_receive_cipher_suite(tc, &en);		\
1785 	free_tls_enable(&en);						\
1786 }
1787 
1788 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg,	\
1789 	    minor)							\
1790 	ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name);
1791 
1792 /*
1793  * Ensure that invalid cipher suites are rejected for receive.
1794  */
1795 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST);
1796 
1797 static void
1798 test_ktls_unsupported_receive_cipher_suite(const atf_tc_t *tc,
1799     struct tls_enable *en)
1800 {
1801 	int sockets[2];
1802 
1803 	ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets");
1804 
1805 	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en,
1806 	    sizeof(*en)) == -1);
1807 	ATF_REQUIRE(errno == EPROTONOSUPPORT);
1808 
1809 	close_sockets(sockets);
1810 }
1811 
1812 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size,	\
1813 	    auth_alg, minor)						\
1814 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name);			\
1815 ATF_TC_BODY(ktls_receive_unsupported_##name, tc)			\
1816 {									\
1817 	struct tls_enable en;						\
1818 	uint64_t seqno;							\
1819 									\
1820 	ATF_REQUIRE_KTLS();						\
1821 	seqno = random();						\
1822 	build_tls_enable(cipher_alg, key_size, auth_alg, minor,	seqno,	\
1823 	    &en);							\
1824 	test_ktls_unsupported_receive_cipher_suite(tc, &en);		\
1825 	free_tls_enable(&en);						\
1826 }
1827 
1828 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size,	\
1829 	    auth_alg, minor)						\
1830 	ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name);
1831 
1832 /*
1833  * Ensure that valid cipher suites not supported for receive are
1834  * rejected.
1835  */
1836 AES_CBC_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST);
1837 
1838 /*
1839  * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise
1840  * KTLS error handling in the socket layer.
1841  */
1842 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst);
1843 ATF_TC_BODY(ktls_sendto_baddst, tc)
1844 {
1845 	char buf[32];
1846 	struct sockaddr_in dst;
1847 	struct tls_enable en;
1848 	ssize_t n;
1849 	int s;
1850 
1851 	ATF_REQUIRE_KTLS();
1852 
1853 	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
1854 	ATF_REQUIRE(s >= 0);
1855 
1856 	build_tls_enable(CRYPTO_AES_NIST_GCM_16, 128 / 8, 0,
1857 	    TLS_MINOR_VER_THREE, (uint64_t)random(), &en);
1858 
1859 	ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en,
1860 	    sizeof(en)) == 0);
1861 
1862 	memset(&dst, 0, sizeof(dst));
1863 	dst.sin_family = AF_INET;
1864 	dst.sin_len = sizeof(dst);
1865 	dst.sin_addr.s_addr = htonl(INADDR_BROADCAST);
1866 	dst.sin_port = htons(12345);
1867 
1868 	memset(buf, 0, sizeof(buf));
1869 	n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst,
1870 	    sizeof(dst));
1871 
1872 	/* Can't transmit to the broadcast address over TCP. */
1873 	ATF_REQUIRE_ERRNO(EACCES, n == -1);
1874 	ATF_REQUIRE(close(s) == 0);
1875 }
1876 
1877 ATF_TP_ADD_TCS(tp)
1878 {
1879 	/* Transmit tests */
1880 	AES_CBC_TESTS(ADD_TRANSMIT_TESTS);
1881 	AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
1882 	CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
1883 	AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
1884 	AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
1885 	AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
1886 	CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
1887 	INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST);
1888 
1889 	/* Receive tests */
1890 	AES_CBC_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST);
1891 	AES_GCM_TESTS(ADD_RECEIVE_TESTS);
1892 	CHACHA20_TESTS(ADD_RECEIVE_TESTS);
1893 	TLS_13_TESTS(ADD_PADDING_RECEIVE_TESTS);
1894 	INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST);
1895 
1896 	/* Miscellaneous */
1897 	ATF_TP_ADD_TC(tp, ktls_sendto_baddst);
1898 
1899 	return (atf_no_error());
1900 }
1901