1a8e1175bSopenharmony_ci/* BEGIN_HEADER */ 2a8e1175bSopenharmony_ci/* Testing of mbedtls_ssl_decrypt_buf() specifically, focusing on negative 3a8e1175bSopenharmony_ci * testing (using malformed inputs). */ 4a8e1175bSopenharmony_ci 5a8e1175bSopenharmony_ci#include <mbedtls/ssl.h> 6a8e1175bSopenharmony_ci#include <ssl_misc.h> 7a8e1175bSopenharmony_ci#include <test/ssl_helpers.h> 8a8e1175bSopenharmony_ci 9a8e1175bSopenharmony_ci/* END_HEADER */ 10a8e1175bSopenharmony_ci 11a8e1175bSopenharmony_ci/* BEGIN_DEPENDENCIES 12a8e1175bSopenharmony_ci * depends_on:MBEDTLS_SSL_TLS_C 13a8e1175bSopenharmony_ci * END_DEPENDENCIES 14a8e1175bSopenharmony_ci */ 15a8e1175bSopenharmony_ci 16a8e1175bSopenharmony_ci/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CIPHER_NULL_CIPHER */ 17a8e1175bSopenharmony_civoid ssl_decrypt_null(int hash_id) 18a8e1175bSopenharmony_ci{ 19a8e1175bSopenharmony_ci mbedtls_ssl_transform transform_in, transform_out; 20a8e1175bSopenharmony_ci mbedtls_ssl_transform_init(&transform_in); 21a8e1175bSopenharmony_ci mbedtls_ssl_transform_init(&transform_out); 22a8e1175bSopenharmony_ci const mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; 23a8e1175bSopenharmony_ci const mbedtls_cipher_type_t cipher_type = MBEDTLS_CIPHER_NULL; 24a8e1175bSopenharmony_ci mbedtls_record rec_good = { 25a8e1175bSopenharmony_ci .ctr = { 0 }, 26a8e1175bSopenharmony_ci .type = MBEDTLS_SSL_MSG_APPLICATION_DATA, 27a8e1175bSopenharmony_ci .ver = { 0, 0 }, /* Will be set by a function call below */ 28a8e1175bSopenharmony_ci .buf = NULL, 29a8e1175bSopenharmony_ci .buf_len = 0, 30a8e1175bSopenharmony_ci .data_offset = 0, 31a8e1175bSopenharmony_ci .data_len = 0, 32a8e1175bSopenharmony_ci#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 33a8e1175bSopenharmony_ci .cid_len = 0, 34a8e1175bSopenharmony_ci .cid = { 0 }, 35a8e1175bSopenharmony_ci#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 36a8e1175bSopenharmony_ci }; 37a8e1175bSopenharmony_ci mbedtls_ssl_write_version(rec_good.ver, 38a8e1175bSopenharmony_ci MBEDTLS_SSL_TRANSPORT_STREAM, 39a8e1175bSopenharmony_ci version); 40a8e1175bSopenharmony_ci const char sample_plaintext[3] = "ABC"; 41a8e1175bSopenharmony_ci mbedtls_ssl_context ssl; 42a8e1175bSopenharmony_ci mbedtls_ssl_init(&ssl); 43a8e1175bSopenharmony_ci uint8_t *buf = NULL; 44a8e1175bSopenharmony_ci 45a8e1175bSopenharmony_ci MD_OR_USE_PSA_INIT(); 46a8e1175bSopenharmony_ci 47a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_test_ssl_build_transforms(&transform_in, &transform_out, 48a8e1175bSopenharmony_ci cipher_type, hash_id, 0, 0, 49a8e1175bSopenharmony_ci version, 50a8e1175bSopenharmony_ci 0, 0), 0); 51a8e1175bSopenharmony_ci 52a8e1175bSopenharmony_ci const size_t plaintext_length = sizeof(sample_plaintext); 53a8e1175bSopenharmony_ci rec_good.buf_len = plaintext_length + transform_in.maclen; 54a8e1175bSopenharmony_ci rec_good.data_len = plaintext_length; 55a8e1175bSopenharmony_ci TEST_CALLOC(rec_good.buf, rec_good.buf_len); 56a8e1175bSopenharmony_ci memcpy(rec_good.buf, sample_plaintext, plaintext_length); 57a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_test_ssl_prepare_record_mac(&rec_good, 58a8e1175bSopenharmony_ci &transform_out), 0); 59a8e1175bSopenharmony_ci 60a8e1175bSopenharmony_ci /* Good case */ 61a8e1175bSopenharmony_ci mbedtls_record rec = rec_good; 62a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 0); 63a8e1175bSopenharmony_ci 64a8e1175bSopenharmony_ci /* Change any one byte of the plaintext or MAC. The MAC will be wrong. */ 65a8e1175bSopenharmony_ci TEST_CALLOC(buf, rec.buf_len); 66a8e1175bSopenharmony_ci for (size_t i = 0; i < rec.buf_len; i++) { 67a8e1175bSopenharmony_ci mbedtls_test_set_step(i); 68a8e1175bSopenharmony_ci rec = rec_good; 69a8e1175bSopenharmony_ci rec.buf = buf; 70a8e1175bSopenharmony_ci memcpy(buf, rec_good.buf, rec.buf_len); 71a8e1175bSopenharmony_ci buf[i] ^= 1; 72a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 73a8e1175bSopenharmony_ci MBEDTLS_ERR_SSL_INVALID_MAC); 74a8e1175bSopenharmony_ci } 75a8e1175bSopenharmony_ci mbedtls_free(buf); 76a8e1175bSopenharmony_ci buf = NULL; 77a8e1175bSopenharmony_ci 78a8e1175bSopenharmony_ci /* Shorter input buffer. Either the MAC will be wrong, or there isn't 79a8e1175bSopenharmony_ci * enough room for a MAC. */ 80a8e1175bSopenharmony_ci for (size_t n = 1; n < rec.buf_len; n++) { 81a8e1175bSopenharmony_ci mbedtls_test_set_step(n); 82a8e1175bSopenharmony_ci rec = rec_good; 83a8e1175bSopenharmony_ci TEST_CALLOC(buf, n); 84a8e1175bSopenharmony_ci rec.buf = buf; 85a8e1175bSopenharmony_ci rec.buf_len = n; 86a8e1175bSopenharmony_ci rec.data_len = n; 87a8e1175bSopenharmony_ci memcpy(buf, rec_good.buf, n); 88a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 89a8e1175bSopenharmony_ci MBEDTLS_ERR_SSL_INVALID_MAC); 90a8e1175bSopenharmony_ci mbedtls_free(buf); 91a8e1175bSopenharmony_ci buf = NULL; 92a8e1175bSopenharmony_ci } 93a8e1175bSopenharmony_ci 94a8e1175bSopenharmony_ci /* For robustness, check a 0-length buffer (non-null, then null). 95a8e1175bSopenharmony_ci * This should not reach mbedtls_ssl_decrypt_buf() as used in the library, 96a8e1175bSopenharmony_ci * so the exact error doesn't matter, but we don't want a crash. */ 97a8e1175bSopenharmony_ci { 98a8e1175bSopenharmony_ci const uint8_t buf1[1] = { 'a' }; 99a8e1175bSopenharmony_ci rec = rec_good; 100a8e1175bSopenharmony_ci /* We won't write to buf1[0] since it's out of range, so we can cast 101a8e1175bSopenharmony_ci * the const away. */ 102a8e1175bSopenharmony_ci rec.buf = (uint8_t *) buf1; 103a8e1175bSopenharmony_ci rec.buf_len = 0; 104a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 105a8e1175bSopenharmony_ci MBEDTLS_ERR_SSL_INTERNAL_ERROR); 106a8e1175bSopenharmony_ci } 107a8e1175bSopenharmony_ci rec = rec_good; 108a8e1175bSopenharmony_ci rec.buf = NULL; 109a8e1175bSopenharmony_ci rec.buf_len = 0; 110a8e1175bSopenharmony_ci TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 111a8e1175bSopenharmony_ci MBEDTLS_ERR_SSL_INTERNAL_ERROR); 112a8e1175bSopenharmony_ci 113a8e1175bSopenharmony_ciexit: 114a8e1175bSopenharmony_ci mbedtls_ssl_transform_free(&transform_in); 115a8e1175bSopenharmony_ci mbedtls_ssl_transform_free(&transform_out); 116a8e1175bSopenharmony_ci mbedtls_free(rec_good.buf); 117a8e1175bSopenharmony_ci mbedtls_ssl_free(&ssl); 118a8e1175bSopenharmony_ci mbedtls_free(buf); 119a8e1175bSopenharmony_ci MD_OR_USE_PSA_DONE(); 120a8e1175bSopenharmony_ci} 121a8e1175bSopenharmony_ci/* END_CASE */ 122a8e1175bSopenharmony_ci 123a8e1175bSopenharmony_ci/* BEGIN_CASE depends_on:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2 */ 124a8e1175bSopenharmony_civoid ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac, 125a8e1175bSopenharmony_ci int length_selector) 126a8e1175bSopenharmony_ci{ 127a8e1175bSopenharmony_ci /* 128a8e1175bSopenharmony_ci * Test record decryption for CBC without EtM, focused on the verification 129a8e1175bSopenharmony_ci * of padding and MAC. 130a8e1175bSopenharmony_ci * 131a8e1175bSopenharmony_ci * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since 132a8e1175bSopenharmony_ci * the test framework doesn't support alternation in dependency statements, 133a8e1175bSopenharmony_ci * just depend on AES. 134a8e1175bSopenharmony_ci * 135a8e1175bSopenharmony_ci * The length_selector argument is interpreted as follows: 136a8e1175bSopenharmony_ci * - if it's -1, the plaintext length is 0 and minimal padding is applied 137a8e1175bSopenharmony_ci * - if it's -2, the plaintext length is 0 and maximal padding is applied 138a8e1175bSopenharmony_ci * - otherwise it must be in [0, 255] and is padding_length from RFC 5246: 139a8e1175bSopenharmony_ci * it's the length of the rest of the padding, that is, excluding the 140a8e1175bSopenharmony_ci * byte that encodes the length. The minimal non-zero plaintext length 141a8e1175bSopenharmony_ci * that gives this padding_length is automatically selected. 142a8e1175bSopenharmony_ci */ 143a8e1175bSopenharmony_ci mbedtls_ssl_context ssl; /* ONLY for debugging */ 144a8e1175bSopenharmony_ci mbedtls_ssl_transform t0, t1; 145a8e1175bSopenharmony_ci mbedtls_record rec, rec_save; 146a8e1175bSopenharmony_ci unsigned char *buf = NULL, *buf_save = NULL; 147a8e1175bSopenharmony_ci size_t buflen, olen = 0; 148a8e1175bSopenharmony_ci size_t plaintext_len, block_size, i; 149a8e1175bSopenharmony_ci unsigned char padlen; /* excluding the padding_length byte */ 150a8e1175bSopenharmony_ci int exp_ret; 151a8e1175bSopenharmony_ci int ret; 152a8e1175bSopenharmony_ci const unsigned char pad_max_len = 255; /* Per the standard */ 153a8e1175bSopenharmony_ci 154a8e1175bSopenharmony_ci mbedtls_ssl_init(&ssl); 155a8e1175bSopenharmony_ci mbedtls_ssl_transform_init(&t0); 156a8e1175bSopenharmony_ci mbedtls_ssl_transform_init(&t1); 157a8e1175bSopenharmony_ci MD_OR_USE_PSA_INIT(); 158a8e1175bSopenharmony_ci 159a8e1175bSopenharmony_ci /* Set up transforms with dummy keys */ 160a8e1175bSopenharmony_ci ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id, 161a8e1175bSopenharmony_ci 0, trunc_hmac, 162a8e1175bSopenharmony_ci MBEDTLS_SSL_VERSION_TLS1_2, 163a8e1175bSopenharmony_ci 0, 0); 164a8e1175bSopenharmony_ci 165a8e1175bSopenharmony_ci TEST_ASSERT(ret == 0); 166a8e1175bSopenharmony_ci 167a8e1175bSopenharmony_ci /* Determine padding/plaintext length */ 168a8e1175bSopenharmony_ci TEST_ASSERT(length_selector >= -2 && length_selector <= 255); 169a8e1175bSopenharmony_ci block_size = t0.ivlen; 170a8e1175bSopenharmony_ci if (length_selector < 0) { 171a8e1175bSopenharmony_ci plaintext_len = 0; 172a8e1175bSopenharmony_ci 173a8e1175bSopenharmony_ci /* Minimal padding 174a8e1175bSopenharmony_ci * The +1 is for the padding_length byte, not counted in padlen. */ 175a8e1175bSopenharmony_ci padlen = block_size - (t0.maclen + 1) % block_size; 176a8e1175bSopenharmony_ci 177a8e1175bSopenharmony_ci /* Maximal padding? */ 178a8e1175bSopenharmony_ci if (length_selector == -2) { 179a8e1175bSopenharmony_ci padlen += block_size * ((pad_max_len - padlen) / block_size); 180a8e1175bSopenharmony_ci } 181a8e1175bSopenharmony_ci } else { 182a8e1175bSopenharmony_ci padlen = length_selector; 183a8e1175bSopenharmony_ci 184a8e1175bSopenharmony_ci /* Minimal non-zero plaintext_length giving desired padding. 185a8e1175bSopenharmony_ci * The +1 is for the padding_length byte, not counted in padlen. */ 186a8e1175bSopenharmony_ci plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size; 187a8e1175bSopenharmony_ci } 188a8e1175bSopenharmony_ci 189a8e1175bSopenharmony_ci /* Prepare a buffer for record data */ 190a8e1175bSopenharmony_ci buflen = block_size 191a8e1175bSopenharmony_ci + plaintext_len 192a8e1175bSopenharmony_ci + t0.maclen 193a8e1175bSopenharmony_ci + padlen + 1; 194a8e1175bSopenharmony_ci TEST_CALLOC(buf, buflen); 195a8e1175bSopenharmony_ci TEST_CALLOC(buf_save, buflen); 196a8e1175bSopenharmony_ci 197a8e1175bSopenharmony_ci /* Prepare a dummy record header */ 198a8e1175bSopenharmony_ci memset(rec.ctr, 0, sizeof(rec.ctr)); 199a8e1175bSopenharmony_ci rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA; 200a8e1175bSopenharmony_ci mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM, 201a8e1175bSopenharmony_ci MBEDTLS_SSL_VERSION_TLS1_2); 202a8e1175bSopenharmony_ci#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 203a8e1175bSopenharmony_ci rec.cid_len = 0; 204a8e1175bSopenharmony_ci#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 205a8e1175bSopenharmony_ci 206a8e1175bSopenharmony_ci /* Prepare dummy record content */ 207a8e1175bSopenharmony_ci rec.buf = buf; 208a8e1175bSopenharmony_ci rec.buf_len = buflen; 209a8e1175bSopenharmony_ci rec.data_offset = block_size; 210a8e1175bSopenharmony_ci rec.data_len = plaintext_len; 211a8e1175bSopenharmony_ci memset(rec.buf + rec.data_offset, 42, rec.data_len); 212a8e1175bSopenharmony_ci 213a8e1175bSopenharmony_ci /* Set dummy IV */ 214a8e1175bSopenharmony_ci memset(t0.iv_enc, 0x55, t0.ivlen); 215a8e1175bSopenharmony_ci memcpy(rec.buf, t0.iv_enc, t0.ivlen); 216a8e1175bSopenharmony_ci 217a8e1175bSopenharmony_ci /* 218a8e1175bSopenharmony_ci * Prepare a pre-encryption record (with MAC and padding), and save it. 219a8e1175bSopenharmony_ci */ 220a8e1175bSopenharmony_ci TEST_EQUAL(0, mbedtls_test_ssl_prepare_record_mac(&rec, &t0)); 221a8e1175bSopenharmony_ci 222a8e1175bSopenharmony_ci /* Pad */ 223a8e1175bSopenharmony_ci memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1); 224a8e1175bSopenharmony_ci rec.data_len += padlen + 1; 225a8e1175bSopenharmony_ci 226a8e1175bSopenharmony_ci /* Save correct pre-encryption record */ 227a8e1175bSopenharmony_ci rec_save = rec; 228a8e1175bSopenharmony_ci rec_save.buf = buf_save; 229a8e1175bSopenharmony_ci memcpy(buf_save, buf, buflen); 230a8e1175bSopenharmony_ci 231a8e1175bSopenharmony_ci /* 232a8e1175bSopenharmony_ci * Encrypt and decrypt the correct record, expecting success 233a8e1175bSopenharmony_ci */ 234a8e1175bSopenharmony_ci TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( 235a8e1175bSopenharmony_ci &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, 236a8e1175bSopenharmony_ci rec.data_len, rec.buf + rec.data_offset, &olen)); 237a8e1175bSopenharmony_ci rec.data_offset -= t0.ivlen; 238a8e1175bSopenharmony_ci rec.data_len += t0.ivlen; 239a8e1175bSopenharmony_ci 240a8e1175bSopenharmony_ci TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); 241a8e1175bSopenharmony_ci 242a8e1175bSopenharmony_ci /* 243a8e1175bSopenharmony_ci * Modify each byte of the pre-encryption record before encrypting and 244a8e1175bSopenharmony_ci * decrypting it, expecting failure every time. 245a8e1175bSopenharmony_ci */ 246a8e1175bSopenharmony_ci for (i = block_size; i < buflen; i++) { 247a8e1175bSopenharmony_ci mbedtls_test_set_step(i); 248a8e1175bSopenharmony_ci 249a8e1175bSopenharmony_ci /* Restore correct pre-encryption record */ 250a8e1175bSopenharmony_ci rec = rec_save; 251a8e1175bSopenharmony_ci rec.buf = buf; 252a8e1175bSopenharmony_ci memcpy(buf, buf_save, buflen); 253a8e1175bSopenharmony_ci 254a8e1175bSopenharmony_ci /* Corrupt one byte of the data (could be plaintext, MAC or padding) */ 255a8e1175bSopenharmony_ci rec.buf[i] ^= 0x01; 256a8e1175bSopenharmony_ci 257a8e1175bSopenharmony_ci /* Encrypt */ 258a8e1175bSopenharmony_ci TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( 259a8e1175bSopenharmony_ci &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, 260a8e1175bSopenharmony_ci rec.data_len, rec.buf + rec.data_offset, &olen)); 261a8e1175bSopenharmony_ci rec.data_offset -= t0.ivlen; 262a8e1175bSopenharmony_ci rec.data_len += t0.ivlen; 263a8e1175bSopenharmony_ci 264a8e1175bSopenharmony_ci /* Decrypt and expect failure */ 265a8e1175bSopenharmony_ci TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC, 266a8e1175bSopenharmony_ci mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); 267a8e1175bSopenharmony_ci } 268a8e1175bSopenharmony_ci 269a8e1175bSopenharmony_ci /* 270a8e1175bSopenharmony_ci * Use larger values of the padding bytes - with small buffers, this tests 271a8e1175bSopenharmony_ci * the case where the announced padlen would be larger than the buffer 272a8e1175bSopenharmony_ci * (and before that, than the buffer minus the size of the MAC), to make 273a8e1175bSopenharmony_ci * sure our padding checking code does not perform any out-of-bounds reads 274a8e1175bSopenharmony_ci * in this case. (With larger buffers, ie when the plaintext is long or 275a8e1175bSopenharmony_ci * maximal length padding is used, this is less relevant but still doesn't 276a8e1175bSopenharmony_ci * hurt to test.) 277a8e1175bSopenharmony_ci * 278a8e1175bSopenharmony_ci * (Start the loop with correct padding, just to double-check that record 279a8e1175bSopenharmony_ci * saving did work, and that we're overwriting the correct bytes.) 280a8e1175bSopenharmony_ci */ 281a8e1175bSopenharmony_ci for (i = padlen; i <= pad_max_len; i++) { 282a8e1175bSopenharmony_ci mbedtls_test_set_step(i); 283a8e1175bSopenharmony_ci 284a8e1175bSopenharmony_ci /* Restore correct pre-encryption record */ 285a8e1175bSopenharmony_ci rec = rec_save; 286a8e1175bSopenharmony_ci rec.buf = buf; 287a8e1175bSopenharmony_ci memcpy(buf, buf_save, buflen); 288a8e1175bSopenharmony_ci 289a8e1175bSopenharmony_ci /* Set padding bytes to new value */ 290a8e1175bSopenharmony_ci memset(buf + buflen - padlen - 1, i, padlen + 1); 291a8e1175bSopenharmony_ci 292a8e1175bSopenharmony_ci /* Encrypt */ 293a8e1175bSopenharmony_ci TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper( 294a8e1175bSopenharmony_ci &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset, 295a8e1175bSopenharmony_ci rec.data_len, rec.buf + rec.data_offset, &olen)); 296a8e1175bSopenharmony_ci rec.data_offset -= t0.ivlen; 297a8e1175bSopenharmony_ci rec.data_len += t0.ivlen; 298a8e1175bSopenharmony_ci 299a8e1175bSopenharmony_ci /* Decrypt and expect failure except the first time */ 300a8e1175bSopenharmony_ci exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC; 301a8e1175bSopenharmony_ci TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec)); 302a8e1175bSopenharmony_ci } 303a8e1175bSopenharmony_ci 304a8e1175bSopenharmony_ciexit: 305a8e1175bSopenharmony_ci mbedtls_ssl_free(&ssl); 306a8e1175bSopenharmony_ci mbedtls_ssl_transform_free(&t0); 307a8e1175bSopenharmony_ci mbedtls_ssl_transform_free(&t1); 308a8e1175bSopenharmony_ci mbedtls_free(buf); 309a8e1175bSopenharmony_ci mbedtls_free(buf_save); 310a8e1175bSopenharmony_ci MD_OR_USE_PSA_DONE(); 311a8e1175bSopenharmony_ci} 312a8e1175bSopenharmony_ci/* END_CASE */ 313