1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Netflix Inc. 5 * Written by: John Baldwin <jhb@FreeBSD.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/param.h> 30 #include <sys/endian.h> 31 #include <sys/event.h> 32 #include <sys/ktls.h> 33 #include <sys/socket.h> 34 #include <sys/sysctl.h> 35 #include <netinet/in.h> 36 #include <netinet/tcp.h> 37 #include <crypto/cryptodev.h> 38 #include <assert.h> 39 #include <err.h> 40 #include <fcntl.h> 41 #include <netdb.h> 42 #include <poll.h> 43 #include <stdbool.h> 44 #include <stdlib.h> 45 #include <atf-c.h> 46 47 #include <openssl/err.h> 48 #include <openssl/evp.h> 49 #include <openssl/hmac.h> 50 51 static void 52 require_ktls(void) 53 { 54 size_t len; 55 bool enable; 56 57 len = sizeof(enable); 58 if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) { 59 if (errno == ENOENT) 60 atf_tc_skip("kernel does not support TLS offload"); 61 atf_libc_error(errno, "Failed to read kern.ipc.tls.enable"); 62 } 63 64 if (!enable) 65 atf_tc_skip("Kernel TLS is disabled"); 66 } 67 68 #define ATF_REQUIRE_KTLS() require_ktls() 69 70 static void 71 check_tls_mode(const atf_tc_t *tc, int s, int sockopt) 72 { 73 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_ifnet", false)) { 74 socklen_t len; 75 int mode; 76 77 len = sizeof(mode); 78 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1) 79 atf_libc_error(errno, "Failed to fetch TLS mode"); 80 81 if (mode != TCP_TLS_MODE_IFNET) 82 atf_tc_skip("connection did not use ifnet TLS"); 83 } 84 85 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_toe", false)) { 86 socklen_t len; 87 int mode; 88 89 len = sizeof(mode); 90 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1) 91 atf_libc_error(errno, "Failed to fetch TLS mode"); 92 93 if (mode != TCP_TLS_MODE_TOE) 94 atf_tc_skip("connection did not use TOE TLS"); 95 } 96 } 97 98 static char 99 rdigit(void) 100 { 101 /* ASCII printable values between 0x20 and 0x7e */ 102 return (0x20 + random() % (0x7f - 0x20)); 103 } 104 105 static char * 106 alloc_buffer(size_t len) 107 { 108 char *buf; 109 size_t i; 110 111 if (len == 0) 112 return (NULL); 113 buf = malloc(len); 114 for (i = 0; i < len; i++) 115 buf[i] = rdigit(); 116 return (buf); 117 } 118 119 static bool 120 socketpair_tcp(int sv[2]) 121 { 122 struct pollfd pfd; 123 struct sockaddr_in sin; 124 socklen_t len; 125 int as, cs, ls; 126 127 ls = socket(PF_INET, SOCK_STREAM, 0); 128 if (ls == -1) { 129 warn("socket() for listen"); 130 return (false); 131 } 132 133 memset(&sin, 0, sizeof(sin)); 134 sin.sin_len = sizeof(sin); 135 sin.sin_family = AF_INET; 136 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 137 if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 138 warn("bind"); 139 close(ls); 140 return (false); 141 } 142 143 if (listen(ls, 1) == -1) { 144 warn("listen"); 145 close(ls); 146 return (false); 147 } 148 149 len = sizeof(sin); 150 if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) { 151 warn("getsockname"); 152 close(ls); 153 return (false); 154 } 155 156 cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); 157 if (cs == -1) { 158 warn("socket() for connect"); 159 close(ls); 160 return (false); 161 } 162 163 if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 164 if (errno != EINPROGRESS) { 165 warn("connect"); 166 close(ls); 167 close(cs); 168 return (false); 169 } 170 } 171 172 as = accept4(ls, NULL, NULL, SOCK_NONBLOCK); 173 if (as == -1) { 174 warn("accept4"); 175 close(ls); 176 close(cs); 177 return (false); 178 } 179 180 close(ls); 181 182 pfd.fd = cs; 183 pfd.events = POLLOUT; 184 pfd.revents = 0; 185 ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1); 186 ATF_REQUIRE(pfd.revents == POLLOUT); 187 188 sv[0] = cs; 189 sv[1] = as; 190 return (true); 191 } 192 193 static bool 194 echo_socket(const atf_tc_t *tc, int sv[2]) 195 { 196 const char *cause, *host, *port; 197 struct addrinfo hints, *ai, *tofree; 198 int error, flags, s; 199 200 host = atf_tc_get_config_var(tc, "ktls.host"); 201 port = atf_tc_get_config_var_wd(tc, "ktls.port", "echo"); 202 memset(&hints, 0, sizeof(hints)); 203 hints.ai_family = AF_UNSPEC; 204 hints.ai_socktype = SOCK_STREAM; 205 hints.ai_protocol = IPPROTO_TCP; 206 error = getaddrinfo(host, port, &hints, &tofree); 207 if (error != 0) { 208 warnx("getaddrinfo(%s:%s) failed: %s", host, port, 209 gai_strerror(error)); 210 return (false); 211 } 212 213 cause = NULL; 214 for (ai = tofree; ai != NULL; ai = ai->ai_next) { 215 s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 216 if (s == -1) { 217 cause = "socket"; 218 error = errno; 219 continue; 220 } 221 222 if (connect(s, ai->ai_addr, ai->ai_addrlen) == -1) { 223 cause = "connect"; 224 error = errno; 225 close(s); 226 continue; 227 } 228 229 freeaddrinfo(tofree); 230 231 ATF_REQUIRE((flags = fcntl(s, F_GETFL)) != -1); 232 flags |= O_NONBLOCK; 233 ATF_REQUIRE(fcntl(s, F_SETFL, flags) != -1); 234 235 sv[0] = s; 236 sv[1] = s; 237 return (true); 238 } 239 240 warnc(error, "%s", cause); 241 freeaddrinfo(tofree); 242 return (false); 243 } 244 245 static bool 246 open_sockets(const atf_tc_t *tc, int sv[2]) 247 { 248 if (atf_tc_has_config_var(tc, "ktls.host")) 249 return (echo_socket(tc, sv)); 250 else 251 return (socketpair_tcp(sv)); 252 } 253 254 static void 255 close_sockets(int sv[2]) 256 { 257 if (sv[0] != sv[1]) 258 ATF_REQUIRE(close(sv[1]) == 0); 259 ATF_REQUIRE(close(sv[0]) == 0); 260 } 261 262 static void 263 fd_set_blocking(int fd) 264 { 265 int flags; 266 267 ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1); 268 flags &= ~O_NONBLOCK; 269 ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1); 270 } 271 272 static bool 273 cbc_crypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 274 const char *input, char *output, size_t size, int enc) 275 { 276 EVP_CIPHER_CTX *ctx; 277 int outl, total; 278 279 ctx = EVP_CIPHER_CTX_new(); 280 if (ctx == NULL) { 281 warnx("EVP_CIPHER_CTX_new failed: %s", 282 ERR_error_string(ERR_get_error(), NULL)); 283 return (false); 284 } 285 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key, 286 (const u_char *)iv, enc) != 1) { 287 warnx("EVP_CipherInit_ex failed: %s", 288 ERR_error_string(ERR_get_error(), NULL)); 289 EVP_CIPHER_CTX_free(ctx); 290 return (false); 291 } 292 EVP_CIPHER_CTX_set_padding(ctx, 0); 293 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl, 294 (const u_char *)input, size) != 1) { 295 warnx("EVP_CipherUpdate failed: %s", 296 ERR_error_string(ERR_get_error(), NULL)); 297 EVP_CIPHER_CTX_free(ctx); 298 return (false); 299 } 300 total = outl; 301 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 302 warnx("EVP_CipherFinal_ex failed: %s", 303 ERR_error_string(ERR_get_error(), NULL)); 304 EVP_CIPHER_CTX_free(ctx); 305 return (false); 306 } 307 total += outl; 308 if ((size_t)total != size) { 309 warnx("decrypt size mismatch: %zu vs %d", size, total); 310 EVP_CIPHER_CTX_free(ctx); 311 return (false); 312 } 313 EVP_CIPHER_CTX_free(ctx); 314 return (true); 315 } 316 317 static bool 318 cbc_encrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 319 const char *input, char *output, size_t size) 320 { 321 return (cbc_crypt(cipher, key, iv, input, output, size, 1)); 322 } 323 324 static bool 325 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 326 const char *input, char *output, size_t size) 327 { 328 return (cbc_crypt(cipher, key, iv, input, output, size, 0)); 329 } 330 331 static bool 332 compute_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 333 size_t aad_len, const void *buffer, size_t len, void *digest, 334 u_int *digest_len) 335 { 336 HMAC_CTX *ctx; 337 338 ctx = HMAC_CTX_new(); 339 if (ctx == NULL) { 340 warnx("HMAC_CTX_new failed: %s", 341 ERR_error_string(ERR_get_error(), NULL)); 342 return (false); 343 } 344 if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) { 345 warnx("HMAC_Init_ex failed: %s", 346 ERR_error_string(ERR_get_error(), NULL)); 347 HMAC_CTX_free(ctx); 348 return (false); 349 } 350 if (HMAC_Update(ctx, aad, aad_len) != 1) { 351 warnx("HMAC_Update (aad) failed: %s", 352 ERR_error_string(ERR_get_error(), NULL)); 353 HMAC_CTX_free(ctx); 354 return (false); 355 } 356 if (HMAC_Update(ctx, buffer, len) != 1) { 357 warnx("HMAC_Update (payload) failed: %s", 358 ERR_error_string(ERR_get_error(), NULL)); 359 HMAC_CTX_free(ctx); 360 return (false); 361 } 362 if (HMAC_Final(ctx, digest, digest_len) != 1) { 363 warnx("HMAC_Final failed: %s", 364 ERR_error_string(ERR_get_error(), NULL)); 365 HMAC_CTX_free(ctx); 366 return (false); 367 } 368 HMAC_CTX_free(ctx); 369 return (true); 370 } 371 372 static bool 373 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 374 size_t aad_len, const void *buffer, size_t len, const void *digest) 375 { 376 unsigned char digest2[EVP_MAX_MD_SIZE]; 377 u_int digest_len; 378 379 if (!compute_hash(md, key, key_len, aad, aad_len, buffer, len, digest2, 380 &digest_len)) 381 return (false); 382 if (memcmp(digest, digest2, digest_len) != 0) { 383 warnx("HMAC mismatch"); 384 return (false); 385 } 386 return (true); 387 } 388 389 static bool 390 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 391 const void *aad, size_t aad_len, const char *input, char *output, 392 size_t size, char *tag, size_t tag_len) 393 { 394 EVP_CIPHER_CTX *ctx; 395 int outl, total; 396 397 ctx = EVP_CIPHER_CTX_new(); 398 if (ctx == NULL) { 399 warnx("EVP_CIPHER_CTX_new failed: %s", 400 ERR_error_string(ERR_get_error(), NULL)); 401 return (false); 402 } 403 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 404 (const u_char *)nonce) != 1) { 405 warnx("EVP_EncryptInit_ex failed: %s", 406 ERR_error_string(ERR_get_error(), NULL)); 407 EVP_CIPHER_CTX_free(ctx); 408 return (false); 409 } 410 EVP_CIPHER_CTX_set_padding(ctx, 0); 411 if (aad != NULL) { 412 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 413 aad_len) != 1) { 414 warnx("EVP_EncryptUpdate for AAD failed: %s", 415 ERR_error_string(ERR_get_error(), NULL)); 416 EVP_CIPHER_CTX_free(ctx); 417 return (false); 418 } 419 } 420 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl, 421 (const u_char *)input, size) != 1) { 422 warnx("EVP_EncryptUpdate failed: %s", 423 ERR_error_string(ERR_get_error(), NULL)); 424 EVP_CIPHER_CTX_free(ctx); 425 return (false); 426 } 427 total = outl; 428 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 429 warnx("EVP_EncryptFinal_ex failed: %s", 430 ERR_error_string(ERR_get_error(), NULL)); 431 EVP_CIPHER_CTX_free(ctx); 432 return (false); 433 } 434 total += outl; 435 if ((size_t)total != size) { 436 warnx("encrypt size mismatch: %zu vs %d", size, total); 437 EVP_CIPHER_CTX_free(ctx); 438 return (false); 439 } 440 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) != 441 1) { 442 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s", 443 ERR_error_string(ERR_get_error(), NULL)); 444 EVP_CIPHER_CTX_free(ctx); 445 return (false); 446 } 447 EVP_CIPHER_CTX_free(ctx); 448 return (true); 449 } 450 451 static bool 452 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 453 const void *aad, size_t aad_len, const char *input, char *output, 454 size_t size, const char *tag, size_t tag_len) 455 { 456 EVP_CIPHER_CTX *ctx; 457 int outl, total; 458 bool valid; 459 460 ctx = EVP_CIPHER_CTX_new(); 461 if (ctx == NULL) { 462 warnx("EVP_CIPHER_CTX_new failed: %s", 463 ERR_error_string(ERR_get_error(), NULL)); 464 return (false); 465 } 466 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 467 (const u_char *)nonce) != 1) { 468 warnx("EVP_DecryptInit_ex failed: %s", 469 ERR_error_string(ERR_get_error(), NULL)); 470 EVP_CIPHER_CTX_free(ctx); 471 return (false); 472 } 473 EVP_CIPHER_CTX_set_padding(ctx, 0); 474 if (aad != NULL) { 475 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 476 aad_len) != 1) { 477 warnx("EVP_DecryptUpdate for AAD failed: %s", 478 ERR_error_string(ERR_get_error(), NULL)); 479 EVP_CIPHER_CTX_free(ctx); 480 return (false); 481 } 482 } 483 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl, 484 (const u_char *)input, size) != 1) { 485 warnx("EVP_DecryptUpdate failed: %s", 486 ERR_error_string(ERR_get_error(), NULL)); 487 EVP_CIPHER_CTX_free(ctx); 488 return (false); 489 } 490 total = outl; 491 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, 492 __DECONST(char *, tag)) != 1) { 493 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s", 494 ERR_error_string(ERR_get_error(), NULL)); 495 EVP_CIPHER_CTX_free(ctx); 496 return (false); 497 } 498 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1); 499 total += outl; 500 if ((size_t)total != size) { 501 warnx("decrypt size mismatch: %zu vs %d", size, total); 502 EVP_CIPHER_CTX_free(ctx); 503 return (false); 504 } 505 if (!valid) 506 warnx("tag mismatch"); 507 EVP_CIPHER_CTX_free(ctx); 508 return (valid); 509 } 510 511 static void 512 build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg, 513 int minor, uint64_t seqno, struct tls_enable *en) 514 { 515 u_int auth_key_len, iv_len; 516 517 memset(en, 0, sizeof(*en)); 518 519 switch (cipher_alg) { 520 case CRYPTO_AES_CBC: 521 if (minor == TLS_MINOR_VER_ZERO) 522 iv_len = AES_BLOCK_LEN; 523 else 524 iv_len = 0; 525 break; 526 case CRYPTO_AES_NIST_GCM_16: 527 if (minor == TLS_MINOR_VER_TWO) 528 iv_len = TLS_AEAD_GCM_LEN; 529 else 530 iv_len = TLS_1_3_GCM_IV_LEN; 531 break; 532 case CRYPTO_CHACHA20_POLY1305: 533 iv_len = TLS_CHACHA20_IV_LEN; 534 break; 535 default: 536 iv_len = 0; 537 break; 538 } 539 switch (auth_alg) { 540 case CRYPTO_SHA1_HMAC: 541 auth_key_len = SHA1_HASH_LEN; 542 break; 543 case CRYPTO_SHA2_256_HMAC: 544 auth_key_len = SHA2_256_HASH_LEN; 545 break; 546 case CRYPTO_SHA2_384_HMAC: 547 auth_key_len = SHA2_384_HASH_LEN; 548 break; 549 default: 550 auth_key_len = 0; 551 break; 552 } 553 en->cipher_key = alloc_buffer(cipher_key_len); 554 en->iv = alloc_buffer(iv_len); 555 en->auth_key = alloc_buffer(auth_key_len); 556 en->cipher_algorithm = cipher_alg; 557 en->cipher_key_len = cipher_key_len; 558 en->iv_len = iv_len; 559 en->auth_algorithm = auth_alg; 560 en->auth_key_len = auth_key_len; 561 en->tls_vmajor = TLS_MAJOR_VER_ONE; 562 en->tls_vminor = minor; 563 be64enc(en->rec_seq, seqno); 564 } 565 566 static void 567 free_tls_enable(struct tls_enable *en) 568 { 569 free(__DECONST(void *, en->cipher_key)); 570 free(__DECONST(void *, en->iv)); 571 free(__DECONST(void *, en->auth_key)); 572 } 573 574 static const EVP_CIPHER * 575 tls_EVP_CIPHER(const struct tls_enable *en) 576 { 577 switch (en->cipher_algorithm) { 578 case CRYPTO_AES_CBC: 579 switch (en->cipher_key_len) { 580 case 128 / 8: 581 return (EVP_aes_128_cbc()); 582 case 256 / 8: 583 return (EVP_aes_256_cbc()); 584 default: 585 return (NULL); 586 } 587 break; 588 case CRYPTO_AES_NIST_GCM_16: 589 switch (en->cipher_key_len) { 590 case 128 / 8: 591 return (EVP_aes_128_gcm()); 592 case 256 / 8: 593 return (EVP_aes_256_gcm()); 594 default: 595 return (NULL); 596 } 597 break; 598 case CRYPTO_CHACHA20_POLY1305: 599 return (EVP_chacha20_poly1305()); 600 default: 601 return (NULL); 602 } 603 } 604 605 static const EVP_MD * 606 tls_EVP_MD(const struct tls_enable *en) 607 { 608 switch (en->auth_algorithm) { 609 case CRYPTO_SHA1_HMAC: 610 return (EVP_sha1()); 611 case CRYPTO_SHA2_256_HMAC: 612 return (EVP_sha256()); 613 case CRYPTO_SHA2_384_HMAC: 614 return (EVP_sha384()); 615 default: 616 return (NULL); 617 } 618 } 619 620 static size_t 621 tls_header_len(struct tls_enable *en) 622 { 623 size_t len; 624 625 len = sizeof(struct tls_record_layer); 626 switch (en->cipher_algorithm) { 627 case CRYPTO_AES_CBC: 628 if (en->tls_vminor != TLS_MINOR_VER_ZERO) 629 len += AES_BLOCK_LEN; 630 return (len); 631 case CRYPTO_AES_NIST_GCM_16: 632 if (en->tls_vminor == TLS_MINOR_VER_TWO) 633 len += sizeof(uint64_t); 634 return (len); 635 case CRYPTO_CHACHA20_POLY1305: 636 return (len); 637 default: 638 return (0); 639 } 640 } 641 642 static size_t 643 tls_mac_len(struct tls_enable *en) 644 { 645 switch (en->cipher_algorithm) { 646 case CRYPTO_AES_CBC: 647 switch (en->auth_algorithm) { 648 case CRYPTO_SHA1_HMAC: 649 return (SHA1_HASH_LEN); 650 case CRYPTO_SHA2_256_HMAC: 651 return (SHA2_256_HASH_LEN); 652 case CRYPTO_SHA2_384_HMAC: 653 return (SHA2_384_HASH_LEN); 654 default: 655 return (0); 656 } 657 case CRYPTO_AES_NIST_GCM_16: 658 return (AES_GMAC_HASH_LEN); 659 case CRYPTO_CHACHA20_POLY1305: 660 return (POLY1305_HASH_LEN); 661 default: 662 return (0); 663 } 664 } 665 666 /* Includes maximum padding for MTE. */ 667 static size_t 668 tls_trailer_len(struct tls_enable *en) 669 { 670 size_t len; 671 672 len = tls_mac_len(en); 673 if (en->cipher_algorithm == CRYPTO_AES_CBC) 674 len += AES_BLOCK_LEN; 675 if (en->tls_vminor == TLS_MINOR_VER_THREE) 676 len++; 677 return (len); 678 } 679 680 /* Minimum valid record payload size for a given cipher suite. */ 681 static size_t 682 tls_minimum_record_payload(struct tls_enable *en) 683 { 684 size_t len; 685 686 len = tls_header_len(en); 687 if (en->cipher_algorithm == CRYPTO_AES_CBC) 688 len += roundup2(tls_mac_len(en) + 1, AES_BLOCK_LEN); 689 else 690 len += tls_mac_len(en); 691 if (en->tls_vminor == TLS_MINOR_VER_THREE) 692 len++; 693 return (len - sizeof(struct tls_record_layer)); 694 } 695 696 /* 'len' is the length of the payload application data. */ 697 static void 698 tls_mte_aad(struct tls_enable *en, size_t len, 699 const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad) 700 { 701 ad->seq = htobe64(seqno); 702 ad->type = hdr->tls_type; 703 ad->tls_vmajor = hdr->tls_vmajor; 704 ad->tls_vminor = hdr->tls_vminor; 705 ad->tls_length = htons(len); 706 } 707 708 static void 709 tls_12_aead_aad(struct tls_enable *en, size_t len, 710 const struct tls_record_layer *hdr, uint64_t seqno, 711 struct tls_aead_data *ad) 712 { 713 ad->seq = htobe64(seqno); 714 ad->type = hdr->tls_type; 715 ad->tls_vmajor = hdr->tls_vmajor; 716 ad->tls_vminor = hdr->tls_vminor; 717 ad->tls_length = htons(len); 718 } 719 720 static void 721 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr, 722 uint64_t seqno, struct tls_aead_data_13 *ad) 723 { 724 ad->type = hdr->tls_type; 725 ad->tls_vmajor = hdr->tls_vmajor; 726 ad->tls_vminor = hdr->tls_vminor; 727 ad->tls_length = hdr->tls_length; 728 } 729 730 static void 731 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr, 732 char *nonce) 733 { 734 memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN); 735 memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 736 } 737 738 static void 739 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce) 740 { 741 static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN, 742 "TLS 1.3 nonce length mismatch"); 743 memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN); 744 *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 745 } 746 747 /* 748 * Decrypt a TLS record 'len' bytes long at 'src' and store the result at 749 * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't 750 * have sufficient room ('avail'), fail the test. 751 */ 752 static size_t 753 decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src, 754 size_t len, void *dst, size_t avail, uint8_t *record_type) 755 { 756 const struct tls_record_layer *hdr; 757 struct tls_mac_data aad; 758 const char *iv; 759 char *buf; 760 size_t hdr_len, mac_len, payload_len; 761 int padding; 762 763 hdr = src; 764 hdr_len = tls_header_len(en); 765 mac_len = tls_mac_len(en); 766 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 767 ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor); 768 769 /* First, decrypt the outer payload into a temporary buffer. */ 770 payload_len = len - hdr_len; 771 buf = malloc(payload_len); 772 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 773 iv = en->iv; 774 else 775 iv = (void *)(hdr + 1); 776 ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 777 (const u_char *)src + hdr_len, buf, payload_len)); 778 779 /* 780 * Copy the last encrypted block to use as the IV for the next 781 * record for TLS 1.0. 782 */ 783 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 784 memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src + 785 (len - AES_BLOCK_LEN), AES_BLOCK_LEN); 786 787 /* 788 * Verify trailing padding and strip. 789 * 790 * The kernel always generates the smallest amount of padding. 791 */ 792 padding = buf[payload_len - 1] + 1; 793 ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN); 794 ATF_REQUIRE(payload_len >= mac_len + padding); 795 payload_len -= padding; 796 797 /* Verify HMAC. */ 798 payload_len -= mac_len; 799 tls_mte_aad(en, payload_len, hdr, seqno, &aad); 800 ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 801 &aad, sizeof(aad), buf, payload_len, buf + payload_len)); 802 803 ATF_REQUIRE(payload_len <= avail); 804 memcpy(dst, buf, payload_len); 805 *record_type = hdr->tls_type; 806 return (payload_len); 807 } 808 809 static size_t 810 decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src, 811 size_t len, void *dst, uint8_t *record_type) 812 { 813 const struct tls_record_layer *hdr; 814 struct tls_aead_data aad; 815 char nonce[12]; 816 size_t hdr_len, mac_len, payload_len; 817 818 hdr = src; 819 820 hdr_len = tls_header_len(en); 821 mac_len = tls_mac_len(en); 822 payload_len = len - (hdr_len + mac_len); 823 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 824 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 825 826 tls_12_aead_aad(en, payload_len, hdr, seqno, &aad); 827 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 828 tls_12_gcm_nonce(en, hdr, nonce); 829 else 830 tls_13_nonce(en, seqno, nonce); 831 832 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 833 &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len, 834 (const char *)src + hdr_len + payload_len, mac_len)); 835 836 *record_type = hdr->tls_type; 837 return (payload_len); 838 } 839 840 static size_t 841 decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src, 842 size_t len, void *dst, uint8_t *record_type) 843 { 844 const struct tls_record_layer *hdr; 845 struct tls_aead_data_13 aad; 846 char nonce[12]; 847 char *buf; 848 size_t hdr_len, mac_len, payload_len; 849 850 hdr = src; 851 852 hdr_len = tls_header_len(en); 853 mac_len = tls_mac_len(en); 854 payload_len = len - (hdr_len + mac_len); 855 ATF_REQUIRE(payload_len >= 1); 856 ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP); 857 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 858 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 859 860 tls_13_aad(en, hdr, seqno, &aad); 861 tls_13_nonce(en, seqno, nonce); 862 863 /* 864 * Have to use a temporary buffer for the output due to the 865 * record type as the last byte of the trailer. 866 */ 867 buf = malloc(payload_len); 868 869 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 870 &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len, 871 (const char *)src + hdr_len + payload_len, mac_len)); 872 873 /* Trim record type. */ 874 *record_type = buf[payload_len - 1]; 875 payload_len--; 876 877 memcpy(dst, buf, payload_len); 878 free(buf); 879 880 return (payload_len); 881 } 882 883 static size_t 884 decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src, 885 size_t len, void *dst, size_t avail, uint8_t *record_type) 886 { 887 const struct tls_record_layer *hdr; 888 size_t payload_len; 889 890 hdr = src; 891 ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len); 892 893 payload_len = len - (tls_header_len(en) + tls_trailer_len(en)); 894 ATF_REQUIRE(payload_len <= avail); 895 896 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 897 ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst, 898 record_type) == payload_len); 899 } else { 900 ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst, 901 record_type) == payload_len); 902 } 903 904 return (payload_len); 905 } 906 907 static size_t 908 decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src, 909 size_t len, void *dst, size_t avail, uint8_t *record_type) 910 { 911 if (en->cipher_algorithm == CRYPTO_AES_CBC) 912 return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail, 913 record_type)); 914 else 915 return (decrypt_tls_aead(en, seqno, src, len, dst, avail, 916 record_type)); 917 } 918 919 /* 920 * Encrypt a TLS record of type 'record_type' with payload 'len' bytes 921 * long at 'src' and store the result at 'dst'. If 'dst' doesn't have 922 * sufficient room ('avail'), fail the test. 'padding' is the amount 923 * of additional padding to include beyond any amount mandated by the 924 * cipher suite. 925 */ 926 static size_t 927 encrypt_tls_aes_cbc_mte(struct tls_enable *en, uint8_t record_type, 928 uint64_t seqno, const void *src, size_t len, void *dst, size_t avail, 929 size_t padding) 930 { 931 struct tls_record_layer *hdr; 932 struct tls_mac_data aad; 933 char *buf, *iv; 934 size_t hdr_len, mac_len, record_len; 935 u_int digest_len, i; 936 937 ATF_REQUIRE(padding % 16 == 0); 938 939 hdr = dst; 940 buf = dst; 941 942 hdr_len = tls_header_len(en); 943 mac_len = tls_mac_len(en); 944 padding += (AES_BLOCK_LEN - (len + mac_len) % AES_BLOCK_LEN); 945 ATF_REQUIRE(padding > 0 && padding <= 255); 946 947 record_len = hdr_len + len + mac_len + padding; 948 ATF_REQUIRE(record_len <= avail); 949 950 hdr->tls_type = record_type; 951 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 952 hdr->tls_vminor = en->tls_vminor; 953 hdr->tls_length = htons(record_len - sizeof(*hdr)); 954 iv = (char *)(hdr + 1); 955 for (i = 0; i < AES_BLOCK_LEN; i++) 956 iv[i] = rdigit(); 957 958 /* Copy plaintext to ciphertext region. */ 959 memcpy(buf + hdr_len, src, len); 960 961 /* Compute HMAC. */ 962 tls_mte_aad(en, len, hdr, seqno, &aad); 963 ATF_REQUIRE(compute_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 964 &aad, sizeof(aad), src, len, buf + hdr_len + len, &digest_len)); 965 ATF_REQUIRE(digest_len == mac_len); 966 967 /* Store padding. */ 968 for (i = 0; i < padding; i++) 969 buf[hdr_len + len + mac_len + i] = padding - 1; 970 971 /* Encrypt the record. */ 972 ATF_REQUIRE(cbc_encrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 973 buf + hdr_len, buf + hdr_len, len + mac_len + padding)); 974 975 return (record_len); 976 } 977 978 static size_t 979 encrypt_tls_12_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 980 const void *src, size_t len, void *dst) 981 { 982 struct tls_record_layer *hdr; 983 struct tls_aead_data aad; 984 char nonce[12]; 985 size_t hdr_len, mac_len, record_len; 986 987 hdr = dst; 988 989 hdr_len = tls_header_len(en); 990 mac_len = tls_mac_len(en); 991 record_len = hdr_len + len + mac_len; 992 993 hdr->tls_type = record_type; 994 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 995 hdr->tls_vminor = TLS_MINOR_VER_TWO; 996 hdr->tls_length = htons(record_len - sizeof(*hdr)); 997 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 998 memcpy(hdr + 1, &seqno, sizeof(seqno)); 999 1000 tls_12_aead_aad(en, len, hdr, seqno, &aad); 1001 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 1002 tls_12_gcm_nonce(en, hdr, nonce); 1003 else 1004 tls_13_nonce(en, seqno, nonce); 1005 1006 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 1007 &aad, sizeof(aad), src, (char *)dst + hdr_len, len, 1008 (char *)dst + hdr_len + len, mac_len)); 1009 1010 return (record_len); 1011 } 1012 1013 static size_t 1014 encrypt_tls_13_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 1015 const void *src, size_t len, void *dst, size_t padding) 1016 { 1017 struct tls_record_layer *hdr; 1018 struct tls_aead_data_13 aad; 1019 char nonce[12]; 1020 char *buf; 1021 size_t hdr_len, mac_len, record_len; 1022 1023 hdr = dst; 1024 1025 hdr_len = tls_header_len(en); 1026 mac_len = tls_mac_len(en); 1027 record_len = hdr_len + len + 1 + padding + mac_len; 1028 1029 hdr->tls_type = TLS_RLTYPE_APP; 1030 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 1031 hdr->tls_vminor = TLS_MINOR_VER_TWO; 1032 hdr->tls_length = htons(record_len - sizeof(*hdr)); 1033 1034 tls_13_aad(en, hdr, seqno, &aad); 1035 tls_13_nonce(en, seqno, nonce); 1036 1037 /* 1038 * Have to use a temporary buffer for the input so that the record 1039 * type can be appended. 1040 */ 1041 buf = malloc(len + 1 + padding); 1042 memcpy(buf, src, len); 1043 buf[len] = record_type; 1044 memset(buf + len + 1, 0, padding); 1045 1046 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 1047 &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding, 1048 (char *)dst + hdr_len + len + 1 + padding, mac_len)); 1049 1050 free(buf); 1051 1052 return (record_len); 1053 } 1054 1055 static size_t 1056 encrypt_tls_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 1057 const void *src, size_t len, void *dst, size_t avail, size_t padding) 1058 { 1059 size_t record_len; 1060 1061 record_len = tls_header_len(en) + len + padding + tls_trailer_len(en); 1062 ATF_REQUIRE(record_len <= avail); 1063 1064 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 1065 ATF_REQUIRE(padding == 0); 1066 ATF_REQUIRE(encrypt_tls_12_aead(en, record_type, seqno, src, 1067 len, dst) == record_len); 1068 } else 1069 ATF_REQUIRE(encrypt_tls_13_aead(en, record_type, seqno, src, 1070 len, dst, padding) == record_len); 1071 1072 return (record_len); 1073 } 1074 1075 static size_t 1076 encrypt_tls_record(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 1077 const void *src, size_t len, void *dst, size_t avail, size_t padding) 1078 { 1079 if (en->cipher_algorithm == CRYPTO_AES_CBC) 1080 return (encrypt_tls_aes_cbc_mte(en, record_type, seqno, src, 1081 len, dst, avail, padding)); 1082 else 1083 return (encrypt_tls_aead(en, record_type, seqno, src, len, 1084 dst, avail, padding)); 1085 } 1086 1087 static void 1088 test_ktls_transmit_app_data(const atf_tc_t *tc, struct tls_enable *en, 1089 uint64_t seqno, size_t len) 1090 { 1091 struct kevent ev; 1092 struct tls_record_layer *hdr; 1093 char *plaintext, *decrypted, *outbuf; 1094 size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written; 1095 ssize_t rv; 1096 int kq, sockets[2]; 1097 uint8_t record_type; 1098 1099 plaintext = alloc_buffer(len); 1100 decrypted = malloc(len); 1101 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1102 tls_trailer_len(en); 1103 outbuf = malloc(outbuf_cap); 1104 hdr = (struct tls_record_layer *)outbuf; 1105 1106 ATF_REQUIRE((kq = kqueue()) != -1); 1107 1108 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1109 1110 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1111 sizeof(*en)) == 0); 1112 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1113 1114 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1115 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1116 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1117 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1118 1119 decrypted_len = 0; 1120 outbuf_len = 0; 1121 written = 0; 1122 1123 while (decrypted_len != len) { 1124 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1125 1126 switch (ev.filter) { 1127 case EVFILT_WRITE: 1128 /* Try to write any remaining data. */ 1129 rv = write(ev.ident, plaintext + written, 1130 len - written); 1131 ATF_REQUIRE_MSG(rv > 0, 1132 "failed to write to socket"); 1133 written += rv; 1134 if (written == len) { 1135 ev.flags = EV_DISABLE; 1136 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1137 NULL) == 0); 1138 } 1139 break; 1140 1141 case EVFILT_READ: 1142 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1143 1144 /* 1145 * Try to read data for the next TLS record 1146 * into outbuf. Start by reading the header 1147 * to determine how much additional data to 1148 * read. 1149 */ 1150 if (outbuf_len < sizeof(struct tls_record_layer)) { 1151 rv = read(ev.ident, outbuf + outbuf_len, 1152 sizeof(struct tls_record_layer) - 1153 outbuf_len); 1154 ATF_REQUIRE_MSG(rv > 0, 1155 "failed to read from socket"); 1156 outbuf_len += rv; 1157 } 1158 1159 if (outbuf_len < sizeof(struct tls_record_layer)) 1160 break; 1161 1162 record_len = sizeof(struct tls_record_layer) + 1163 ntohs(hdr->tls_length); 1164 ATF_REQUIRE(record_len <= outbuf_cap); 1165 ATF_REQUIRE(record_len > outbuf_len); 1166 rv = read(ev.ident, outbuf + outbuf_len, 1167 record_len - outbuf_len); 1168 if (rv == -1 && errno == EAGAIN) 1169 break; 1170 ATF_REQUIRE_MSG(rv > 0, "failed to read from socket"); 1171 1172 outbuf_len += rv; 1173 if (outbuf_len == record_len) { 1174 decrypted_len += decrypt_tls_record(en, seqno, 1175 outbuf, outbuf_len, 1176 decrypted + decrypted_len, 1177 len - decrypted_len, &record_type); 1178 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1179 1180 seqno++; 1181 outbuf_len = 0; 1182 } 1183 break; 1184 } 1185 } 1186 1187 ATF_REQUIRE_MSG(written == decrypted_len, 1188 "read %zu decrypted bytes, but wrote %zu", decrypted_len, written); 1189 1190 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1191 1192 free(outbuf); 1193 free(decrypted); 1194 free(plaintext); 1195 1196 close_sockets(sockets); 1197 ATF_REQUIRE(close(kq) == 0); 1198 } 1199 1200 static void 1201 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len) 1202 { 1203 struct msghdr msg; 1204 struct cmsghdr *cmsg; 1205 char cbuf[CMSG_SPACE(sizeof(type))]; 1206 struct iovec iov; 1207 1208 memset(&msg, 0, sizeof(msg)); 1209 1210 msg.msg_control = cbuf; 1211 msg.msg_controllen = sizeof(cbuf); 1212 cmsg = CMSG_FIRSTHDR(&msg); 1213 cmsg->cmsg_level = IPPROTO_TCP; 1214 cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 1215 cmsg->cmsg_len = CMSG_LEN(sizeof(type)); 1216 *(uint8_t *)CMSG_DATA(cmsg) = type; 1217 1218 iov.iov_base = data; 1219 iov.iov_len = len; 1220 msg.msg_iov = &iov; 1221 msg.msg_iovlen = 1; 1222 1223 ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len); 1224 } 1225 1226 static void 1227 test_ktls_transmit_control(const atf_tc_t *tc, struct tls_enable *en, 1228 uint64_t seqno, uint8_t type, size_t len) 1229 { 1230 struct tls_record_layer *hdr; 1231 char *plaintext, *decrypted, *outbuf; 1232 size_t outbuf_cap, payload_len, record_len; 1233 ssize_t rv; 1234 int sockets[2]; 1235 uint8_t record_type; 1236 1237 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1238 1239 plaintext = alloc_buffer(len); 1240 decrypted = malloc(len); 1241 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1242 outbuf = malloc(outbuf_cap); 1243 hdr = (struct tls_record_layer *)outbuf; 1244 1245 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1246 1247 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1248 sizeof(*en)) == 0); 1249 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1250 1251 fd_set_blocking(sockets[0]); 1252 fd_set_blocking(sockets[1]); 1253 1254 ktls_send_control_message(sockets[1], type, plaintext, len); 1255 1256 /* 1257 * First read the header to determine how much additional data 1258 * to read. 1259 */ 1260 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1261 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1262 payload_len = ntohs(hdr->tls_length); 1263 record_len = payload_len + sizeof(struct tls_record_layer); 1264 ATF_REQUIRE(record_len <= outbuf_cap); 1265 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1266 payload_len); 1267 ATF_REQUIRE(rv == (ssize_t)payload_len); 1268 1269 rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len, 1270 &record_type); 1271 1272 ATF_REQUIRE_MSG((ssize_t)len == rv, 1273 "read %zd decrypted bytes, but wrote %zu", rv, len); 1274 ATF_REQUIRE(record_type == type); 1275 1276 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1277 1278 free(outbuf); 1279 free(decrypted); 1280 free(plaintext); 1281 1282 close_sockets(sockets); 1283 } 1284 1285 static void 1286 test_ktls_transmit_empty_fragment(const atf_tc_t *tc, struct tls_enable *en, 1287 uint64_t seqno) 1288 { 1289 struct tls_record_layer *hdr; 1290 char *outbuf; 1291 size_t outbuf_cap, payload_len, record_len; 1292 ssize_t rv; 1293 int sockets[2]; 1294 uint8_t record_type; 1295 1296 outbuf_cap = tls_header_len(en) + tls_trailer_len(en); 1297 outbuf = malloc(outbuf_cap); 1298 hdr = (struct tls_record_layer *)outbuf; 1299 1300 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1301 1302 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1303 sizeof(*en)) == 0); 1304 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1305 1306 fd_set_blocking(sockets[0]); 1307 fd_set_blocking(sockets[1]); 1308 1309 /* 1310 * A write of zero bytes should send an empty fragment only for 1311 * TLS 1.0, otherwise an error should be raised. 1312 */ 1313 rv = write(sockets[1], NULL, 0); 1314 if (rv == 0) { 1315 ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); 1316 ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO); 1317 } else { 1318 ATF_REQUIRE(rv == -1); 1319 ATF_REQUIRE(errno == EINVAL); 1320 goto out; 1321 } 1322 1323 /* 1324 * First read the header to determine how much additional data 1325 * to read. 1326 */ 1327 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1328 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1329 payload_len = ntohs(hdr->tls_length); 1330 record_len = payload_len + sizeof(struct tls_record_layer); 1331 ATF_REQUIRE(record_len <= outbuf_cap); 1332 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1333 payload_len); 1334 ATF_REQUIRE(rv == (ssize_t)payload_len); 1335 1336 rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, 1337 &record_type); 1338 1339 ATF_REQUIRE_MSG(rv == 0, 1340 "read %zd decrypted bytes for an empty fragment", rv); 1341 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1342 1343 out: 1344 free(outbuf); 1345 1346 close_sockets(sockets); 1347 } 1348 1349 static size_t 1350 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type, 1351 void *data, size_t len) 1352 { 1353 struct msghdr msg; 1354 struct cmsghdr *cmsg; 1355 struct tls_get_record *tgr; 1356 char cbuf[CMSG_SPACE(sizeof(*tgr))]; 1357 struct iovec iov; 1358 ssize_t rv; 1359 1360 memset(&msg, 0, sizeof(msg)); 1361 1362 msg.msg_control = cbuf; 1363 msg.msg_controllen = sizeof(cbuf); 1364 1365 iov.iov_base = data; 1366 iov.iov_len = len; 1367 msg.msg_iov = &iov; 1368 msg.msg_iovlen = 1; 1369 1370 ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0); 1371 1372 ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR); 1373 1374 cmsg = CMSG_FIRSTHDR(&msg); 1375 ATF_REQUIRE(cmsg != NULL); 1376 ATF_REQUIRE(cmsg->cmsg_level == IPPROTO_TCP); 1377 ATF_REQUIRE(cmsg->cmsg_type == TLS_GET_RECORD); 1378 ATF_REQUIRE(cmsg->cmsg_len == CMSG_LEN(sizeof(*tgr))); 1379 1380 tgr = (struct tls_get_record *)CMSG_DATA(cmsg); 1381 ATF_REQUIRE(tgr->tls_type == record_type); 1382 ATF_REQUIRE(tgr->tls_vmajor == en->tls_vmajor); 1383 /* XXX: Not sure if this is what OpenSSL expects? */ 1384 if (en->tls_vminor == TLS_MINOR_VER_THREE) 1385 ATF_REQUIRE(tgr->tls_vminor == TLS_MINOR_VER_TWO); 1386 else 1387 ATF_REQUIRE(tgr->tls_vminor == en->tls_vminor); 1388 ATF_REQUIRE(tgr->tls_length == htons(rv)); 1389 1390 return (rv); 1391 } 1392 1393 static void 1394 test_ktls_receive_app_data(const atf_tc_t *tc, struct tls_enable *en, 1395 uint64_t seqno, size_t len, size_t padding) 1396 { 1397 struct kevent ev; 1398 char *plaintext, *received, *outbuf; 1399 size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written; 1400 ssize_t rv; 1401 int kq, sockets[2]; 1402 1403 plaintext = alloc_buffer(len); 1404 received = malloc(len); 1405 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1406 tls_trailer_len(en); 1407 outbuf = malloc(outbuf_cap); 1408 1409 ATF_REQUIRE((kq = kqueue()) != -1); 1410 1411 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1412 1413 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1414 sizeof(*en)) == 0); 1415 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1416 1417 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1418 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1419 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1420 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1421 1422 received_len = 0; 1423 outbuf_len = 0; 1424 written = 0; 1425 1426 while (received_len != len) { 1427 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1428 1429 switch (ev.filter) { 1430 case EVFILT_WRITE: 1431 /* 1432 * Compose the next TLS record to send. 1433 */ 1434 if (outbuf_len == 0) { 1435 ATF_REQUIRE(written < len); 1436 todo = len - written; 1437 if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding) 1438 todo = TLS_MAX_MSG_SIZE_V10_2 - padding; 1439 outbuf_len = encrypt_tls_record(en, 1440 TLS_RLTYPE_APP, seqno, plaintext + written, 1441 todo, outbuf, outbuf_cap, padding); 1442 outbuf_sent = 0; 1443 written += todo; 1444 seqno++; 1445 } 1446 1447 /* 1448 * Try to write the remainder of the current 1449 * TLS record. 1450 */ 1451 rv = write(ev.ident, outbuf + outbuf_sent, 1452 outbuf_len - outbuf_sent); 1453 ATF_REQUIRE_MSG(rv > 0, 1454 "failed to write to socket"); 1455 outbuf_sent += rv; 1456 if (outbuf_sent == outbuf_len) { 1457 outbuf_len = 0; 1458 if (written == len) { 1459 ev.flags = EV_DISABLE; 1460 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1461 NULL) == 0); 1462 } 1463 } 1464 break; 1465 1466 case EVFILT_READ: 1467 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1468 1469 rv = ktls_receive_tls_record(en, ev.ident, 1470 TLS_RLTYPE_APP, received + received_len, 1471 len - received_len); 1472 received_len += rv; 1473 break; 1474 } 1475 } 1476 1477 ATF_REQUIRE_MSG(written == received_len, 1478 "read %zu decrypted bytes, but wrote %zu", received_len, written); 1479 1480 ATF_REQUIRE(memcmp(plaintext, received, len) == 0); 1481 1482 free(outbuf); 1483 free(received); 1484 free(plaintext); 1485 1486 close_sockets(sockets); 1487 ATF_REQUIRE(close(kq) == 0); 1488 } 1489 1490 static void 1491 ktls_receive_tls_error(int fd, int expected_error) 1492 { 1493 struct msghdr msg; 1494 struct tls_get_record *tgr; 1495 char cbuf[CMSG_SPACE(sizeof(*tgr))]; 1496 char buf[64]; 1497 struct iovec iov; 1498 1499 memset(&msg, 0, sizeof(msg)); 1500 1501 msg.msg_control = cbuf; 1502 msg.msg_controllen = sizeof(cbuf); 1503 1504 iov.iov_base = buf; 1505 iov.iov_len = sizeof(buf); 1506 msg.msg_iov = &iov; 1507 msg.msg_iovlen = 1; 1508 1509 ATF_REQUIRE(recvmsg(fd, &msg, 0) == -1); 1510 if (expected_error != 0) 1511 ATF_REQUIRE(errno == expected_error); 1512 } 1513 1514 static void 1515 test_ktls_receive_corrupted_record(const atf_tc_t *tc, struct tls_enable *en, 1516 uint64_t seqno, size_t len, ssize_t offset) 1517 { 1518 char *plaintext, *outbuf; 1519 size_t outbuf_cap, outbuf_len; 1520 ssize_t rv; 1521 int sockets[2]; 1522 1523 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1524 1525 plaintext = alloc_buffer(len); 1526 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1527 outbuf = malloc(outbuf_cap); 1528 1529 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1530 1531 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1532 sizeof(*en)) == 0); 1533 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1534 1535 fd_set_blocking(sockets[0]); 1536 fd_set_blocking(sockets[1]); 1537 1538 outbuf_len = encrypt_tls_record(en, TLS_RLTYPE_APP, seqno, 1539 plaintext, len, outbuf, outbuf_cap, 0); 1540 1541 /* A negative offset is an offset from the end. */ 1542 if (offset < 0) 1543 offset += outbuf_len; 1544 outbuf[offset] ^= 0x01; 1545 1546 rv = write(sockets[1], outbuf, outbuf_len); 1547 ATF_REQUIRE(rv == (ssize_t)outbuf_len); 1548 1549 ktls_receive_tls_error(sockets[0], EBADMSG); 1550 1551 free(outbuf); 1552 free(plaintext); 1553 1554 close_sockets(sockets); 1555 } 1556 1557 static void 1558 test_ktls_receive_corrupted_iv(const atf_tc_t *tc, struct tls_enable *en, 1559 uint64_t seqno, size_t len) 1560 { 1561 ATF_REQUIRE(tls_header_len(en) > sizeof(struct tls_record_layer)); 1562 1563 /* Corrupt the first byte of the explicit IV after the header. */ 1564 test_ktls_receive_corrupted_record(tc, en, seqno, len, 1565 sizeof(struct tls_record_layer)); 1566 } 1567 1568 static void 1569 test_ktls_receive_corrupted_data(const atf_tc_t *tc, struct tls_enable *en, 1570 uint64_t seqno, size_t len) 1571 { 1572 ATF_REQUIRE(len > 0); 1573 1574 /* Corrupt the first ciphertext byte after the header. */ 1575 test_ktls_receive_corrupted_record(tc, en, seqno, len, 1576 tls_header_len(en)); 1577 } 1578 1579 static void 1580 test_ktls_receive_corrupted_mac(const atf_tc_t *tc, struct tls_enable *en, 1581 uint64_t seqno, size_t len) 1582 { 1583 size_t offset; 1584 1585 /* Corrupt the first byte of the MAC. */ 1586 if (en->cipher_algorithm == CRYPTO_AES_CBC) 1587 offset = tls_header_len(en) + len; 1588 else 1589 offset = -tls_mac_len(en); 1590 test_ktls_receive_corrupted_record(tc, en, seqno, len, offset); 1591 } 1592 1593 static void 1594 test_ktls_receive_corrupted_padding(const atf_tc_t *tc, struct tls_enable *en, 1595 uint64_t seqno, size_t len) 1596 { 1597 ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); 1598 1599 /* Corrupt the last byte of the padding. */ 1600 test_ktls_receive_corrupted_record(tc, en, seqno, len, -1); 1601 } 1602 1603 static void 1604 test_ktls_receive_truncated_record(const atf_tc_t *tc, struct tls_enable *en, 1605 uint64_t seqno, size_t len) 1606 { 1607 char *plaintext, *outbuf; 1608 size_t outbuf_cap, outbuf_len; 1609 ssize_t rv; 1610 int sockets[2]; 1611 1612 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1613 1614 plaintext = alloc_buffer(len); 1615 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1616 outbuf = malloc(outbuf_cap); 1617 1618 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1619 1620 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1621 sizeof(*en)) == 0); 1622 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1623 1624 fd_set_blocking(sockets[0]); 1625 fd_set_blocking(sockets[1]); 1626 1627 outbuf_len = encrypt_tls_record(en, TLS_RLTYPE_APP, seqno, 1628 plaintext, len, outbuf, outbuf_cap, 0); 1629 1630 rv = write(sockets[1], outbuf, outbuf_len / 2); 1631 ATF_REQUIRE(rv == (ssize_t)(outbuf_len / 2)); 1632 1633 ATF_REQUIRE(shutdown(sockets[1], SHUT_WR) == 0); 1634 1635 ktls_receive_tls_error(sockets[0], EMSGSIZE); 1636 1637 free(outbuf); 1638 free(plaintext); 1639 1640 close_sockets(sockets); 1641 } 1642 1643 static void 1644 test_ktls_receive_bad_major(const atf_tc_t *tc, struct tls_enable *en, 1645 uint64_t seqno, size_t len) 1646 { 1647 struct tls_record_layer *hdr; 1648 char *plaintext, *outbuf; 1649 size_t outbuf_cap, outbuf_len; 1650 ssize_t rv; 1651 int sockets[2]; 1652 1653 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1654 1655 plaintext = alloc_buffer(len); 1656 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1657 outbuf = malloc(outbuf_cap); 1658 1659 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1660 1661 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1662 sizeof(*en)) == 0); 1663 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1664 1665 fd_set_blocking(sockets[0]); 1666 fd_set_blocking(sockets[1]); 1667 1668 outbuf_len = encrypt_tls_record(en, TLS_RLTYPE_APP, seqno, 1669 plaintext, len, outbuf, outbuf_cap, 0); 1670 1671 hdr = (void *)outbuf; 1672 hdr->tls_vmajor++; 1673 1674 rv = write(sockets[1], outbuf, outbuf_len); 1675 ATF_REQUIRE(rv == (ssize_t)outbuf_len); 1676 1677 ktls_receive_tls_error(sockets[0], EINVAL); 1678 1679 free(outbuf); 1680 free(plaintext); 1681 1682 close_sockets(sockets); 1683 } 1684 1685 static void 1686 test_ktls_receive_bad_minor(const atf_tc_t *tc, struct tls_enable *en, 1687 uint64_t seqno, size_t len) 1688 { 1689 struct tls_record_layer *hdr; 1690 char *plaintext, *outbuf; 1691 size_t outbuf_cap, outbuf_len; 1692 ssize_t rv; 1693 int sockets[2]; 1694 1695 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1696 1697 plaintext = alloc_buffer(len); 1698 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1699 outbuf = malloc(outbuf_cap); 1700 1701 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1702 1703 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1704 sizeof(*en)) == 0); 1705 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1706 1707 fd_set_blocking(sockets[0]); 1708 fd_set_blocking(sockets[1]); 1709 1710 outbuf_len = encrypt_tls_record(en, TLS_RLTYPE_APP, seqno, 1711 plaintext, len, outbuf, outbuf_cap, 0); 1712 1713 hdr = (void *)outbuf; 1714 hdr->tls_vminor++; 1715 1716 rv = write(sockets[1], outbuf, outbuf_len); 1717 ATF_REQUIRE(rv == (ssize_t)outbuf_len); 1718 1719 ktls_receive_tls_error(sockets[0], EINVAL); 1720 1721 free(outbuf); 1722 free(plaintext); 1723 1724 close_sockets(sockets); 1725 } 1726 1727 static void 1728 test_ktls_receive_bad_type(const atf_tc_t *tc, struct tls_enable *en, 1729 uint64_t seqno, size_t len) 1730 { 1731 struct tls_record_layer *hdr; 1732 char *plaintext, *outbuf; 1733 size_t outbuf_cap, outbuf_len; 1734 ssize_t rv; 1735 int sockets[2]; 1736 1737 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1738 ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_THREE); 1739 1740 plaintext = alloc_buffer(len); 1741 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1742 outbuf = malloc(outbuf_cap); 1743 1744 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1745 1746 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1747 sizeof(*en)) == 0); 1748 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1749 1750 fd_set_blocking(sockets[0]); 1751 fd_set_blocking(sockets[1]); 1752 1753 outbuf_len = encrypt_tls_record(en, 0x21 /* Alert */, seqno, 1754 plaintext, len, outbuf, outbuf_cap, 0); 1755 1756 hdr = (void *)outbuf; 1757 hdr->tls_type = TLS_RLTYPE_APP + 1; 1758 1759 rv = write(sockets[1], outbuf, outbuf_len); 1760 ATF_REQUIRE(rv == (ssize_t)outbuf_len); 1761 1762 ktls_receive_tls_error(sockets[0], EINVAL); 1763 1764 free(outbuf); 1765 free(plaintext); 1766 1767 close_sockets(sockets); 1768 } 1769 1770 static void 1771 test_ktls_receive_bad_size(const atf_tc_t *tc, struct tls_enable *en, 1772 uint64_t seqno, size_t len) 1773 { 1774 struct tls_record_layer *hdr; 1775 char *outbuf; 1776 size_t outbuf_len; 1777 ssize_t rv; 1778 int sockets[2]; 1779 1780 outbuf_len = sizeof(*hdr) + len; 1781 outbuf = calloc(1, outbuf_len); 1782 1783 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1784 1785 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1786 sizeof(*en)) == 0); 1787 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1788 1789 fd_set_blocking(sockets[0]); 1790 fd_set_blocking(sockets[1]); 1791 1792 hdr = (void *)outbuf; 1793 hdr->tls_vmajor = en->tls_vmajor; 1794 if (en->tls_vminor == TLS_MINOR_VER_THREE) 1795 hdr->tls_vminor = TLS_MINOR_VER_TWO; 1796 else 1797 hdr->tls_vminor = en->tls_vminor; 1798 hdr->tls_type = TLS_RLTYPE_APP; 1799 hdr->tls_length = htons(len); 1800 1801 rv = write(sockets[1], outbuf, outbuf_len); 1802 ATF_REQUIRE(rv == (ssize_t)outbuf_len); 1803 1804 ATF_REQUIRE(shutdown(sockets[1], SHUT_WR) == 0); 1805 1806 ktls_receive_tls_error(sockets[0], EMSGSIZE); 1807 1808 free(outbuf); 1809 1810 close_sockets(sockets); 1811 } 1812 1813 #define TLS_10_TESTS(M) \ 1814 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1815 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1816 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1817 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) 1818 1819 #define TLS_13_TESTS(M) \ 1820 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1821 TLS_MINOR_VER_THREE) \ 1822 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1823 TLS_MINOR_VER_THREE) \ 1824 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1825 TLS_MINOR_VER_THREE) 1826 1827 #define AES_CBC_NONZERO_TESTS(M) \ 1828 M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1829 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1830 M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1831 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1832 M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1833 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1834 M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1835 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1836 M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1837 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1838 M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \ 1839 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1840 M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1841 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1842 M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \ 1843 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1844 1845 #define AES_CBC_TESTS(M) \ 1846 TLS_10_TESTS(M) \ 1847 AES_CBC_NONZERO_TESTS(M) 1848 1849 #define AES_GCM_12_TESTS(M) \ 1850 M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1851 TLS_MINOR_VER_TWO) \ 1852 M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1853 TLS_MINOR_VER_TWO) 1854 1855 #define AES_GCM_TESTS(M) \ 1856 AES_GCM_12_TESTS(M) \ 1857 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1858 TLS_MINOR_VER_THREE) \ 1859 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1860 TLS_MINOR_VER_THREE) 1861 1862 #define CHACHA20_TESTS(M) \ 1863 M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1864 TLS_MINOR_VER_TWO) \ 1865 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1866 TLS_MINOR_VER_THREE) 1867 1868 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1869 auth_alg, minor, name, len) \ 1870 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1871 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1872 { \ 1873 struct tls_enable en; \ 1874 uint64_t seqno; \ 1875 \ 1876 ATF_REQUIRE_KTLS(); \ 1877 seqno = random(); \ 1878 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1879 &en); \ 1880 test_ktls_transmit_app_data(tc, &en, seqno, len); \ 1881 free_tls_enable(&en); \ 1882 } 1883 1884 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1885 auth_alg, minor, name) \ 1886 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1887 1888 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1889 auth_alg, minor, name, type, len) \ 1890 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1891 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1892 { \ 1893 struct tls_enable en; \ 1894 uint64_t seqno; \ 1895 \ 1896 ATF_REQUIRE_KTLS(); \ 1897 seqno = random(); \ 1898 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1899 &en); \ 1900 test_ktls_transmit_control(tc, &en, seqno, type, len); \ 1901 free_tls_enable(&en); \ 1902 } 1903 1904 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1905 auth_alg, minor, name) \ 1906 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1907 1908 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1909 key_size, auth_alg, minor) \ 1910 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ 1911 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ 1912 { \ 1913 struct tls_enable en; \ 1914 uint64_t seqno; \ 1915 \ 1916 ATF_REQUIRE_KTLS(); \ 1917 seqno = random(); \ 1918 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1919 &en); \ 1920 test_ktls_transmit_empty_fragment(tc, &en, seqno); \ 1921 free_tls_enable(&en); \ 1922 } 1923 1924 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1925 key_size, auth_alg, minor) \ 1926 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); 1927 1928 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1929 minor) \ 1930 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1931 auth_alg, minor, short, 64) \ 1932 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1933 auth_alg, minor, long, 64 * 1024) \ 1934 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1935 auth_alg, minor, control, 0x21 /* Alert */, 32) 1936 1937 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1938 minor) \ 1939 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1940 auth_alg, minor, short) \ 1941 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1942 auth_alg, minor, long) \ 1943 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1944 auth_alg, minor, control) 1945 1946 /* 1947 * For each supported cipher suite, run three transmit tests: 1948 * 1949 * - a short test which sends 64 bytes of application data (likely as 1950 * a single TLS record) 1951 * 1952 * - a long test which sends 64KB of application data (split across 1953 * multiple TLS records) 1954 * 1955 * - a control test which sends a single record with a specific 1956 * content type via sendmsg() 1957 */ 1958 AES_CBC_TESTS(GEN_TRANSMIT_TESTS); 1959 AES_GCM_TESTS(GEN_TRANSMIT_TESTS); 1960 CHACHA20_TESTS(GEN_TRANSMIT_TESTS); 1961 1962 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1963 auth_alg, minor) \ 1964 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1965 auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \ 1966 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1967 auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \ 1968 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1969 auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \ 1970 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1971 auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \ 1972 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1973 auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \ 1974 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1975 auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \ 1976 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1977 auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \ 1978 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1979 auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \ 1980 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1981 auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \ 1982 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1983 auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \ 1984 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1985 auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \ 1986 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1987 auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \ 1988 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1989 auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \ 1990 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1991 auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \ 1992 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1993 auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \ 1994 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1995 auth_alg, minor, padding_16, 0x21 /* Alert */, 16) 1996 1997 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1998 auth_alg, minor) \ 1999 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2000 auth_alg, minor, padding_1) \ 2001 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2002 auth_alg, minor, padding_2) \ 2003 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2004 auth_alg, minor, padding_3) \ 2005 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2006 auth_alg, minor, padding_4) \ 2007 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2008 auth_alg, minor, padding_5) \ 2009 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2010 auth_alg, minor, padding_6) \ 2011 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2012 auth_alg, minor, padding_7) \ 2013 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2014 auth_alg, minor, padding_8) \ 2015 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2016 auth_alg, minor, padding_9) \ 2017 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2018 auth_alg, minor, padding_10) \ 2019 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2020 auth_alg, minor, padding_11) \ 2021 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2022 auth_alg, minor, padding_12) \ 2023 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2024 auth_alg, minor, padding_13) \ 2025 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2026 auth_alg, minor, padding_14) \ 2027 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2028 auth_alg, minor, padding_15) \ 2029 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 2030 auth_alg, minor, padding_16) 2031 2032 /* 2033 * For AES-CBC MTE cipher suites using padding, add tests of messages 2034 * with each possible padding size. Note that the padding_<N> tests 2035 * do not necessarily test <N> bytes of padding as the padding is a 2036 * function of the cipher suite's MAC length. However, cycling 2037 * through all of the payload sizes from 1 to 16 should exercise all 2038 * of the possible padding lengths for each suite. 2039 */ 2040 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); 2041 2042 /* 2043 * Test "empty fragments" which are TLS records with no payload that 2044 * OpenSSL can send for TLS 1.0 connections. 2045 */ 2046 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 2047 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 2048 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 2049 2050 static void 2051 test_ktls_invalid_transmit_cipher_suite(const atf_tc_t *tc, 2052 struct tls_enable *en) 2053 { 2054 int sockets[2]; 2055 2056 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 2057 2058 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 2059 sizeof(*en)) == -1); 2060 ATF_REQUIRE(errno == EINVAL); 2061 2062 close_sockets(sockets); 2063 } 2064 2065 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 2066 minor) \ 2067 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name); \ 2068 ATF_TC_BODY(ktls_transmit_invalid_##name, tc) \ 2069 { \ 2070 struct tls_enable en; \ 2071 uint64_t seqno; \ 2072 \ 2073 ATF_REQUIRE_KTLS(); \ 2074 seqno = random(); \ 2075 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2076 &en); \ 2077 test_ktls_invalid_transmit_cipher_suite(tc, &en); \ 2078 free_tls_enable(&en); \ 2079 } 2080 2081 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 2082 minor) \ 2083 ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name); 2084 2085 #define INVALID_CIPHER_SUITES(M) \ 2086 M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8, \ 2087 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO) \ 2088 M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8, \ 2089 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO) \ 2090 M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 2091 TLS_MINOR_VER_ZERO) \ 2092 M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 2093 TLS_MINOR_VER_ZERO) \ 2094 M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8, \ 2095 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE) \ 2096 M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8, \ 2097 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE) \ 2098 M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 2099 TLS_MINOR_VER_ONE) \ 2100 M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 2101 TLS_MINOR_VER_ONE) \ 2102 M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8, \ 2103 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE) \ 2104 M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8, \ 2105 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE) \ 2106 M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8, \ 2107 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE) 2108 2109 /* 2110 * Ensure that invalid cipher suites are rejected for transmit. 2111 */ 2112 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST); 2113 2114 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2115 auth_alg, minor, name, len, padding) \ 2116 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \ 2117 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \ 2118 { \ 2119 struct tls_enable en; \ 2120 uint64_t seqno; \ 2121 \ 2122 ATF_REQUIRE_KTLS(); \ 2123 seqno = random(); \ 2124 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2125 &en); \ 2126 test_ktls_receive_app_data(tc, &en, seqno, len, padding); \ 2127 free_tls_enable(&en); \ 2128 } 2129 2130 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2131 auth_alg, minor, name) \ 2132 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name); 2133 2134 #define GEN_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2135 auth_alg, minor, len) \ 2136 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_data); \ 2137 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_data, tc) \ 2138 { \ 2139 struct tls_enable en; \ 2140 uint64_t seqno; \ 2141 \ 2142 ATF_REQUIRE_KTLS(); \ 2143 seqno = random(); \ 2144 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2145 &en); \ 2146 test_ktls_receive_corrupted_data(tc, &en, seqno, len); \ 2147 free_tls_enable(&en); \ 2148 } 2149 2150 #define ADD_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2151 auth_alg, minor) \ 2152 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_data); 2153 2154 #define GEN_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \ 2155 auth_alg, minor, len) \ 2156 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_mac); \ 2157 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_mac, tc) \ 2158 { \ 2159 struct tls_enable en; \ 2160 uint64_t seqno; \ 2161 \ 2162 ATF_REQUIRE_KTLS(); \ 2163 seqno = random(); \ 2164 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2165 &en); \ 2166 test_ktls_receive_corrupted_mac(tc, &en, seqno, len); \ 2167 free_tls_enable(&en); \ 2168 } 2169 2170 #define ADD_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \ 2171 auth_alg, minor) \ 2172 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_mac); 2173 2174 #define GEN_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \ 2175 auth_alg, minor, len) \ 2176 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_truncated_record); \ 2177 ATF_TC_BODY(ktls_receive_##cipher_name##_truncated_record, tc) \ 2178 { \ 2179 struct tls_enable en; \ 2180 uint64_t seqno; \ 2181 \ 2182 ATF_REQUIRE_KTLS(); \ 2183 seqno = random(); \ 2184 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2185 &en); \ 2186 test_ktls_receive_truncated_record(tc, &en, seqno, len); \ 2187 free_tls_enable(&en); \ 2188 } 2189 2190 #define ADD_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \ 2191 auth_alg, minor) \ 2192 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_truncated_record); 2193 2194 #define GEN_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \ 2195 auth_alg, minor, len) \ 2196 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_major); \ 2197 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_major, tc) \ 2198 { \ 2199 struct tls_enable en; \ 2200 uint64_t seqno; \ 2201 \ 2202 ATF_REQUIRE_KTLS(); \ 2203 seqno = random(); \ 2204 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2205 &en); \ 2206 test_ktls_receive_bad_major(tc, &en, seqno, len); \ 2207 free_tls_enable(&en); \ 2208 } 2209 2210 #define ADD_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \ 2211 auth_alg, minor) \ 2212 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_major); 2213 2214 #define GEN_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \ 2215 auth_alg, minor, len) \ 2216 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_minor); \ 2217 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_minor, tc) \ 2218 { \ 2219 struct tls_enable en; \ 2220 uint64_t seqno; \ 2221 \ 2222 ATF_REQUIRE_KTLS(); \ 2223 seqno = random(); \ 2224 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2225 &en); \ 2226 test_ktls_receive_bad_minor(tc, &en, seqno, len); \ 2227 free_tls_enable(&en); \ 2228 } 2229 2230 #define ADD_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \ 2231 auth_alg, minor) \ 2232 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_minor); 2233 2234 #define GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2235 auth_alg, minor, name, len) \ 2236 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \ 2237 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \ 2238 { \ 2239 struct tls_enable en; \ 2240 uint64_t seqno; \ 2241 \ 2242 ATF_REQUIRE_KTLS(); \ 2243 seqno = random(); \ 2244 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2245 &en); \ 2246 test_ktls_receive_bad_size(tc, &en, seqno, (len)); \ 2247 free_tls_enable(&en); \ 2248 } 2249 2250 #define ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2251 auth_alg, minor, name) \ 2252 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name); 2253 2254 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 2255 minor) \ 2256 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2257 auth_alg, minor, short, 64, 0) \ 2258 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2259 auth_alg, minor, long, 64 * 1024, 0) \ 2260 GEN_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2261 auth_alg, minor, 64) \ 2262 GEN_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \ 2263 auth_alg, minor, 64) \ 2264 GEN_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \ 2265 auth_alg, minor, 64) \ 2266 GEN_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \ 2267 auth_alg, minor, 64) \ 2268 GEN_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \ 2269 auth_alg, minor, 64) \ 2270 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2271 auth_alg, minor, small_record, \ 2272 tls_minimum_record_payload(&en) - 1) \ 2273 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2274 auth_alg, minor, oversized_record, \ 2275 TLS_MAX_MSG_SIZE_V10_2 * 2) 2276 2277 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 2278 minor) \ 2279 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2280 auth_alg, minor, short) \ 2281 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2282 auth_alg, minor, long) \ 2283 ADD_RECEIVE_BAD_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2284 auth_alg, minor) \ 2285 ADD_RECEIVE_BAD_MAC_TEST(cipher_name, cipher_alg, key_size, \ 2286 auth_alg, minor) \ 2287 ADD_RECEIVE_TRUNCATED_TEST(cipher_name, cipher_alg, key_size, \ 2288 auth_alg, minor) \ 2289 ADD_RECEIVE_BAD_MAJOR_TEST(cipher_name, cipher_alg, key_size, \ 2290 auth_alg, minor) \ 2291 ADD_RECEIVE_BAD_MINOR_TEST(cipher_name, cipher_alg, key_size, \ 2292 auth_alg, minor) \ 2293 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2294 auth_alg, minor, small_record) \ 2295 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2296 auth_alg, minor, oversized_record) 2297 2298 /* 2299 * For each supported cipher suite, run several receive tests: 2300 * 2301 * - a short test which sends 64 bytes of application data (likely as 2302 * a single TLS record) 2303 * 2304 * - a long test which sends 64KB of application data (split across 2305 * multiple TLS records) 2306 * 2307 * - a test with corrupted payload data in a single TLS record 2308 * 2309 * - a test with a corrupted MAC in a single TLS record 2310 * 2311 * - a test with a truncated TLS record 2312 * 2313 * - tests with invalid TLS major and minor versions 2314 * 2315 * - a tests with a record whose is one less than the smallest valid 2316 * size 2317 * 2318 * - a test with an oversized TLS record 2319 */ 2320 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_TESTS); 2321 AES_GCM_TESTS(GEN_RECEIVE_TESTS); 2322 CHACHA20_TESTS(GEN_RECEIVE_TESTS); 2323 2324 #define GEN_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \ 2325 key_size, auth_alg, minor) \ 2326 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2327 auth_alg, minor, padding_1, 1, 0) \ 2328 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2329 auth_alg, minor, padding_2, 2, 0) \ 2330 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2331 auth_alg, minor, padding_3, 3, 0) \ 2332 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2333 auth_alg, minor, padding_4, 4, 0) \ 2334 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2335 auth_alg, minor, padding_5, 5, 0) \ 2336 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2337 auth_alg, minor, padding_6, 6, 0) \ 2338 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2339 auth_alg, minor, padding_7, 7, 0) \ 2340 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2341 auth_alg, minor, padding_8, 8, 0) \ 2342 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2343 auth_alg, minor, padding_9, 9, 0) \ 2344 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2345 auth_alg, minor, padding_10, 10, 0) \ 2346 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2347 auth_alg, minor, padding_11, 11, 0) \ 2348 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2349 auth_alg, minor, padding_12, 12, 0) \ 2350 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2351 auth_alg, minor, padding_13, 13, 0) \ 2352 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2353 auth_alg, minor, padding_14, 14, 0) \ 2354 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2355 auth_alg, minor, padding_15, 15, 0) \ 2356 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2357 auth_alg, minor, padding_16, 16, 0) \ 2358 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2359 auth_alg, minor, padding_16_extra, 16, 16) \ 2360 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2361 auth_alg, minor, padding_32_extra, 16, 32) 2362 2363 #define ADD_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \ 2364 key_size, auth_alg, minor) \ 2365 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2366 auth_alg, minor, padding_1) \ 2367 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2368 auth_alg, minor, padding_2) \ 2369 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2370 auth_alg, minor, padding_3) \ 2371 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2372 auth_alg, minor, padding_4) \ 2373 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2374 auth_alg, minor, padding_5) \ 2375 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2376 auth_alg, minor, padding_6) \ 2377 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2378 auth_alg, minor, padding_7) \ 2379 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2380 auth_alg, minor, padding_8) \ 2381 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2382 auth_alg, minor, padding_9) \ 2383 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2384 auth_alg, minor, padding_10) \ 2385 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2386 auth_alg, minor, padding_11) \ 2387 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2388 auth_alg, minor, padding_12) \ 2389 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2390 auth_alg, minor, padding_13) \ 2391 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2392 auth_alg, minor, padding_14) \ 2393 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2394 auth_alg, minor, padding_15) \ 2395 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2396 auth_alg, minor, padding_16) \ 2397 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2398 auth_alg, minor, padding_16_extra) \ 2399 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2400 auth_alg, minor, padding_32_extra) 2401 2402 #define GEN_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \ 2403 auth_alg, minor, len) \ 2404 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_padding); \ 2405 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_padding, tc) \ 2406 { \ 2407 struct tls_enable en; \ 2408 uint64_t seqno; \ 2409 \ 2410 ATF_REQUIRE_KTLS(); \ 2411 seqno = random(); \ 2412 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2413 &en); \ 2414 test_ktls_receive_corrupted_padding(tc, &en, seqno, len); \ 2415 free_tls_enable(&en); \ 2416 } 2417 2418 #define ADD_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \ 2419 auth_alg, minor) \ 2420 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_padding); 2421 2422 #define GEN_RECEIVE_MTE_TESTS(cipher_name, cipher_alg, key_size, \ 2423 auth_alg, minor) \ 2424 GEN_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \ 2425 key_size, auth_alg, minor) \ 2426 GEN_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \ 2427 auth_alg, minor, 64) \ 2428 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2429 auth_alg, minor, non_block_size, \ 2430 tls_minimum_record_payload(&en) + 1) 2431 2432 #define ADD_RECEIVE_MTE_TESTS(cipher_name, cipher_alg, key_size, \ 2433 auth_alg, minor) \ 2434 ADD_RECEIVE_MTE_PADDING_TESTS(cipher_name, cipher_alg, \ 2435 key_size, auth_alg, minor) \ 2436 ADD_RECEIVE_BAD_PADDING_TEST(cipher_name, cipher_alg, key_size, \ 2437 auth_alg, minor) \ 2438 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2439 auth_alg, minor, non_block_size) 2440 2441 /* 2442 * For AES-CBC MTE cipher suites using padding, add tests of messages 2443 * with each possible padding size. Note that the padding_<N> tests 2444 * do not necessarily test <N> bytes of padding as the padding is a 2445 * function of the cipher suite's MAC length. However, cycling 2446 * through all of the payload sizes from 1 to 16 should exercise all 2447 * of the possible padding lengths for each suite. 2448 * 2449 * Two additional tests check for additional padding with an extra 2450 * 16 or 32 bytes beyond the normal padding. 2451 * 2452 * Another test checks for corrupted padding. 2453 * 2454 * Another test checks for a record whose payload is not a multiple of 2455 * the AES block size. 2456 */ 2457 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_MTE_TESTS); 2458 2459 #define GEN_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \ 2460 auth_alg, minor) \ 2461 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_iv); \ 2462 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_iv, tc) \ 2463 { \ 2464 struct tls_enable en; \ 2465 uint64_t seqno; \ 2466 \ 2467 ATF_REQUIRE_KTLS(); \ 2468 seqno = random(); \ 2469 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2470 &en); \ 2471 test_ktls_receive_corrupted_iv(tc, &en, seqno, 64); \ 2472 free_tls_enable(&en); \ 2473 } 2474 2475 #define ADD_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \ 2476 auth_alg, minor) \ 2477 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_iv); 2478 2479 #define GEN_RECEIVE_EXPLICIT_IV_TESTS(cipher_name, cipher_alg, \ 2480 key_size, auth_alg, minor) \ 2481 GEN_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \ 2482 auth_alg, minor) \ 2483 GEN_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2484 auth_alg, minor, short_header, \ 2485 sizeof(struct tls_record_layer) + 1) 2486 2487 #define ADD_RECEIVE_EXPLICIT_IV_TESTS(cipher_name, cipher_alg, \ 2488 key_size, auth_alg, minor) \ 2489 ADD_RECEIVE_BAD_IV_TEST(cipher_name, cipher_alg, key_size, \ 2490 auth_alg, minor) \ 2491 ADD_RECEIVE_BAD_SIZE_TEST(cipher_name, cipher_alg, key_size, \ 2492 auth_alg, minor, short_header) 2493 2494 /* 2495 * For cipher suites with an explicit IV, run a receive test where the 2496 * explicit IV has been corrupted. Also run a receive test that sends 2497 * a short record without a complete IV. 2498 */ 2499 AES_CBC_NONZERO_TESTS(GEN_RECEIVE_EXPLICIT_IV_TESTS); 2500 AES_GCM_12_TESTS(GEN_RECEIVE_EXPLICIT_IV_TESTS); 2501 2502 #define GEN_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \ 2503 auth_alg, minor, len) \ 2504 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_bad_type); \ 2505 ATF_TC_BODY(ktls_receive_##cipher_name##_bad_type, tc) \ 2506 { \ 2507 struct tls_enable en; \ 2508 uint64_t seqno; \ 2509 \ 2510 ATF_REQUIRE_KTLS(); \ 2511 seqno = random(); \ 2512 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2513 &en); \ 2514 test_ktls_receive_bad_type(tc, &en, seqno, len); \ 2515 free_tls_enable(&en); \ 2516 } 2517 2518 #define ADD_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \ 2519 auth_alg, minor) \ 2520 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_bad_type); 2521 2522 #define GEN_RECEIVE_TLS13_TESTS(cipher_name, cipher_alg, key_size, \ 2523 auth_alg, minor) \ 2524 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2525 auth_alg, minor, short_padded, 64, 16) \ 2526 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2527 auth_alg, minor, long_padded, 64 * 1024, 15) \ 2528 GEN_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \ 2529 auth_alg, minor, 64) 2530 2531 #define ADD_RECEIVE_TLS13_TESTS(cipher_name, cipher_alg, key_size, \ 2532 auth_alg, minor) \ 2533 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2534 auth_alg, minor, short_padded) \ 2535 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 2536 auth_alg, minor, long_padded) \ 2537 ADD_RECEIVE_BAD_TYPE_TEST(cipher_name, cipher_alg, key_size, \ 2538 auth_alg, minor) 2539 2540 /* 2541 * For TLS 1.3 cipher suites, run two additional receive tests which 2542 * use add padding to each record. Also run a test that uses an 2543 * invalid "outer" record type. 2544 */ 2545 TLS_13_TESTS(GEN_RECEIVE_TLS13_TESTS); 2546 2547 static void 2548 test_ktls_invalid_receive_cipher_suite(const atf_tc_t *tc, 2549 struct tls_enable *en) 2550 { 2551 int sockets[2]; 2552 2553 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 2554 2555 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 2556 sizeof(*en)) == -1); 2557 ATF_REQUIRE(errno == EINVAL); 2558 2559 close_sockets(sockets); 2560 } 2561 2562 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 2563 minor) \ 2564 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name); \ 2565 ATF_TC_BODY(ktls_receive_invalid_##name, tc) \ 2566 { \ 2567 struct tls_enable en; \ 2568 uint64_t seqno; \ 2569 \ 2570 ATF_REQUIRE_KTLS(); \ 2571 seqno = random(); \ 2572 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2573 &en); \ 2574 test_ktls_invalid_receive_cipher_suite(tc, &en); \ 2575 free_tls_enable(&en); \ 2576 } 2577 2578 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 2579 minor) \ 2580 ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name); 2581 2582 /* 2583 * Ensure that invalid cipher suites are rejected for receive. 2584 */ 2585 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST); 2586 2587 static void 2588 test_ktls_unsupported_receive_cipher_suite(const atf_tc_t *tc, 2589 struct tls_enable *en) 2590 { 2591 int sockets[2]; 2592 2593 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 2594 2595 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 2596 sizeof(*en)) == -1); 2597 ATF_REQUIRE(errno == EPROTONOSUPPORT); 2598 2599 close_sockets(sockets); 2600 } 2601 2602 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 2603 auth_alg, minor) \ 2604 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name); \ 2605 ATF_TC_BODY(ktls_receive_unsupported_##name, tc) \ 2606 { \ 2607 struct tls_enable en; \ 2608 uint64_t seqno; \ 2609 \ 2610 ATF_REQUIRE_KTLS(); \ 2611 seqno = random(); \ 2612 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 2613 &en); \ 2614 test_ktls_unsupported_receive_cipher_suite(tc, &en); \ 2615 free_tls_enable(&en); \ 2616 } 2617 2618 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 2619 auth_alg, minor) \ 2620 ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name); 2621 2622 /* 2623 * Ensure that valid cipher suites not supported for receive are 2624 * rejected. 2625 */ 2626 TLS_10_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST); 2627 2628 /* 2629 * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise 2630 * KTLS error handling in the socket layer. 2631 */ 2632 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst); 2633 ATF_TC_BODY(ktls_sendto_baddst, tc) 2634 { 2635 char buf[32]; 2636 struct sockaddr_in dst; 2637 struct tls_enable en; 2638 ssize_t n; 2639 int s; 2640 2641 ATF_REQUIRE_KTLS(); 2642 2643 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 2644 ATF_REQUIRE(s >= 0); 2645 2646 build_tls_enable(CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, 2647 TLS_MINOR_VER_THREE, (uint64_t)random(), &en); 2648 2649 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, 2650 sizeof(en)) == 0); 2651 2652 memset(&dst, 0, sizeof(dst)); 2653 dst.sin_family = AF_INET; 2654 dst.sin_len = sizeof(dst); 2655 dst.sin_addr.s_addr = htonl(INADDR_BROADCAST); 2656 dst.sin_port = htons(12345); 2657 2658 memset(buf, 0, sizeof(buf)); 2659 n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst, 2660 sizeof(dst)); 2661 2662 /* Can't transmit to the broadcast address over TCP. */ 2663 ATF_REQUIRE_ERRNO(EACCES, n == -1); 2664 ATF_REQUIRE(close(s) == 0); 2665 } 2666 2667 ATF_TP_ADD_TCS(tp) 2668 { 2669 /* Transmit tests */ 2670 AES_CBC_TESTS(ADD_TRANSMIT_TESTS); 2671 AES_GCM_TESTS(ADD_TRANSMIT_TESTS); 2672 CHACHA20_TESTS(ADD_TRANSMIT_TESTS); 2673 AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); 2674 AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 2675 AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 2676 CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 2677 INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST); 2678 2679 /* Receive tests */ 2680 TLS_10_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST); 2681 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_TESTS); 2682 AES_GCM_TESTS(ADD_RECEIVE_TESTS); 2683 CHACHA20_TESTS(ADD_RECEIVE_TESTS); 2684 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_MTE_TESTS); 2685 AES_CBC_NONZERO_TESTS(ADD_RECEIVE_EXPLICIT_IV_TESTS); 2686 AES_GCM_12_TESTS(ADD_RECEIVE_EXPLICIT_IV_TESTS); 2687 TLS_13_TESTS(ADD_RECEIVE_TLS13_TESTS); 2688 INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST); 2689 2690 /* Miscellaneous */ 2691 ATF_TP_ADD_TC(tp, ktls_sendto_baddst); 2692 2693 return (atf_no_error()); 2694 } 2695