1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Netflix Inc. 5 * Written by: John Baldwin <jhb@FreeBSD.org> 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 */ 28 29 #include <sys/types.h> 30 #include <sys/endian.h> 31 #include <sys/event.h> 32 #include <sys/ktls.h> 33 #include <sys/socket.h> 34 #include <sys/sysctl.h> 35 #include <netinet/in.h> 36 #include <netinet/tcp.h> 37 #include <crypto/cryptodev.h> 38 #include <assert.h> 39 #include <err.h> 40 #include <fcntl.h> 41 #include <netdb.h> 42 #include <poll.h> 43 #include <stdbool.h> 44 #include <stdlib.h> 45 #include <atf-c.h> 46 47 #include <openssl/err.h> 48 #include <openssl/evp.h> 49 #include <openssl/hmac.h> 50 51 static void 52 require_ktls(void) 53 { 54 size_t len; 55 bool enable; 56 57 len = sizeof(enable); 58 if (sysctlbyname("kern.ipc.tls.enable", &enable, &len, NULL, 0) == -1) { 59 if (errno == ENOENT) 60 atf_tc_skip("kernel does not support TLS offload"); 61 atf_libc_error(errno, "Failed to read kern.ipc.tls.enable"); 62 } 63 64 if (!enable) 65 atf_tc_skip("Kernel TLS is disabled"); 66 } 67 68 #define ATF_REQUIRE_KTLS() require_ktls() 69 70 static void 71 check_tls_mode(const atf_tc_t *tc, int s, int sockopt) 72 { 73 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_ifnet", false)) { 74 socklen_t len; 75 int mode; 76 77 len = sizeof(mode); 78 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1) 79 atf_libc_error(errno, "Failed to fetch TLS mode"); 80 81 if (mode != TCP_TLS_MODE_IFNET) 82 atf_tc_skip("connection did not use ifnet TLS"); 83 } 84 85 if (atf_tc_get_config_var_as_bool_wd(tc, "ktls.require_toe", false)) { 86 socklen_t len; 87 int mode; 88 89 len = sizeof(mode); 90 if (getsockopt(s, IPPROTO_TCP, sockopt, &mode, &len) == -1) 91 atf_libc_error(errno, "Failed to fetch TLS mode"); 92 93 if (mode != TCP_TLS_MODE_TOE) 94 atf_tc_skip("connection did not use TOE TLS"); 95 } 96 } 97 98 static char 99 rdigit(void) 100 { 101 /* ASCII printable values between 0x20 and 0x7e */ 102 return (0x20 + random() % (0x7f - 0x20)); 103 } 104 105 static char * 106 alloc_buffer(size_t len) 107 { 108 char *buf; 109 size_t i; 110 111 if (len == 0) 112 return (NULL); 113 buf = malloc(len); 114 for (i = 0; i < len; i++) 115 buf[i] = rdigit(); 116 return (buf); 117 } 118 119 static bool 120 socketpair_tcp(int sv[2]) 121 { 122 struct pollfd pfd; 123 struct sockaddr_in sin; 124 socklen_t len; 125 int as, cs, ls; 126 127 ls = socket(PF_INET, SOCK_STREAM, 0); 128 if (ls == -1) { 129 warn("socket() for listen"); 130 return (false); 131 } 132 133 memset(&sin, 0, sizeof(sin)); 134 sin.sin_len = sizeof(sin); 135 sin.sin_family = AF_INET; 136 sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); 137 if (bind(ls, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 138 warn("bind"); 139 close(ls); 140 return (false); 141 } 142 143 if (listen(ls, 1) == -1) { 144 warn("listen"); 145 close(ls); 146 return (false); 147 } 148 149 len = sizeof(sin); 150 if (getsockname(ls, (struct sockaddr *)&sin, &len) == -1) { 151 warn("getsockname"); 152 close(ls); 153 return (false); 154 } 155 156 cs = socket(PF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0); 157 if (cs == -1) { 158 warn("socket() for connect"); 159 close(ls); 160 return (false); 161 } 162 163 if (connect(cs, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 164 if (errno != EINPROGRESS) { 165 warn("connect"); 166 close(ls); 167 close(cs); 168 return (false); 169 } 170 } 171 172 as = accept4(ls, NULL, NULL, SOCK_NONBLOCK); 173 if (as == -1) { 174 warn("accept4"); 175 close(ls); 176 close(cs); 177 return (false); 178 } 179 180 close(ls); 181 182 pfd.fd = cs; 183 pfd.events = POLLOUT; 184 pfd.revents = 0; 185 ATF_REQUIRE(poll(&pfd, 1, INFTIM) == 1); 186 ATF_REQUIRE(pfd.revents == POLLOUT); 187 188 sv[0] = cs; 189 sv[1] = as; 190 return (true); 191 } 192 193 static bool 194 echo_socket(const atf_tc_t *tc, int sv[2]) 195 { 196 const char *cause, *host, *port; 197 struct addrinfo hints, *ai, *tofree; 198 int error, flags, s; 199 200 host = atf_tc_get_config_var(tc, "ktls.host"); 201 port = atf_tc_get_config_var_wd(tc, "ktls.port", "echo"); 202 memset(&hints, 0, sizeof(hints)); 203 hints.ai_family = AF_UNSPEC; 204 hints.ai_socktype = SOCK_STREAM; 205 hints.ai_protocol = IPPROTO_TCP; 206 error = getaddrinfo(host, port, &hints, &tofree); 207 if (error != 0) { 208 warnx("getaddrinfo(%s:%s) failed: %s", host, port, 209 gai_strerror(error)); 210 return (false); 211 } 212 213 cause = NULL; 214 for (ai = tofree; ai != NULL; ai = ai->ai_next) { 215 s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 216 if (s == -1) { 217 cause = "socket"; 218 error = errno; 219 continue; 220 } 221 222 if (connect(s, ai->ai_addr, ai->ai_addrlen) == -1) { 223 cause = "connect"; 224 error = errno; 225 close(s); 226 continue; 227 } 228 229 freeaddrinfo(tofree); 230 231 ATF_REQUIRE((flags = fcntl(s, F_GETFL)) != -1); 232 flags |= O_NONBLOCK; 233 ATF_REQUIRE(fcntl(s, F_SETFL, flags) != -1); 234 235 sv[0] = s; 236 sv[1] = s; 237 return (true); 238 } 239 240 warnc(error, "%s", cause); 241 freeaddrinfo(tofree); 242 return (false); 243 } 244 245 static bool 246 open_sockets(const atf_tc_t *tc, int sv[2]) 247 { 248 if (atf_tc_has_config_var(tc, "ktls.host")) 249 return (echo_socket(tc, sv)); 250 else 251 return (socketpair_tcp(sv)); 252 } 253 254 static void 255 close_sockets(int sv[2]) 256 { 257 if (sv[0] != sv[1]) 258 ATF_REQUIRE(close(sv[1]) == 0); 259 ATF_REQUIRE(close(sv[0]) == 0); 260 } 261 262 static void 263 fd_set_blocking(int fd) 264 { 265 int flags; 266 267 ATF_REQUIRE((flags = fcntl(fd, F_GETFL)) != -1); 268 flags &= ~O_NONBLOCK; 269 ATF_REQUIRE(fcntl(fd, F_SETFL, flags) != -1); 270 } 271 272 static bool 273 cbc_decrypt(const EVP_CIPHER *cipher, const char *key, const char *iv, 274 const char *input, char *output, size_t size) 275 { 276 EVP_CIPHER_CTX *ctx; 277 int outl, total; 278 279 ctx = EVP_CIPHER_CTX_new(); 280 if (ctx == NULL) { 281 warnx("EVP_CIPHER_CTX_new failed: %s", 282 ERR_error_string(ERR_get_error(), NULL)); 283 return (false); 284 } 285 if (EVP_CipherInit_ex(ctx, cipher, NULL, (const u_char *)key, 286 (const u_char *)iv, 0) != 1) { 287 warnx("EVP_CipherInit_ex failed: %s", 288 ERR_error_string(ERR_get_error(), NULL)); 289 EVP_CIPHER_CTX_free(ctx); 290 return (false); 291 } 292 EVP_CIPHER_CTX_set_padding(ctx, 0); 293 if (EVP_CipherUpdate(ctx, (u_char *)output, &outl, 294 (const u_char *)input, size) != 1) { 295 warnx("EVP_CipherUpdate failed: %s", 296 ERR_error_string(ERR_get_error(), NULL)); 297 EVP_CIPHER_CTX_free(ctx); 298 return (false); 299 } 300 total = outl; 301 if (EVP_CipherFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 302 warnx("EVP_CipherFinal_ex failed: %s", 303 ERR_error_string(ERR_get_error(), NULL)); 304 EVP_CIPHER_CTX_free(ctx); 305 return (false); 306 } 307 total += outl; 308 if ((size_t)total != size) { 309 warnx("decrypt size mismatch: %zu vs %d", size, total); 310 EVP_CIPHER_CTX_free(ctx); 311 return (false); 312 } 313 EVP_CIPHER_CTX_free(ctx); 314 return (true); 315 } 316 317 static bool 318 verify_hash(const EVP_MD *md, const void *key, size_t key_len, const void *aad, 319 size_t aad_len, const void *buffer, size_t len, const void *digest) 320 { 321 HMAC_CTX *ctx; 322 unsigned char digest2[EVP_MAX_MD_SIZE]; 323 u_int digest_len; 324 325 ctx = HMAC_CTX_new(); 326 if (ctx == NULL) { 327 warnx("HMAC_CTX_new failed: %s", 328 ERR_error_string(ERR_get_error(), NULL)); 329 return (false); 330 } 331 if (HMAC_Init_ex(ctx, key, key_len, md, NULL) != 1) { 332 warnx("HMAC_Init_ex failed: %s", 333 ERR_error_string(ERR_get_error(), NULL)); 334 HMAC_CTX_free(ctx); 335 return (false); 336 } 337 if (HMAC_Update(ctx, aad, aad_len) != 1) { 338 warnx("HMAC_Update (aad) failed: %s", 339 ERR_error_string(ERR_get_error(), NULL)); 340 HMAC_CTX_free(ctx); 341 return (false); 342 } 343 if (HMAC_Update(ctx, buffer, len) != 1) { 344 warnx("HMAC_Update (payload) failed: %s", 345 ERR_error_string(ERR_get_error(), NULL)); 346 HMAC_CTX_free(ctx); 347 return (false); 348 } 349 if (HMAC_Final(ctx, digest2, &digest_len) != 1) { 350 warnx("HMAC_Final failed: %s", 351 ERR_error_string(ERR_get_error(), NULL)); 352 HMAC_CTX_free(ctx); 353 return (false); 354 } 355 HMAC_CTX_free(ctx); 356 if (memcmp(digest, digest2, digest_len) != 0) { 357 warnx("HMAC mismatch"); 358 return (false); 359 } 360 return (true); 361 } 362 363 static bool 364 aead_encrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 365 const void *aad, size_t aad_len, const char *input, char *output, 366 size_t size, char *tag, size_t tag_len) 367 { 368 EVP_CIPHER_CTX *ctx; 369 int outl, total; 370 371 ctx = EVP_CIPHER_CTX_new(); 372 if (ctx == NULL) { 373 warnx("EVP_CIPHER_CTX_new failed: %s", 374 ERR_error_string(ERR_get_error(), NULL)); 375 return (false); 376 } 377 if (EVP_EncryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 378 (const u_char *)nonce) != 1) { 379 warnx("EVP_EncryptInit_ex failed: %s", 380 ERR_error_string(ERR_get_error(), NULL)); 381 EVP_CIPHER_CTX_free(ctx); 382 return (false); 383 } 384 EVP_CIPHER_CTX_set_padding(ctx, 0); 385 if (aad != NULL) { 386 if (EVP_EncryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 387 aad_len) != 1) { 388 warnx("EVP_EncryptUpdate for AAD failed: %s", 389 ERR_error_string(ERR_get_error(), NULL)); 390 EVP_CIPHER_CTX_free(ctx); 391 return (false); 392 } 393 } 394 if (EVP_EncryptUpdate(ctx, (u_char *)output, &outl, 395 (const u_char *)input, size) != 1) { 396 warnx("EVP_EncryptUpdate failed: %s", 397 ERR_error_string(ERR_get_error(), NULL)); 398 EVP_CIPHER_CTX_free(ctx); 399 return (false); 400 } 401 total = outl; 402 if (EVP_EncryptFinal_ex(ctx, (u_char *)output + outl, &outl) != 1) { 403 warnx("EVP_EncryptFinal_ex failed: %s", 404 ERR_error_string(ERR_get_error(), NULL)); 405 EVP_CIPHER_CTX_free(ctx); 406 return (false); 407 } 408 total += outl; 409 if ((size_t)total != size) { 410 warnx("encrypt size mismatch: %zu vs %d", size, total); 411 EVP_CIPHER_CTX_free(ctx); 412 return (false); 413 } 414 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, tag) != 415 1) { 416 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_GET_TAG) failed: %s", 417 ERR_error_string(ERR_get_error(), NULL)); 418 EVP_CIPHER_CTX_free(ctx); 419 return (false); 420 } 421 EVP_CIPHER_CTX_free(ctx); 422 return (true); 423 } 424 425 static bool 426 aead_decrypt(const EVP_CIPHER *cipher, const char *key, const char *nonce, 427 const void *aad, size_t aad_len, const char *input, char *output, 428 size_t size, const char *tag, size_t tag_len) 429 { 430 EVP_CIPHER_CTX *ctx; 431 int outl, total; 432 bool valid; 433 434 ctx = EVP_CIPHER_CTX_new(); 435 if (ctx == NULL) { 436 warnx("EVP_CIPHER_CTX_new failed: %s", 437 ERR_error_string(ERR_get_error(), NULL)); 438 return (false); 439 } 440 if (EVP_DecryptInit_ex(ctx, cipher, NULL, (const u_char *)key, 441 (const u_char *)nonce) != 1) { 442 warnx("EVP_DecryptInit_ex failed: %s", 443 ERR_error_string(ERR_get_error(), NULL)); 444 EVP_CIPHER_CTX_free(ctx); 445 return (false); 446 } 447 EVP_CIPHER_CTX_set_padding(ctx, 0); 448 if (aad != NULL) { 449 if (EVP_DecryptUpdate(ctx, NULL, &outl, (const u_char *)aad, 450 aad_len) != 1) { 451 warnx("EVP_DecryptUpdate for AAD failed: %s", 452 ERR_error_string(ERR_get_error(), NULL)); 453 EVP_CIPHER_CTX_free(ctx); 454 return (false); 455 } 456 } 457 if (EVP_DecryptUpdate(ctx, (u_char *)output, &outl, 458 (const u_char *)input, size) != 1) { 459 warnx("EVP_DecryptUpdate failed: %s", 460 ERR_error_string(ERR_get_error(), NULL)); 461 EVP_CIPHER_CTX_free(ctx); 462 return (false); 463 } 464 total = outl; 465 if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, 466 __DECONST(char *, tag)) != 1) { 467 warnx("EVP_CIPHER_CTX_ctrl(EVP_CTRL_AEAD_SET_TAG) failed: %s", 468 ERR_error_string(ERR_get_error(), NULL)); 469 EVP_CIPHER_CTX_free(ctx); 470 return (false); 471 } 472 valid = (EVP_DecryptFinal_ex(ctx, (u_char *)output + outl, &outl) == 1); 473 total += outl; 474 if ((size_t)total != size) { 475 warnx("decrypt size mismatch: %zu vs %d", size, total); 476 EVP_CIPHER_CTX_free(ctx); 477 return (false); 478 } 479 if (!valid) 480 warnx("tag mismatch"); 481 EVP_CIPHER_CTX_free(ctx); 482 return (valid); 483 } 484 485 static void 486 build_tls_enable(int cipher_alg, size_t cipher_key_len, int auth_alg, 487 int minor, uint64_t seqno, struct tls_enable *en) 488 { 489 u_int auth_key_len, iv_len; 490 491 memset(en, 0, sizeof(*en)); 492 493 switch (cipher_alg) { 494 case CRYPTO_AES_CBC: 495 if (minor == TLS_MINOR_VER_ZERO) 496 iv_len = AES_BLOCK_LEN; 497 else 498 iv_len = 0; 499 break; 500 case CRYPTO_AES_NIST_GCM_16: 501 if (minor == TLS_MINOR_VER_TWO) 502 iv_len = TLS_AEAD_GCM_LEN; 503 else 504 iv_len = TLS_1_3_GCM_IV_LEN; 505 break; 506 case CRYPTO_CHACHA20_POLY1305: 507 iv_len = TLS_CHACHA20_IV_LEN; 508 break; 509 default: 510 iv_len = 0; 511 break; 512 } 513 switch (auth_alg) { 514 case CRYPTO_SHA1_HMAC: 515 auth_key_len = SHA1_HASH_LEN; 516 break; 517 case CRYPTO_SHA2_256_HMAC: 518 auth_key_len = SHA2_256_HASH_LEN; 519 break; 520 case CRYPTO_SHA2_384_HMAC: 521 auth_key_len = SHA2_384_HASH_LEN; 522 break; 523 default: 524 auth_key_len = 0; 525 break; 526 } 527 en->cipher_key = alloc_buffer(cipher_key_len); 528 en->iv = alloc_buffer(iv_len); 529 en->auth_key = alloc_buffer(auth_key_len); 530 en->cipher_algorithm = cipher_alg; 531 en->cipher_key_len = cipher_key_len; 532 en->iv_len = iv_len; 533 en->auth_algorithm = auth_alg; 534 en->auth_key_len = auth_key_len; 535 en->tls_vmajor = TLS_MAJOR_VER_ONE; 536 en->tls_vminor = minor; 537 be64enc(en->rec_seq, seqno); 538 } 539 540 static void 541 free_tls_enable(struct tls_enable *en) 542 { 543 free(__DECONST(void *, en->cipher_key)); 544 free(__DECONST(void *, en->iv)); 545 free(__DECONST(void *, en->auth_key)); 546 } 547 548 static const EVP_CIPHER * 549 tls_EVP_CIPHER(const struct tls_enable *en) 550 { 551 switch (en->cipher_algorithm) { 552 case CRYPTO_AES_CBC: 553 switch (en->cipher_key_len) { 554 case 128 / 8: 555 return (EVP_aes_128_cbc()); 556 case 256 / 8: 557 return (EVP_aes_256_cbc()); 558 default: 559 return (NULL); 560 } 561 break; 562 case CRYPTO_AES_NIST_GCM_16: 563 switch (en->cipher_key_len) { 564 case 128 / 8: 565 return (EVP_aes_128_gcm()); 566 case 256 / 8: 567 return (EVP_aes_256_gcm()); 568 default: 569 return (NULL); 570 } 571 break; 572 case CRYPTO_CHACHA20_POLY1305: 573 return (EVP_chacha20_poly1305()); 574 default: 575 return (NULL); 576 } 577 } 578 579 static const EVP_MD * 580 tls_EVP_MD(const struct tls_enable *en) 581 { 582 switch (en->auth_algorithm) { 583 case CRYPTO_SHA1_HMAC: 584 return (EVP_sha1()); 585 case CRYPTO_SHA2_256_HMAC: 586 return (EVP_sha256()); 587 case CRYPTO_SHA2_384_HMAC: 588 return (EVP_sha384()); 589 default: 590 return (NULL); 591 } 592 } 593 594 static size_t 595 tls_header_len(struct tls_enable *en) 596 { 597 size_t len; 598 599 len = sizeof(struct tls_record_layer); 600 switch (en->cipher_algorithm) { 601 case CRYPTO_AES_CBC: 602 if (en->tls_vminor != TLS_MINOR_VER_ZERO) 603 len += AES_BLOCK_LEN; 604 return (len); 605 case CRYPTO_AES_NIST_GCM_16: 606 if (en->tls_vminor == TLS_MINOR_VER_TWO) 607 len += sizeof(uint64_t); 608 return (len); 609 case CRYPTO_CHACHA20_POLY1305: 610 return (len); 611 default: 612 return (0); 613 } 614 } 615 616 static size_t 617 tls_mac_len(struct tls_enable *en) 618 { 619 switch (en->cipher_algorithm) { 620 case CRYPTO_AES_CBC: 621 switch (en->auth_algorithm) { 622 case CRYPTO_SHA1_HMAC: 623 return (SHA1_HASH_LEN); 624 case CRYPTO_SHA2_256_HMAC: 625 return (SHA2_256_HASH_LEN); 626 case CRYPTO_SHA2_384_HMAC: 627 return (SHA2_384_HASH_LEN); 628 default: 629 return (0); 630 } 631 case CRYPTO_AES_NIST_GCM_16: 632 return (AES_GMAC_HASH_LEN); 633 case CRYPTO_CHACHA20_POLY1305: 634 return (POLY1305_HASH_LEN); 635 default: 636 return (0); 637 } 638 } 639 640 /* Includes maximum padding for MTE. */ 641 static size_t 642 tls_trailer_len(struct tls_enable *en) 643 { 644 size_t len; 645 646 len = tls_mac_len(en); 647 if (en->cipher_algorithm == CRYPTO_AES_CBC) 648 len += AES_BLOCK_LEN; 649 if (en->tls_vminor == TLS_MINOR_VER_THREE) 650 len++; 651 return (len); 652 } 653 654 /* 'len' is the length of the payload application data. */ 655 static void 656 tls_mte_aad(struct tls_enable *en, size_t len, 657 const struct tls_record_layer *hdr, uint64_t seqno, struct tls_mac_data *ad) 658 { 659 ad->seq = htobe64(seqno); 660 ad->type = hdr->tls_type; 661 ad->tls_vmajor = hdr->tls_vmajor; 662 ad->tls_vminor = hdr->tls_vminor; 663 ad->tls_length = htons(len); 664 } 665 666 static void 667 tls_12_aead_aad(struct tls_enable *en, size_t len, 668 const struct tls_record_layer *hdr, uint64_t seqno, 669 struct tls_aead_data *ad) 670 { 671 ad->seq = htobe64(seqno); 672 ad->type = hdr->tls_type; 673 ad->tls_vmajor = hdr->tls_vmajor; 674 ad->tls_vminor = hdr->tls_vminor; 675 ad->tls_length = htons(len); 676 } 677 678 static void 679 tls_13_aad(struct tls_enable *en, const struct tls_record_layer *hdr, 680 uint64_t seqno, struct tls_aead_data_13 *ad) 681 { 682 ad->type = hdr->tls_type; 683 ad->tls_vmajor = hdr->tls_vmajor; 684 ad->tls_vminor = hdr->tls_vminor; 685 ad->tls_length = hdr->tls_length; 686 } 687 688 static void 689 tls_12_gcm_nonce(struct tls_enable *en, const struct tls_record_layer *hdr, 690 char *nonce) 691 { 692 memcpy(nonce, en->iv, TLS_AEAD_GCM_LEN); 693 memcpy(nonce + TLS_AEAD_GCM_LEN, hdr + 1, sizeof(uint64_t)); 694 } 695 696 static void 697 tls_13_nonce(struct tls_enable *en, uint64_t seqno, char *nonce) 698 { 699 static_assert(TLS_1_3_GCM_IV_LEN == TLS_CHACHA20_IV_LEN, 700 "TLS 1.3 nonce length mismatch"); 701 memcpy(nonce, en->iv, TLS_1_3_GCM_IV_LEN); 702 *(uint64_t *)(nonce + 4) ^= htobe64(seqno); 703 } 704 705 /* 706 * Decrypt a TLS record 'len' bytes long at 'src' and store the result at 707 * 'dst'. If the TLS record header length doesn't match or 'dst' doesn't 708 * have sufficient room ('avail'), fail the test. 709 */ 710 static size_t 711 decrypt_tls_aes_cbc_mte(struct tls_enable *en, uint64_t seqno, const void *src, 712 size_t len, void *dst, size_t avail, uint8_t *record_type) 713 { 714 const struct tls_record_layer *hdr; 715 struct tls_mac_data aad; 716 const char *iv; 717 char *buf; 718 size_t hdr_len, mac_len, payload_len; 719 int padding; 720 721 hdr = src; 722 hdr_len = tls_header_len(en); 723 mac_len = tls_mac_len(en); 724 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 725 ATF_REQUIRE(hdr->tls_vminor == en->tls_vminor); 726 727 /* First, decrypt the outer payload into a temporary buffer. */ 728 payload_len = len - hdr_len; 729 buf = malloc(payload_len); 730 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 731 iv = en->iv; 732 else 733 iv = (void *)(hdr + 1); 734 ATF_REQUIRE(cbc_decrypt(tls_EVP_CIPHER(en), en->cipher_key, iv, 735 (const u_char *)src + hdr_len, buf, payload_len)); 736 737 /* 738 * Copy the last encrypted block to use as the IV for the next 739 * record for TLS 1.0. 740 */ 741 if (en->tls_vminor == TLS_MINOR_VER_ZERO) 742 memcpy(__DECONST(uint8_t *, en->iv), (const u_char *)src + 743 (len - AES_BLOCK_LEN), AES_BLOCK_LEN); 744 745 /* 746 * Verify trailing padding and strip. 747 * 748 * The kernel always generates the smallest amount of padding. 749 */ 750 padding = buf[payload_len - 1] + 1; 751 ATF_REQUIRE(padding > 0 && padding <= AES_BLOCK_LEN); 752 ATF_REQUIRE(payload_len >= mac_len + padding); 753 payload_len -= padding; 754 755 /* Verify HMAC. */ 756 payload_len -= mac_len; 757 tls_mte_aad(en, payload_len, hdr, seqno, &aad); 758 ATF_REQUIRE(verify_hash(tls_EVP_MD(en), en->auth_key, en->auth_key_len, 759 &aad, sizeof(aad), buf, payload_len, buf + payload_len)); 760 761 ATF_REQUIRE(payload_len <= avail); 762 memcpy(dst, buf, payload_len); 763 *record_type = hdr->tls_type; 764 return (payload_len); 765 } 766 767 static size_t 768 decrypt_tls_12_aead(struct tls_enable *en, uint64_t seqno, const void *src, 769 size_t len, void *dst, uint8_t *record_type) 770 { 771 const struct tls_record_layer *hdr; 772 struct tls_aead_data aad; 773 char nonce[12]; 774 size_t hdr_len, mac_len, payload_len; 775 776 hdr = src; 777 778 hdr_len = tls_header_len(en); 779 mac_len = tls_mac_len(en); 780 payload_len = len - (hdr_len + mac_len); 781 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 782 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 783 784 tls_12_aead_aad(en, payload_len, hdr, seqno, &aad); 785 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 786 tls_12_gcm_nonce(en, hdr, nonce); 787 else 788 tls_13_nonce(en, seqno, nonce); 789 790 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 791 &aad, sizeof(aad), (const char *)src + hdr_len, dst, payload_len, 792 (const char *)src + hdr_len + payload_len, mac_len)); 793 794 *record_type = hdr->tls_type; 795 return (payload_len); 796 } 797 798 static size_t 799 decrypt_tls_13_aead(struct tls_enable *en, uint64_t seqno, const void *src, 800 size_t len, void *dst, uint8_t *record_type) 801 { 802 const struct tls_record_layer *hdr; 803 struct tls_aead_data_13 aad; 804 char nonce[12]; 805 char *buf; 806 size_t hdr_len, mac_len, payload_len; 807 808 hdr = src; 809 810 hdr_len = tls_header_len(en); 811 mac_len = tls_mac_len(en); 812 payload_len = len - (hdr_len + mac_len); 813 ATF_REQUIRE(payload_len >= 1); 814 ATF_REQUIRE(hdr->tls_type == TLS_RLTYPE_APP); 815 ATF_REQUIRE(hdr->tls_vmajor == TLS_MAJOR_VER_ONE); 816 ATF_REQUIRE(hdr->tls_vminor == TLS_MINOR_VER_TWO); 817 818 tls_13_aad(en, hdr, seqno, &aad); 819 tls_13_nonce(en, seqno, nonce); 820 821 /* 822 * Have to use a temporary buffer for the output due to the 823 * record type as the last byte of the trailer. 824 */ 825 buf = malloc(payload_len); 826 827 ATF_REQUIRE(aead_decrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 828 &aad, sizeof(aad), (const char *)src + hdr_len, buf, payload_len, 829 (const char *)src + hdr_len + payload_len, mac_len)); 830 831 /* Trim record type. */ 832 *record_type = buf[payload_len - 1]; 833 payload_len--; 834 835 memcpy(dst, buf, payload_len); 836 free(buf); 837 838 return (payload_len); 839 } 840 841 static size_t 842 decrypt_tls_aead(struct tls_enable *en, uint64_t seqno, const void *src, 843 size_t len, void *dst, size_t avail, uint8_t *record_type) 844 { 845 const struct tls_record_layer *hdr; 846 size_t payload_len; 847 848 hdr = src; 849 ATF_REQUIRE(ntohs(hdr->tls_length) + sizeof(*hdr) == len); 850 851 payload_len = len - (tls_header_len(en) + tls_trailer_len(en)); 852 ATF_REQUIRE(payload_len <= avail); 853 854 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 855 ATF_REQUIRE(decrypt_tls_12_aead(en, seqno, src, len, dst, 856 record_type) == payload_len); 857 } else { 858 ATF_REQUIRE(decrypt_tls_13_aead(en, seqno, src, len, dst, 859 record_type) == payload_len); 860 } 861 862 return (payload_len); 863 } 864 865 static size_t 866 decrypt_tls_record(struct tls_enable *en, uint64_t seqno, const void *src, 867 size_t len, void *dst, size_t avail, uint8_t *record_type) 868 { 869 if (en->cipher_algorithm == CRYPTO_AES_CBC) 870 return (decrypt_tls_aes_cbc_mte(en, seqno, src, len, dst, avail, 871 record_type)); 872 else 873 return (decrypt_tls_aead(en, seqno, src, len, dst, avail, 874 record_type)); 875 } 876 877 /* 878 * Encrypt a TLS record of type 'record_type' with payload 'len' bytes 879 * long at 'src' and store the result at 'dst'. If 'dst' doesn't have 880 * sufficient room ('avail'), fail the test. 881 */ 882 static size_t 883 encrypt_tls_12_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 884 const void *src, size_t len, void *dst) 885 { 886 struct tls_record_layer *hdr; 887 struct tls_aead_data aad; 888 char nonce[12]; 889 size_t hdr_len, mac_len, record_len; 890 891 hdr = dst; 892 893 hdr_len = tls_header_len(en); 894 mac_len = tls_mac_len(en); 895 record_len = hdr_len + len + mac_len; 896 897 hdr->tls_type = record_type; 898 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 899 hdr->tls_vminor = TLS_MINOR_VER_TWO; 900 hdr->tls_length = htons(record_len - sizeof(*hdr)); 901 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 902 memcpy(hdr + 1, &seqno, sizeof(seqno)); 903 904 tls_12_aead_aad(en, len, hdr, seqno, &aad); 905 if (en->cipher_algorithm == CRYPTO_AES_NIST_GCM_16) 906 tls_12_gcm_nonce(en, hdr, nonce); 907 else 908 tls_13_nonce(en, seqno, nonce); 909 910 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 911 &aad, sizeof(aad), src, (char *)dst + hdr_len, len, 912 (char *)dst + hdr_len + len, mac_len)); 913 914 return (record_len); 915 } 916 917 static size_t 918 encrypt_tls_13_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 919 const void *src, size_t len, void *dst, size_t padding) 920 { 921 struct tls_record_layer *hdr; 922 struct tls_aead_data_13 aad; 923 char nonce[12]; 924 char *buf; 925 size_t hdr_len, mac_len, record_len; 926 927 hdr = dst; 928 929 hdr_len = tls_header_len(en); 930 mac_len = tls_mac_len(en); 931 record_len = hdr_len + len + 1 + padding + mac_len; 932 933 hdr->tls_type = TLS_RLTYPE_APP; 934 hdr->tls_vmajor = TLS_MAJOR_VER_ONE; 935 hdr->tls_vminor = TLS_MINOR_VER_TWO; 936 hdr->tls_length = htons(record_len - sizeof(*hdr)); 937 938 tls_13_aad(en, hdr, seqno, &aad); 939 tls_13_nonce(en, seqno, nonce); 940 941 /* 942 * Have to use a temporary buffer for the input so that the record 943 * type can be appended. 944 */ 945 buf = malloc(len + 1 + padding); 946 memcpy(buf, src, len); 947 buf[len] = record_type; 948 memset(buf + len + 1, 0, padding); 949 950 ATF_REQUIRE(aead_encrypt(tls_EVP_CIPHER(en), en->cipher_key, nonce, 951 &aad, sizeof(aad), buf, (char *)dst + hdr_len, len + 1 + padding, 952 (char *)dst + hdr_len + len + 1 + padding, mac_len)); 953 954 free(buf); 955 956 return (record_len); 957 } 958 959 static size_t 960 encrypt_tls_aead(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 961 const void *src, size_t len, void *dst, size_t avail, size_t padding) 962 { 963 size_t record_len; 964 965 record_len = tls_header_len(en) + len + padding + tls_trailer_len(en); 966 ATF_REQUIRE(record_len <= avail); 967 968 if (en->tls_vminor == TLS_MINOR_VER_TWO) { 969 ATF_REQUIRE(padding == 0); 970 ATF_REQUIRE(encrypt_tls_12_aead(en, record_type, seqno, src, 971 len, dst) == record_len); 972 } else 973 ATF_REQUIRE(encrypt_tls_13_aead(en, record_type, seqno, src, 974 len, dst, padding) == record_len); 975 976 return (record_len); 977 } 978 979 static size_t 980 encrypt_tls_record(struct tls_enable *en, uint8_t record_type, uint64_t seqno, 981 const void *src, size_t len, void *dst, size_t avail, size_t padding) 982 { 983 return (encrypt_tls_aead(en, record_type, seqno, src, len, dst, avail, 984 padding)); 985 } 986 987 static void 988 test_ktls_transmit_app_data(const atf_tc_t *tc, struct tls_enable *en, 989 uint64_t seqno, size_t len) 990 { 991 struct kevent ev; 992 struct tls_record_layer *hdr; 993 char *plaintext, *decrypted, *outbuf; 994 size_t decrypted_len, outbuf_len, outbuf_cap, record_len, written; 995 ssize_t rv; 996 int kq, sockets[2]; 997 uint8_t record_type; 998 999 plaintext = alloc_buffer(len); 1000 decrypted = malloc(len); 1001 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1002 tls_trailer_len(en); 1003 outbuf = malloc(outbuf_cap); 1004 hdr = (struct tls_record_layer *)outbuf; 1005 1006 ATF_REQUIRE((kq = kqueue()) != -1); 1007 1008 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1009 1010 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1011 sizeof(*en)) == 0); 1012 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1013 1014 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1015 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1016 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1017 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1018 1019 decrypted_len = 0; 1020 outbuf_len = 0; 1021 written = 0; 1022 1023 while (decrypted_len != len) { 1024 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1025 1026 switch (ev.filter) { 1027 case EVFILT_WRITE: 1028 /* Try to write any remaining data. */ 1029 rv = write(ev.ident, plaintext + written, 1030 len - written); 1031 ATF_REQUIRE_MSG(rv > 0, 1032 "failed to write to socket"); 1033 written += rv; 1034 if (written == len) { 1035 ev.flags = EV_DISABLE; 1036 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1037 NULL) == 0); 1038 } 1039 break; 1040 1041 case EVFILT_READ: 1042 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1043 1044 /* 1045 * Try to read data for the next TLS record 1046 * into outbuf. Start by reading the header 1047 * to determine how much additional data to 1048 * read. 1049 */ 1050 if (outbuf_len < sizeof(struct tls_record_layer)) { 1051 rv = read(ev.ident, outbuf + outbuf_len, 1052 sizeof(struct tls_record_layer) - 1053 outbuf_len); 1054 ATF_REQUIRE_MSG(rv > 0, 1055 "failed to read from socket"); 1056 outbuf_len += rv; 1057 } 1058 1059 if (outbuf_len < sizeof(struct tls_record_layer)) 1060 break; 1061 1062 record_len = sizeof(struct tls_record_layer) + 1063 ntohs(hdr->tls_length); 1064 ATF_REQUIRE(record_len <= outbuf_cap); 1065 ATF_REQUIRE(record_len > outbuf_len); 1066 rv = read(ev.ident, outbuf + outbuf_len, 1067 record_len - outbuf_len); 1068 if (rv == -1 && errno == EAGAIN) 1069 break; 1070 ATF_REQUIRE_MSG(rv > 0, "failed to read from socket"); 1071 1072 outbuf_len += rv; 1073 if (outbuf_len == record_len) { 1074 decrypted_len += decrypt_tls_record(en, seqno, 1075 outbuf, outbuf_len, 1076 decrypted + decrypted_len, 1077 len - decrypted_len, &record_type); 1078 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1079 1080 seqno++; 1081 outbuf_len = 0; 1082 } 1083 break; 1084 } 1085 } 1086 1087 ATF_REQUIRE_MSG(written == decrypted_len, 1088 "read %zu decrypted bytes, but wrote %zu", decrypted_len, written); 1089 1090 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1091 1092 free(outbuf); 1093 free(decrypted); 1094 free(plaintext); 1095 1096 close_sockets(sockets); 1097 ATF_REQUIRE(close(kq) == 0); 1098 } 1099 1100 static void 1101 ktls_send_control_message(int fd, uint8_t type, void *data, size_t len) 1102 { 1103 struct msghdr msg; 1104 struct cmsghdr *cmsg; 1105 char cbuf[CMSG_SPACE(sizeof(type))]; 1106 struct iovec iov; 1107 1108 memset(&msg, 0, sizeof(msg)); 1109 1110 msg.msg_control = cbuf; 1111 msg.msg_controllen = sizeof(cbuf); 1112 cmsg = CMSG_FIRSTHDR(&msg); 1113 cmsg->cmsg_level = IPPROTO_TCP; 1114 cmsg->cmsg_type = TLS_SET_RECORD_TYPE; 1115 cmsg->cmsg_len = CMSG_LEN(sizeof(type)); 1116 *(uint8_t *)CMSG_DATA(cmsg) = type; 1117 1118 iov.iov_base = data; 1119 iov.iov_len = len; 1120 msg.msg_iov = &iov; 1121 msg.msg_iovlen = 1; 1122 1123 ATF_REQUIRE(sendmsg(fd, &msg, 0) == (ssize_t)len); 1124 } 1125 1126 static void 1127 test_ktls_transmit_control(const atf_tc_t *tc, struct tls_enable *en, 1128 uint64_t seqno, uint8_t type, size_t len) 1129 { 1130 struct tls_record_layer *hdr; 1131 char *plaintext, *decrypted, *outbuf; 1132 size_t outbuf_cap, payload_len, record_len; 1133 ssize_t rv; 1134 int sockets[2]; 1135 uint8_t record_type; 1136 1137 ATF_REQUIRE(len <= TLS_MAX_MSG_SIZE_V10_2); 1138 1139 plaintext = alloc_buffer(len); 1140 decrypted = malloc(len); 1141 outbuf_cap = tls_header_len(en) + len + tls_trailer_len(en); 1142 outbuf = malloc(outbuf_cap); 1143 hdr = (struct tls_record_layer *)outbuf; 1144 1145 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1146 1147 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1148 sizeof(*en)) == 0); 1149 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1150 1151 fd_set_blocking(sockets[0]); 1152 fd_set_blocking(sockets[1]); 1153 1154 ktls_send_control_message(sockets[1], type, plaintext, len); 1155 1156 /* 1157 * First read the header to determine how much additional data 1158 * to read. 1159 */ 1160 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1161 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1162 payload_len = ntohs(hdr->tls_length); 1163 record_len = payload_len + sizeof(struct tls_record_layer); 1164 ATF_REQUIRE(record_len <= outbuf_cap); 1165 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1166 payload_len); 1167 ATF_REQUIRE(rv == (ssize_t)payload_len); 1168 1169 rv = decrypt_tls_record(en, seqno, outbuf, record_len, decrypted, len, 1170 &record_type); 1171 1172 ATF_REQUIRE_MSG((ssize_t)len == rv, 1173 "read %zd decrypted bytes, but wrote %zu", rv, len); 1174 ATF_REQUIRE(record_type == type); 1175 1176 ATF_REQUIRE(memcmp(plaintext, decrypted, len) == 0); 1177 1178 free(outbuf); 1179 free(decrypted); 1180 free(plaintext); 1181 1182 close_sockets(sockets); 1183 } 1184 1185 static void 1186 test_ktls_transmit_empty_fragment(const atf_tc_t *tc, struct tls_enable *en, 1187 uint64_t seqno) 1188 { 1189 struct tls_record_layer *hdr; 1190 char *outbuf; 1191 size_t outbuf_cap, payload_len, record_len; 1192 ssize_t rv; 1193 int sockets[2]; 1194 uint8_t record_type; 1195 1196 outbuf_cap = tls_header_len(en) + tls_trailer_len(en); 1197 outbuf = malloc(outbuf_cap); 1198 hdr = (struct tls_record_layer *)outbuf; 1199 1200 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1201 1202 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1203 sizeof(*en)) == 0); 1204 check_tls_mode(tc, sockets[1], TCP_TXTLS_MODE); 1205 1206 fd_set_blocking(sockets[0]); 1207 fd_set_blocking(sockets[1]); 1208 1209 /* 1210 * A write of zero bytes should send an empty fragment only for 1211 * TLS 1.0, otherwise an error should be raised. 1212 */ 1213 rv = write(sockets[1], NULL, 0); 1214 if (rv == 0) { 1215 ATF_REQUIRE(en->cipher_algorithm == CRYPTO_AES_CBC); 1216 ATF_REQUIRE(en->tls_vminor == TLS_MINOR_VER_ZERO); 1217 } else { 1218 ATF_REQUIRE(rv == -1); 1219 ATF_REQUIRE(errno == EINVAL); 1220 goto out; 1221 } 1222 1223 /* 1224 * First read the header to determine how much additional data 1225 * to read. 1226 */ 1227 rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); 1228 ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); 1229 payload_len = ntohs(hdr->tls_length); 1230 record_len = payload_len + sizeof(struct tls_record_layer); 1231 ATF_REQUIRE(record_len <= outbuf_cap); 1232 rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), 1233 payload_len); 1234 ATF_REQUIRE(rv == (ssize_t)payload_len); 1235 1236 rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, 1237 &record_type); 1238 1239 ATF_REQUIRE_MSG(rv == 0, 1240 "read %zd decrypted bytes for an empty fragment", rv); 1241 ATF_REQUIRE(record_type == TLS_RLTYPE_APP); 1242 1243 out: 1244 free(outbuf); 1245 1246 close_sockets(sockets); 1247 } 1248 1249 static size_t 1250 ktls_receive_tls_record(struct tls_enable *en, int fd, uint8_t record_type, 1251 void *data, size_t len) 1252 { 1253 struct msghdr msg; 1254 struct cmsghdr *cmsg; 1255 struct tls_get_record *tgr; 1256 char cbuf[CMSG_SPACE(sizeof(*tgr))]; 1257 struct iovec iov; 1258 ssize_t rv; 1259 1260 memset(&msg, 0, sizeof(msg)); 1261 1262 msg.msg_control = cbuf; 1263 msg.msg_controllen = sizeof(cbuf); 1264 1265 iov.iov_base = data; 1266 iov.iov_len = len; 1267 msg.msg_iov = &iov; 1268 msg.msg_iovlen = 1; 1269 1270 ATF_REQUIRE((rv = recvmsg(fd, &msg, 0)) > 0); 1271 1272 ATF_REQUIRE((msg.msg_flags & (MSG_EOR | MSG_CTRUNC)) == MSG_EOR); 1273 1274 cmsg = CMSG_FIRSTHDR(&msg); 1275 ATF_REQUIRE(cmsg != NULL); 1276 ATF_REQUIRE(cmsg->cmsg_level == IPPROTO_TCP); 1277 ATF_REQUIRE(cmsg->cmsg_type == TLS_GET_RECORD); 1278 ATF_REQUIRE(cmsg->cmsg_len == CMSG_LEN(sizeof(*tgr))); 1279 1280 tgr = (struct tls_get_record *)CMSG_DATA(cmsg); 1281 ATF_REQUIRE(tgr->tls_type == record_type); 1282 ATF_REQUIRE(tgr->tls_vmajor == en->tls_vmajor); 1283 /* XXX: Not sure if this is what OpenSSL expects? */ 1284 if (en->tls_vminor == TLS_MINOR_VER_THREE) 1285 ATF_REQUIRE(tgr->tls_vminor == TLS_MINOR_VER_TWO); 1286 else 1287 ATF_REQUIRE(tgr->tls_vminor == en->tls_vminor); 1288 ATF_REQUIRE(tgr->tls_length == htons(rv)); 1289 1290 return (rv); 1291 } 1292 1293 static void 1294 test_ktls_receive_app_data(const atf_tc_t *tc, struct tls_enable *en, 1295 uint64_t seqno, size_t len, size_t padding) 1296 { 1297 struct kevent ev; 1298 char *plaintext, *received, *outbuf; 1299 size_t outbuf_cap, outbuf_len, outbuf_sent, received_len, todo, written; 1300 ssize_t rv; 1301 int kq, sockets[2]; 1302 1303 plaintext = alloc_buffer(len); 1304 received = malloc(len); 1305 outbuf_cap = tls_header_len(en) + TLS_MAX_MSG_SIZE_V10_2 + 1306 tls_trailer_len(en); 1307 outbuf = malloc(outbuf_cap); 1308 1309 ATF_REQUIRE((kq = kqueue()) != -1); 1310 1311 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1312 1313 ATF_REQUIRE(setsockopt(sockets[0], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1314 sizeof(*en)) == 0); 1315 check_tls_mode(tc, sockets[0], TCP_RXTLS_MODE); 1316 1317 EV_SET(&ev, sockets[0], EVFILT_READ, EV_ADD, 0, 0, NULL); 1318 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1319 EV_SET(&ev, sockets[1], EVFILT_WRITE, EV_ADD, 0, 0, NULL); 1320 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, NULL) == 0); 1321 1322 received_len = 0; 1323 outbuf_len = 0; 1324 written = 0; 1325 1326 while (received_len != len) { 1327 ATF_REQUIRE(kevent(kq, NULL, 0, &ev, 1, NULL) == 1); 1328 1329 switch (ev.filter) { 1330 case EVFILT_WRITE: 1331 /* 1332 * Compose the next TLS record to send. 1333 */ 1334 if (outbuf_len == 0) { 1335 ATF_REQUIRE(written < len); 1336 todo = len - written; 1337 if (todo > TLS_MAX_MSG_SIZE_V10_2 - padding) 1338 todo = TLS_MAX_MSG_SIZE_V10_2 - padding; 1339 outbuf_len = encrypt_tls_record(en, 1340 TLS_RLTYPE_APP, seqno, plaintext + written, 1341 todo, outbuf, outbuf_cap, padding); 1342 outbuf_sent = 0; 1343 written += todo; 1344 seqno++; 1345 } 1346 1347 /* 1348 * Try to write the remainder of the current 1349 * TLS record. 1350 */ 1351 rv = write(ev.ident, outbuf + outbuf_sent, 1352 outbuf_len - outbuf_sent); 1353 ATF_REQUIRE_MSG(rv > 0, 1354 "failed to write to socket"); 1355 outbuf_sent += rv; 1356 if (outbuf_sent == outbuf_len) { 1357 outbuf_len = 0; 1358 if (written == len) { 1359 ev.flags = EV_DISABLE; 1360 ATF_REQUIRE(kevent(kq, &ev, 1, NULL, 0, 1361 NULL) == 0); 1362 } 1363 } 1364 break; 1365 1366 case EVFILT_READ: 1367 ATF_REQUIRE((ev.flags & EV_EOF) == 0); 1368 1369 rv = ktls_receive_tls_record(en, ev.ident, 1370 TLS_RLTYPE_APP, received + received_len, 1371 len - received_len); 1372 received_len += rv; 1373 break; 1374 } 1375 } 1376 1377 ATF_REQUIRE_MSG(written == received_len, 1378 "read %zu decrypted bytes, but wrote %zu", received_len, written); 1379 1380 ATF_REQUIRE(memcmp(plaintext, received, len) == 0); 1381 1382 free(outbuf); 1383 free(received); 1384 free(plaintext); 1385 1386 close_sockets(sockets); 1387 ATF_REQUIRE(close(kq) == 0); 1388 } 1389 1390 #define TLS_10_TESTS(M) \ 1391 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1392 CRYPTO_SHA1_HMAC) \ 1393 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1394 CRYPTO_SHA1_HMAC) 1395 1396 #define TLS_13_TESTS(M) \ 1397 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1398 TLS_MINOR_VER_THREE) \ 1399 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1400 TLS_MINOR_VER_THREE) \ 1401 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1402 TLS_MINOR_VER_THREE) 1403 1404 #define AES_CBC_TESTS(M) \ 1405 M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1406 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1407 M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1408 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ 1409 M(aes128_cbc_1_1_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1410 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1411 M(aes256_cbc_1_1_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1412 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ONE) \ 1413 M(aes128_cbc_1_2_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1414 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1415 M(aes256_cbc_1_2_sha1, CRYPTO_AES_CBC, 256 / 8, \ 1416 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_TWO) \ 1417 M(aes128_cbc_1_2_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1418 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1419 M(aes256_cbc_1_2_sha256, CRYPTO_AES_CBC, 256 / 8, \ 1420 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_TWO) \ 1421 M(aes128_cbc_1_2_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1422 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1423 M(aes256_cbc_1_2_sha384, CRYPTO_AES_CBC, 256 / 8, \ 1424 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_TWO) \ 1425 1426 #define AES_GCM_TESTS(M) \ 1427 M(aes128_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1428 TLS_MINOR_VER_TWO) \ 1429 M(aes256_gcm_1_2, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1430 TLS_MINOR_VER_TWO) \ 1431 M(aes128_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1432 TLS_MINOR_VER_THREE) \ 1433 M(aes256_gcm_1_3, CRYPTO_AES_NIST_GCM_16, 256 / 8, 0, \ 1434 TLS_MINOR_VER_THREE) 1435 1436 #define CHACHA20_TESTS(M) \ 1437 M(chacha20_poly1305_1_2, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1438 TLS_MINOR_VER_TWO) \ 1439 M(chacha20_poly1305_1_3, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1440 TLS_MINOR_VER_THREE) 1441 1442 #define GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1443 auth_alg, minor, name, len) \ 1444 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1445 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1446 { \ 1447 struct tls_enable en; \ 1448 uint64_t seqno; \ 1449 \ 1450 ATF_REQUIRE_KTLS(); \ 1451 seqno = random(); \ 1452 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1453 &en); \ 1454 test_ktls_transmit_app_data(tc, &en, seqno, len); \ 1455 free_tls_enable(&en); \ 1456 } 1457 1458 #define ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1459 auth_alg, minor, name) \ 1460 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1461 1462 #define GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1463 auth_alg, minor, name, type, len) \ 1464 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_##name); \ 1465 ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ 1466 { \ 1467 struct tls_enable en; \ 1468 uint64_t seqno; \ 1469 \ 1470 ATF_REQUIRE_KTLS(); \ 1471 seqno = random(); \ 1472 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1473 &en); \ 1474 test_ktls_transmit_control(tc, &en, seqno, type, len); \ 1475 free_tls_enable(&en); \ 1476 } 1477 1478 #define ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1479 auth_alg, minor, name) \ 1480 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); 1481 1482 #define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1483 key_size, auth_alg, minor) \ 1484 ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ 1485 ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ 1486 { \ 1487 struct tls_enable en; \ 1488 uint64_t seqno; \ 1489 \ 1490 ATF_REQUIRE_KTLS(); \ 1491 seqno = random(); \ 1492 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1493 &en); \ 1494 test_ktls_transmit_empty_fragment(tc, &en, seqno); \ 1495 free_tls_enable(&en); \ 1496 } 1497 1498 #define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ 1499 key_size, auth_alg, minor) \ 1500 ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); 1501 1502 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1503 minor) \ 1504 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1505 auth_alg, minor, short, 64) \ 1506 GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1507 auth_alg, minor, long, 64 * 1024) \ 1508 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1509 auth_alg, minor, control, 0x21 /* Alert */, 32) 1510 1511 #define ADD_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1512 minor) \ 1513 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1514 auth_alg, minor, short) \ 1515 ADD_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1516 auth_alg, minor, long) \ 1517 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1518 auth_alg, minor, control) 1519 1520 /* 1521 * For each supported cipher suite, run three transmit tests: 1522 * 1523 * - a short test which sends 64 bytes of application data (likely as 1524 * a single TLS record) 1525 * 1526 * - a long test which sends 64KB of application data (split across 1527 * multiple TLS records) 1528 * 1529 * - a control test which sends a single record with a specific 1530 * content type via sendmsg() 1531 */ 1532 AES_CBC_TESTS(GEN_TRANSMIT_TESTS); 1533 AES_GCM_TESTS(GEN_TRANSMIT_TESTS); 1534 CHACHA20_TESTS(GEN_TRANSMIT_TESTS); 1535 1536 #define GEN_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1537 auth_alg, minor) \ 1538 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1539 auth_alg, minor, padding_1, 0x21 /* Alert */, 1) \ 1540 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1541 auth_alg, minor, padding_2, 0x21 /* Alert */, 2) \ 1542 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1543 auth_alg, minor, padding_3, 0x21 /* Alert */, 3) \ 1544 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1545 auth_alg, minor, padding_4, 0x21 /* Alert */, 4) \ 1546 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1547 auth_alg, minor, padding_5, 0x21 /* Alert */, 5) \ 1548 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1549 auth_alg, minor, padding_6, 0x21 /* Alert */, 6) \ 1550 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1551 auth_alg, minor, padding_7, 0x21 /* Alert */, 7) \ 1552 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1553 auth_alg, minor, padding_8, 0x21 /* Alert */, 8) \ 1554 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1555 auth_alg, minor, padding_9, 0x21 /* Alert */, 9) \ 1556 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1557 auth_alg, minor, padding_10, 0x21 /* Alert */, 10) \ 1558 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1559 auth_alg, minor, padding_11, 0x21 /* Alert */, 11) \ 1560 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1561 auth_alg, minor, padding_12, 0x21 /* Alert */, 12) \ 1562 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1563 auth_alg, minor, padding_13, 0x21 /* Alert */, 13) \ 1564 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1565 auth_alg, minor, padding_14, 0x21 /* Alert */, 14) \ 1566 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1567 auth_alg, minor, padding_15, 0x21 /* Alert */, 15) \ 1568 GEN_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1569 auth_alg, minor, padding_16, 0x21 /* Alert */, 16) 1570 1571 #define ADD_TRANSMIT_PADDING_TESTS(cipher_name, cipher_alg, key_size, \ 1572 auth_alg, minor) \ 1573 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1574 auth_alg, minor, padding_1) \ 1575 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1576 auth_alg, minor, padding_2) \ 1577 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1578 auth_alg, minor, padding_3) \ 1579 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1580 auth_alg, minor, padding_4) \ 1581 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1582 auth_alg, minor, padding_5) \ 1583 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1584 auth_alg, minor, padding_6) \ 1585 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1586 auth_alg, minor, padding_7) \ 1587 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1588 auth_alg, minor, padding_8) \ 1589 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1590 auth_alg, minor, padding_9) \ 1591 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1592 auth_alg, minor, padding_10) \ 1593 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1594 auth_alg, minor, padding_11) \ 1595 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1596 auth_alg, minor, padding_12) \ 1597 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1598 auth_alg, minor, padding_13) \ 1599 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1600 auth_alg, minor, padding_14) \ 1601 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1602 auth_alg, minor, padding_15) \ 1603 ADD_TRANSMIT_CONTROL_TEST(cipher_name, cipher_alg, key_size, \ 1604 auth_alg, minor, padding_16) 1605 1606 /* 1607 * For AES-CBC MTE cipher suites using padding, add tests of messages 1608 * with each possible padding size. Note that the padding_<N> tests 1609 * do not necessarily test <N> bytes of padding as the padding is a 1610 * function of the cipher suite's MAC length. However, cycling 1611 * through all of the payload sizes from 1 to 16 should exercise all 1612 * of the possible padding lengths for each suite. 1613 */ 1614 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); 1615 1616 /* 1617 * Test "empty fragments" which are TLS records with no payload that 1618 * OpenSSL can send for TLS 1.0 connections. 1619 */ 1620 AES_CBC_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1621 AES_GCM_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1622 CHACHA20_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); 1623 1624 static void 1625 test_ktls_invalid_transmit_cipher_suite(const atf_tc_t *tc, 1626 struct tls_enable *en) 1627 { 1628 int sockets[2]; 1629 1630 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1631 1632 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, 1633 sizeof(*en)) == -1); 1634 ATF_REQUIRE(errno == EINVAL); 1635 1636 close_sockets(sockets); 1637 } 1638 1639 #define GEN_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1640 minor) \ 1641 ATF_TC_WITHOUT_HEAD(ktls_transmit_invalid_##name); \ 1642 ATF_TC_BODY(ktls_transmit_invalid_##name, tc) \ 1643 { \ 1644 struct tls_enable en; \ 1645 uint64_t seqno; \ 1646 \ 1647 ATF_REQUIRE_KTLS(); \ 1648 seqno = random(); \ 1649 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1650 &en); \ 1651 test_ktls_invalid_transmit_cipher_suite(tc, &en); \ 1652 free_tls_enable(&en); \ 1653 } 1654 1655 #define ADD_INVALID_TRANSMIT_TEST(name, cipher_alg, key_size, auth_alg, \ 1656 minor) \ 1657 ATF_TP_ADD_TC(tp, ktls_transmit_invalid_##name); 1658 1659 #define INVALID_CIPHER_SUITES(M) \ 1660 M(aes128_cbc_1_0_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1661 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ZERO) \ 1662 M(aes128_cbc_1_0_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1663 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ZERO) \ 1664 M(aes128_gcm_1_0, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1665 TLS_MINOR_VER_ZERO) \ 1666 M(chacha20_poly1305_1_0, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1667 TLS_MINOR_VER_ZERO) \ 1668 M(aes128_cbc_1_1_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1669 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_ONE) \ 1670 M(aes128_cbc_1_1_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1671 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_ONE) \ 1672 M(aes128_gcm_1_1, CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, \ 1673 TLS_MINOR_VER_ONE) \ 1674 M(chacha20_poly1305_1_1, CRYPTO_CHACHA20_POLY1305, 256 / 8, 0, \ 1675 TLS_MINOR_VER_ONE) \ 1676 M(aes128_cbc_1_3_sha1, CRYPTO_AES_CBC, 128 / 8, \ 1677 CRYPTO_SHA1_HMAC, TLS_MINOR_VER_THREE) \ 1678 M(aes128_cbc_1_3_sha256, CRYPTO_AES_CBC, 128 / 8, \ 1679 CRYPTO_SHA2_256_HMAC, TLS_MINOR_VER_THREE) \ 1680 M(aes128_cbc_1_3_sha384, CRYPTO_AES_CBC, 128 / 8, \ 1681 CRYPTO_SHA2_384_HMAC, TLS_MINOR_VER_THREE) 1682 1683 /* 1684 * Ensure that invalid cipher suites are rejected for transmit. 1685 */ 1686 INVALID_CIPHER_SUITES(GEN_INVALID_TRANSMIT_TEST); 1687 1688 #define GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1689 auth_alg, minor, name, len, padding) \ 1690 ATF_TC_WITHOUT_HEAD(ktls_receive_##cipher_name##_##name); \ 1691 ATF_TC_BODY(ktls_receive_##cipher_name##_##name, tc) \ 1692 { \ 1693 struct tls_enable en; \ 1694 uint64_t seqno; \ 1695 \ 1696 ATF_REQUIRE_KTLS(); \ 1697 seqno = random(); \ 1698 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1699 &en); \ 1700 test_ktls_receive_app_data(tc, &en, seqno, len, padding); \ 1701 free_tls_enable(&en); \ 1702 } 1703 1704 #define ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1705 auth_alg, minor, name) \ 1706 ATF_TP_ADD_TC(tp, ktls_receive_##cipher_name##_##name); 1707 1708 #define GEN_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1709 minor) \ 1710 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1711 auth_alg, minor, short, 64, 0) \ 1712 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1713 auth_alg, minor, long, 64 * 1024, 0) 1714 1715 #define ADD_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ 1716 minor) \ 1717 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1718 auth_alg, minor, short) \ 1719 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1720 auth_alg, minor, long) 1721 1722 /* 1723 * For each supported cipher suite, run two receive tests: 1724 * 1725 * - a short test which sends 64 bytes of application data (likely as 1726 * a single TLS record) 1727 * 1728 * - a long test which sends 64KB of application data (split across 1729 * multiple TLS records) 1730 * 1731 * Note that receive is currently only supported for TLS 1.2 AEAD 1732 * cipher suites. 1733 */ 1734 AES_GCM_TESTS(GEN_RECEIVE_TESTS); 1735 CHACHA20_TESTS(GEN_RECEIVE_TESTS); 1736 1737 #define GEN_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1738 auth_alg, minor) \ 1739 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1740 auth_alg, minor, short_padded, 64, 16) \ 1741 GEN_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1742 auth_alg, minor, long_padded, 64 * 1024, 15) 1743 1744 #define ADD_PADDING_RECEIVE_TESTS(cipher_name, cipher_alg, key_size, \ 1745 auth_alg, minor) \ 1746 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1747 auth_alg, minor, short_padded) \ 1748 ADD_RECEIVE_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ 1749 auth_alg, minor, long_padded) 1750 1751 /* 1752 * For TLS 1.3 cipher suites, run two additional receive tests which 1753 * use add padding to each record. 1754 */ 1755 TLS_13_TESTS(GEN_PADDING_RECEIVE_TESTS); 1756 1757 static void 1758 test_ktls_invalid_receive_cipher_suite(const atf_tc_t *tc, 1759 struct tls_enable *en) 1760 { 1761 int sockets[2]; 1762 1763 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1764 1765 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1766 sizeof(*en)) == -1); 1767 ATF_REQUIRE(errno == EINVAL); 1768 1769 close_sockets(sockets); 1770 } 1771 1772 #define GEN_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1773 minor) \ 1774 ATF_TC_WITHOUT_HEAD(ktls_receive_invalid_##name); \ 1775 ATF_TC_BODY(ktls_receive_invalid_##name, tc) \ 1776 { \ 1777 struct tls_enable en; \ 1778 uint64_t seqno; \ 1779 \ 1780 ATF_REQUIRE_KTLS(); \ 1781 seqno = random(); \ 1782 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1783 &en); \ 1784 test_ktls_invalid_receive_cipher_suite(tc, &en); \ 1785 free_tls_enable(&en); \ 1786 } 1787 1788 #define ADD_INVALID_RECEIVE_TEST(name, cipher_alg, key_size, auth_alg, \ 1789 minor) \ 1790 ATF_TP_ADD_TC(tp, ktls_receive_invalid_##name); 1791 1792 /* 1793 * Ensure that invalid cipher suites are rejected for receive. 1794 */ 1795 INVALID_CIPHER_SUITES(GEN_INVALID_RECEIVE_TEST); 1796 1797 static void 1798 test_ktls_unsupported_receive_cipher_suite(const atf_tc_t *tc, 1799 struct tls_enable *en) 1800 { 1801 int sockets[2]; 1802 1803 ATF_REQUIRE_MSG(open_sockets(tc, sockets), "failed to create sockets"); 1804 1805 ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_RXTLS_ENABLE, en, 1806 sizeof(*en)) == -1); 1807 ATF_REQUIRE(errno == EPROTONOSUPPORT); 1808 1809 close_sockets(sockets); 1810 } 1811 1812 #define GEN_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1813 auth_alg, minor) \ 1814 ATF_TC_WITHOUT_HEAD(ktls_receive_unsupported_##name); \ 1815 ATF_TC_BODY(ktls_receive_unsupported_##name, tc) \ 1816 { \ 1817 struct tls_enable en; \ 1818 uint64_t seqno; \ 1819 \ 1820 ATF_REQUIRE_KTLS(); \ 1821 seqno = random(); \ 1822 build_tls_enable(cipher_alg, key_size, auth_alg, minor, seqno, \ 1823 &en); \ 1824 test_ktls_unsupported_receive_cipher_suite(tc, &en); \ 1825 free_tls_enable(&en); \ 1826 } 1827 1828 #define ADD_UNSUPPORTED_RECEIVE_TEST(name, cipher_alg, key_size, \ 1829 auth_alg, minor) \ 1830 ATF_TP_ADD_TC(tp, ktls_receive_unsupported_##name); 1831 1832 /* 1833 * Ensure that valid cipher suites not supported for receive are 1834 * rejected. 1835 */ 1836 AES_CBC_TESTS(GEN_UNSUPPORTED_RECEIVE_TEST); 1837 1838 /* 1839 * Try to perform an invalid sendto(2) on a TXTLS-enabled socket, to exercise 1840 * KTLS error handling in the socket layer. 1841 */ 1842 ATF_TC_WITHOUT_HEAD(ktls_sendto_baddst); 1843 ATF_TC_BODY(ktls_sendto_baddst, tc) 1844 { 1845 char buf[32]; 1846 struct sockaddr_in dst; 1847 struct tls_enable en; 1848 ssize_t n; 1849 int s; 1850 1851 ATF_REQUIRE_KTLS(); 1852 1853 s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 1854 ATF_REQUIRE(s >= 0); 1855 1856 build_tls_enable(CRYPTO_AES_NIST_GCM_16, 128 / 8, 0, 1857 TLS_MINOR_VER_THREE, (uint64_t)random(), &en); 1858 1859 ATF_REQUIRE(setsockopt(s, IPPROTO_TCP, TCP_TXTLS_ENABLE, &en, 1860 sizeof(en)) == 0); 1861 1862 memset(&dst, 0, sizeof(dst)); 1863 dst.sin_family = AF_INET; 1864 dst.sin_len = sizeof(dst); 1865 dst.sin_addr.s_addr = htonl(INADDR_BROADCAST); 1866 dst.sin_port = htons(12345); 1867 1868 memset(buf, 0, sizeof(buf)); 1869 n = sendto(s, buf, sizeof(buf), 0, (struct sockaddr *)&dst, 1870 sizeof(dst)); 1871 1872 /* Can't transmit to the broadcast address over TCP. */ 1873 ATF_REQUIRE_ERRNO(EACCES, n == -1); 1874 ATF_REQUIRE(close(s) == 0); 1875 } 1876 1877 ATF_TP_ADD_TCS(tp) 1878 { 1879 /* Transmit tests */ 1880 AES_CBC_TESTS(ADD_TRANSMIT_TESTS); 1881 AES_GCM_TESTS(ADD_TRANSMIT_TESTS); 1882 CHACHA20_TESTS(ADD_TRANSMIT_TESTS); 1883 AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); 1884 AES_CBC_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1885 AES_GCM_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1886 CHACHA20_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); 1887 INVALID_CIPHER_SUITES(ADD_INVALID_TRANSMIT_TEST); 1888 1889 /* Receive tests */ 1890 AES_CBC_TESTS(ADD_UNSUPPORTED_RECEIVE_TEST); 1891 AES_GCM_TESTS(ADD_RECEIVE_TESTS); 1892 CHACHA20_TESTS(ADD_RECEIVE_TESTS); 1893 TLS_13_TESTS(ADD_PADDING_RECEIVE_TESTS); 1894 INVALID_CIPHER_SUITES(ADD_INVALID_RECEIVE_TEST); 1895 1896 /* Miscellaneous */ 1897 ATF_TP_ADD_TC(tp, ktls_sendto_baddst); 1898 1899 return (atf_no_error()); 1900 } 1901