Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 0344c602eadc0802776b65ff90f0a02c856cf53c / . / tests / suites / test_suite_ssl.function
blob: 67d97e47ce99ca23c309456a4f55bbeb8b42ddd4 [file] [log] [blame]
Tom Rini0344c602024-10-08 13:56:50 -0600[diff] [blame^]1/* BEGIN_HEADER */
2#include <ssl_misc.h>
3#include <mbedtls/timing.h>
4#include <mbedtls/debug.h>
5#include <mbedtls/pk.h>
6#include <ssl_tls13_keys.h>
7#include <ssl_tls13_invasive.h>
8#include <test/ssl_helpers.h>
9
10#include <constant_time_internal.h>
11#include <test/constant_flow.h>
12
13#define SSL_MESSAGE_QUEUE_INIT { NULL, 0, 0, 0 }
14
15/* Mnemonics for the early data test scenarios */
16#define TEST_EARLY_DATA_ACCEPTED 0
17#define TEST_EARLY_DATA_NO_INDICATION_SENT 1
18#define TEST_EARLY_DATA_SERVER_REJECTS 2
19#define TEST_EARLY_DATA_HRR 3
20#define TEST_EARLY_DATA_SAME_ALPN 4
21#define TEST_EARLY_DATA_DIFF_ALPN 5
22#define TEST_EARLY_DATA_NO_INITIAL_ALPN 6
23#define TEST_EARLY_DATA_NO_LATER_ALPN 7
24
25#if (!defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \
26 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) && \
27 defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_DEBUG_C) && \
28 defined(MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE) && \
29 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) && \
30 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) && \
31 defined(MBEDTLS_MD_CAN_SHA256) && \
32 defined(MBEDTLS_ECP_HAVE_SECP256R1) && defined(MBEDTLS_ECP_HAVE_SECP384R1) && \
33 defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && defined(MBEDTLS_SSL_SESSION_TICKETS)
34/*
35 * Test function to write early data for negative tests where
36 * mbedtls_ssl_write_early_data() cannot be used.
37 */
38static int write_early_data(mbedtls_ssl_context *ssl,
39 unsigned char *buf, size_t len)
40{
41 int ret = mbedtls_ssl_get_max_out_record_payload(ssl);
42
43 TEST_ASSERT(ret > 0);
44 TEST_LE_U(len, (size_t) ret);
45
46 ret = mbedtls_ssl_flush_output(ssl);
47 TEST_EQUAL(ret, 0);
48 TEST_EQUAL(ssl->out_left, 0);
49
50 ssl->out_msglen = len;
51 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
52 if (len > 0) {
53 memcpy(ssl->out_msg, buf, len);
54 }
55
56 ret = mbedtls_ssl_write_record(ssl, 1);
57 TEST_EQUAL(ret, 0);
58
59 ret = len;
60
61exit:
62 return ret;
63}
64#endif
65
66/* END_HEADER */
67
68/* BEGIN_DEPENDENCIES
69 * depends_on:MBEDTLS_SSL_TLS_C
70 * END_DEPENDENCIES
71 */
72
73/* BEGIN_CASE */
74void test_callback_buffer_sanity()
75{
76 enum { MSGLEN = 10 };
77 mbedtls_test_ssl_buffer buf;
78 mbedtls_test_ssl_buffer_init(&buf);
79 unsigned char input[MSGLEN];
80 unsigned char output[MSGLEN];
81
82 USE_PSA_INIT();
83 memset(input, 0, sizeof(input));
84
85 /* Make sure calling put and get on NULL buffer results in error. */
86 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, input, sizeof(input))
87 == -1);
88 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, output, sizeof(output))
89 == -1);
90 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, sizeof(input))
91 == -1);
92
93 TEST_ASSERT(mbedtls_test_ssl_buffer_put(NULL, NULL, 0) == -1);
94 TEST_ASSERT(mbedtls_test_ssl_buffer_get(NULL, NULL, 0) == -1);
95
96 /* Make sure calling put and get on a buffer that hasn't been set up results
97 * in error. */
98 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input))
99 == -1);
100 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output))
101 == -1);
102 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input))
103 == -1);
104
105 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == -1);
106 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == -1);
107
108 /* Make sure calling put and get on NULL input only results in
109 * error if the length is not zero, and that a NULL output is valid for data
110 * dropping.
111 */
112
113 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, sizeof(input)) == 0);
114
115 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, sizeof(input))
116 == -1);
117 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, sizeof(output))
118 == 0);
119 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, NULL, 0) == 0);
120 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, NULL, 0) == 0);
121
122 /* Make sure calling put several times in the row is safe */
123
124 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input))
125 == sizeof(input));
126 TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, 2) == 2);
127 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 1) == 1);
128 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 1);
129 TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, 2) == 0);
130
131
132exit:
133 mbedtls_test_ssl_buffer_free(&buf);
134 USE_PSA_DONE();
135}
136/* END_CASE */
137
138/*
139 * Test if the implementation of `mbedtls_test_ssl_buffer` related functions is
140 * correct and works as expected.
141 *
142 * That is
143 * - If we try to put in \p put1 bytes then we can put in \p put1_ret bytes.
144 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
145 * - Next, if we try to put in \p put1 bytes then we can put in \p put1_ret
146 * bytes.
147 * - Afterwards if we try to get \p get1 bytes then we can get \get1_ret bytes.
148 * - All of the bytes we got match the bytes we put in in a FIFO manner.
149 */
150
151/* BEGIN_CASE */
152void test_callback_buffer(int size, int put1, int put1_ret,
153 int get1, int get1_ret, int put2, int put2_ret,
154 int get2, int get2_ret)
155{
156 enum { ROUNDS = 2 };
157 size_t put[ROUNDS];
158 int put_ret[ROUNDS];
159 size_t get[ROUNDS];
160 int get_ret[ROUNDS];
161 mbedtls_test_ssl_buffer buf;
162 unsigned char *input = NULL;
163 size_t input_len;
164 unsigned char *output = NULL;
165 size_t output_len;
166 size_t i, j, written, read;
167
168 mbedtls_test_ssl_buffer_init(&buf);
169 USE_PSA_INIT();
170 TEST_ASSERT(mbedtls_test_ssl_buffer_setup(&buf, size) == 0);
171
172 /* Check the sanity of input parameters and initialise local variables. That
173 * is, ensure that the amount of data is not negative and that we are not
174 * expecting more to put or get than we actually asked for. */
175 TEST_ASSERT(put1 >= 0);
176 put[0] = put1;
177 put_ret[0] = put1_ret;
178 TEST_ASSERT(put1_ret <= put1);
179 TEST_ASSERT(put2 >= 0);
180 put[1] = put2;
181 put_ret[1] = put2_ret;
182 TEST_ASSERT(put2_ret <= put2);
183
184 TEST_ASSERT(get1 >= 0);
185 get[0] = get1;
186 get_ret[0] = get1_ret;
187 TEST_ASSERT(get1_ret <= get1);
188 TEST_ASSERT(get2 >= 0);
189 get[1] = get2;
190 get_ret[1] = get2_ret;
191 TEST_ASSERT(get2_ret <= get2);
192
193 input_len = 0;
194 /* Calculate actual input and output lengths */
195 for (j = 0; j < ROUNDS; j++) {
196 if (put_ret[j] > 0) {
197 input_len += put_ret[j];
198 }
199 }
200 /* In order to always have a valid pointer we always allocate at least 1
201 * byte. */
202 if (input_len == 0) {
203 input_len = 1;
204 }
205 TEST_CALLOC(input, input_len);
206
207 output_len = 0;
208 for (j = 0; j < ROUNDS; j++) {
209 if (get_ret[j] > 0) {
210 output_len += get_ret[j];
211 }
212 }
213 TEST_ASSERT(output_len <= input_len);
214 /* In order to always have a valid pointer we always allocate at least 1
215 * byte. */
216 if (output_len == 0) {
217 output_len = 1;
218 }
219 TEST_CALLOC(output, output_len);
220
221 /* Fill up the buffer with structured data so that unwanted changes
222 * can be detected */
223 for (i = 0; i < input_len; i++) {
224 input[i] = i & 0xFF;
225 }
226
227 written = read = 0;
228 for (j = 0; j < ROUNDS; j++) {
229 TEST_ASSERT(put_ret[j] == mbedtls_test_ssl_buffer_put(&buf,
230 input + written, put[j]));
231 written += put_ret[j];
232 TEST_ASSERT(get_ret[j] == mbedtls_test_ssl_buffer_get(&buf,
233 output + read, get[j]));
234 read += get_ret[j];
235 TEST_ASSERT(read <= written);
236 if (get_ret[j] > 0) {
237 TEST_ASSERT(memcmp(output + read - get_ret[j],
238 input + read - get_ret[j], get_ret[j])
239 == 0);
240 }
241 }
242
243exit:
244 mbedtls_free(input);
245 mbedtls_free(output);
246 mbedtls_test_ssl_buffer_free(&buf);
247 USE_PSA_DONE();
248}
249/* END_CASE */
250
251/*
252 * Test if the implementation of `mbedtls_test_mock_socket` related
253 * I/O functions is correct and works as expected on unconnected sockets.
254 */
255
256/* BEGIN_CASE */
257void ssl_mock_sanity()
258{
259 enum { MSGLEN = 105 };
260 unsigned char message[MSGLEN] = { 0 };
261 unsigned char received[MSGLEN] = { 0 };
262 mbedtls_test_mock_socket socket;
263
264 mbedtls_test_mock_socket_init(&socket);
265 USE_PSA_INIT();
266 TEST_ASSERT(mbedtls_test_mock_tcp_send_b(&socket, message, MSGLEN) < 0);
267 mbedtls_test_mock_socket_close(&socket);
268 mbedtls_test_mock_socket_init(&socket);
269 TEST_ASSERT(mbedtls_test_mock_tcp_recv_b(&socket, received, MSGLEN) < 0);
270 mbedtls_test_mock_socket_close(&socket);
271
272 mbedtls_test_mock_socket_init(&socket);
273 TEST_ASSERT(mbedtls_test_mock_tcp_send_nb(&socket, message, MSGLEN) < 0);
274 mbedtls_test_mock_socket_close(&socket);
275 mbedtls_test_mock_socket_init(&socket);
276 TEST_ASSERT(mbedtls_test_mock_tcp_recv_nb(&socket, received, MSGLEN) < 0);
277 mbedtls_test_mock_socket_close(&socket);
278
279exit:
280 mbedtls_test_mock_socket_close(&socket);
281 USE_PSA_DONE();
282}
283/* END_CASE */
284
285/*
286 * Test if the implementation of `mbedtls_test_mock_socket` related functions
287 * can send a single message from the client to the server.
288 */
289
290/* BEGIN_CASE */
291void ssl_mock_tcp(int blocking)
292{
293 enum { MSGLEN = 105 };
294 enum { BUFLEN = MSGLEN / 5 };
295 unsigned char message[MSGLEN];
296 unsigned char received[MSGLEN];
297 mbedtls_test_mock_socket client;
298 mbedtls_test_mock_socket server;
299 size_t written, read;
300 int send_ret, recv_ret;
301 mbedtls_ssl_send_t *send;
302 mbedtls_ssl_recv_t *recv;
303 unsigned i;
304
305 if (blocking == 0) {
306 send = mbedtls_test_mock_tcp_send_nb;
307 recv = mbedtls_test_mock_tcp_recv_nb;
308 } else {
309 send = mbedtls_test_mock_tcp_send_b;
310 recv = mbedtls_test_mock_tcp_recv_b;
311 }
312
313 mbedtls_test_mock_socket_init(&client);
314 mbedtls_test_mock_socket_init(&server);
315 USE_PSA_INIT();
316
317 /* Fill up the buffer with structured data so that unwanted changes
318 * can be detected */
319 for (i = 0; i < MSGLEN; i++) {
320 message[i] = i & 0xFF;
321 }
322
323 /* Make sure that sending a message takes a few iterations. */
324 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
325 BUFLEN));
326
327 /* Send the message to the server */
328 send_ret = recv_ret = 1;
329 written = read = 0;
330 while (send_ret != 0 || recv_ret != 0) {
331 send_ret = send(&client, message + written, MSGLEN - written);
332
333 TEST_ASSERT(send_ret >= 0);
334 TEST_ASSERT(send_ret <= BUFLEN);
335 written += send_ret;
336
337 /* If the buffer is full we can test blocking and non-blocking send */
338 if (send_ret == BUFLEN) {
339 int blocking_ret = send(&client, message, 1);
340 if (blocking) {
341 TEST_ASSERT(blocking_ret == 0);
342 } else {
343 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE);
344 }
345 }
346
347 recv_ret = recv(&server, received + read, MSGLEN - read);
348
349 /* The result depends on whether any data was sent */
350 if (send_ret > 0) {
351 TEST_ASSERT(recv_ret > 0);
352 TEST_ASSERT(recv_ret <= BUFLEN);
353 read += recv_ret;
354 } else if (blocking) {
355 TEST_ASSERT(recv_ret == 0);
356 } else {
357 TEST_ASSERT(recv_ret == MBEDTLS_ERR_SSL_WANT_READ);
358 recv_ret = 0;
359 }
360
361 /* If the buffer is empty we can test blocking and non-blocking read */
362 if (recv_ret == BUFLEN) {
363 int blocking_ret = recv(&server, received, 1);
364 if (blocking) {
365 TEST_ASSERT(blocking_ret == 0);
366 } else {
367 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ);
368 }
369 }
370 }
371 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
372
373exit:
374 mbedtls_test_mock_socket_close(&client);
375 mbedtls_test_mock_socket_close(&server);
376 USE_PSA_DONE();
377}
378/* END_CASE */
379
380/*
381 * Test if the implementation of `mbedtls_test_mock_socket` related functions
382 * can send messages in both direction at the same time (with the I/O calls
383 * interleaving).
384 */
385
386/* BEGIN_CASE */
387void ssl_mock_tcp_interleaving(int blocking)
388{
389 enum { ROUNDS = 2 };
390 enum { MSGLEN = 105 };
391 enum { BUFLEN = MSGLEN / 5 };
392 unsigned char message[ROUNDS][MSGLEN];
393 unsigned char received[ROUNDS][MSGLEN];
394 mbedtls_test_mock_socket client;
395 mbedtls_test_mock_socket server;
396 size_t written[ROUNDS];
397 size_t read[ROUNDS];
398 int send_ret[ROUNDS];
399 int recv_ret[ROUNDS];
400 unsigned i, j, progress;
401 mbedtls_ssl_send_t *send;
402 mbedtls_ssl_recv_t *recv;
403
404 if (blocking == 0) {
405 send = mbedtls_test_mock_tcp_send_nb;
406 recv = mbedtls_test_mock_tcp_recv_nb;
407 } else {
408 send = mbedtls_test_mock_tcp_send_b;
409 recv = mbedtls_test_mock_tcp_recv_b;
410 }
411
412 mbedtls_test_mock_socket_init(&client);
413 mbedtls_test_mock_socket_init(&server);
414 USE_PSA_INIT();
415
416 /* Fill up the buffers with structured data so that unwanted changes
417 * can be detected */
418 for (i = 0; i < ROUNDS; i++) {
419 for (j = 0; j < MSGLEN; j++) {
420 message[i][j] = (i * MSGLEN + j) & 0xFF;
421 }
422 }
423
424 /* Make sure that sending a message takes a few iterations. */
425 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
426 BUFLEN));
427
428 /* Send the message from both sides, interleaving. */
429 progress = 1;
430 for (i = 0; i < ROUNDS; i++) {
431 written[i] = 0;
432 read[i] = 0;
433 }
434 /* This loop does not stop as long as there was a successful write or read
435 * of at least one byte on either side. */
436 while (progress != 0) {
437 mbedtls_test_mock_socket *socket;
438
439 for (i = 0; i < ROUNDS; i++) {
440 /* First sending is from the client */
441 socket = (i % 2 == 0) ? (&client) : (&server);
442
443 send_ret[i] = send(socket, message[i] + written[i],
444 MSGLEN - written[i]);
445 TEST_ASSERT(send_ret[i] >= 0);
446 TEST_ASSERT(send_ret[i] <= BUFLEN);
447 written[i] += send_ret[i];
448
449 /* If the buffer is full we can test blocking and non-blocking
450 * send */
451 if (send_ret[i] == BUFLEN) {
452 int blocking_ret = send(socket, message[i], 1);
453 if (blocking) {
454 TEST_ASSERT(blocking_ret == 0);
455 } else {
456 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_WRITE);
457 }
458 }
459 }
460
461 for (i = 0; i < ROUNDS; i++) {
462 /* First receiving is from the server */
463 socket = (i % 2 == 0) ? (&server) : (&client);
464
465 recv_ret[i] = recv(socket, received[i] + read[i],
466 MSGLEN - read[i]);
467
468 /* The result depends on whether any data was sent */
469 if (send_ret[i] > 0) {
470 TEST_ASSERT(recv_ret[i] > 0);
471 TEST_ASSERT(recv_ret[i] <= BUFLEN);
472 read[i] += recv_ret[i];
473 } else if (blocking) {
474 TEST_ASSERT(recv_ret[i] == 0);
475 } else {
476 TEST_ASSERT(recv_ret[i] == MBEDTLS_ERR_SSL_WANT_READ);
477 recv_ret[i] = 0;
478 }
479
480 /* If the buffer is empty we can test blocking and non-blocking
481 * read */
482 if (recv_ret[i] == BUFLEN) {
483 int blocking_ret = recv(socket, received[i], 1);
484 if (blocking) {
485 TEST_ASSERT(blocking_ret == 0);
486 } else {
487 TEST_ASSERT(blocking_ret == MBEDTLS_ERR_SSL_WANT_READ);
488 }
489 }
490 }
491
492 progress = 0;
493 for (i = 0; i < ROUNDS; i++) {
494 progress += send_ret[i] + recv_ret[i];
495 }
496 }
497
498 for (i = 0; i < ROUNDS; i++) {
499 TEST_ASSERT(memcmp(message[i], received[i], MSGLEN) == 0);
500 }
501
502exit:
503 mbedtls_test_mock_socket_close(&client);
504 mbedtls_test_mock_socket_close(&server);
505 USE_PSA_DONE();
506}
507/* END_CASE */
508
509/* BEGIN_CASE */
510void ssl_message_queue_sanity()
511{
512 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
513
514 USE_PSA_INIT();
515 /* Trying to push/pull to an empty queue */
516 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(NULL, 1)
517 == MBEDTLS_TEST_ERROR_ARG_NULL);
518 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(NULL, 1)
519 == MBEDTLS_TEST_ERROR_ARG_NULL);
520
521 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
522 TEST_ASSERT(queue.capacity == 3);
523 TEST_ASSERT(queue.num == 0);
524
525exit:
526 mbedtls_test_ssl_message_queue_free(&queue);
527 USE_PSA_DONE();
528}
529/* END_CASE */
530
531/* BEGIN_CASE */
532void ssl_message_queue_basic()
533{
534 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
535
536 USE_PSA_INIT();
537 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
538
539 /* Sanity test - 3 pushes and 3 pops with sufficient space */
540 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
541 TEST_ASSERT(queue.capacity == 3);
542 TEST_ASSERT(queue.num == 1);
543 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
544 TEST_ASSERT(queue.capacity == 3);
545 TEST_ASSERT(queue.num == 2);
546 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
547 TEST_ASSERT(queue.capacity == 3);
548 TEST_ASSERT(queue.num == 3);
549
550 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
551 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
552 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);
553
554exit:
555 mbedtls_test_ssl_message_queue_free(&queue);
556 USE_PSA_DONE();
557}
558/* END_CASE */
559
560/* BEGIN_CASE */
561void ssl_message_queue_overflow_underflow()
562{
563 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
564
565 USE_PSA_INIT();
566 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
567
568 /* 4 pushes (last one with an error), 4 pops (last one with an error) */
569 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
570 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
571 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
572 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3)
573 == MBEDTLS_ERR_SSL_WANT_WRITE);
574
575 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
576 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
577 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);
578
579 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1)
580 == MBEDTLS_ERR_SSL_WANT_READ);
581
582exit:
583 mbedtls_test_ssl_message_queue_free(&queue);
584 USE_PSA_DONE();
585}
586/* END_CASE */
587
588/* BEGIN_CASE */
589void ssl_message_queue_interleaved()
590{
591 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
592
593 USE_PSA_INIT();
594 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 3) == 0);
595
596 /* Interleaved test - [2 pushes, 1 pop] twice, and then two pops
597 * (to wrap around the buffer) */
598 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
599 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 1) == 1);
600
601 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
602
603 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 2) == 2);
604 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 3) == 3);
605
606 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 1) == 1);
607 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 2) == 2);
608
609 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 5) == 5);
610 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, 8) == 8);
611
612 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 3) == 3);
613
614 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 5) == 5);
615
616 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, 8) == 8);
617
618exit:
619 mbedtls_test_ssl_message_queue_free(&queue);
620 USE_PSA_DONE();
621}
622/* END_CASE */
623
624/* BEGIN_CASE */
625void ssl_message_queue_insufficient_buffer()
626{
627 mbedtls_test_ssl_message_queue queue = SSL_MESSAGE_QUEUE_INIT;
628 size_t message_len = 10;
629 size_t buffer_len = 5;
630
631 USE_PSA_INIT();
632 TEST_ASSERT(mbedtls_test_ssl_message_queue_setup(&queue, 1) == 0);
633
634 /* Popping without a sufficient buffer */
635 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&queue, message_len)
636 == (int) message_len);
637 TEST_ASSERT(mbedtls_test_ssl_message_queue_pop_info(&queue, buffer_len)
638 == (int) buffer_len);
639exit:
640 mbedtls_test_ssl_message_queue_free(&queue);
641 USE_PSA_DONE();
642}
643/* END_CASE */
644
645/* BEGIN_CASE */
646void ssl_message_mock_uninitialized()
647{
648 enum { MSGLEN = 10 };
649 unsigned char message[MSGLEN] = { 0 }, received[MSGLEN];
650 mbedtls_test_mock_socket client, server;
651 mbedtls_test_ssl_message_queue server_queue, client_queue;
652 mbedtls_test_message_socket_context server_context, client_context;
653 mbedtls_test_message_socket_init(&server_context);
654 mbedtls_test_message_socket_init(&client_context);
655
656 USE_PSA_INIT();
657 /* Send with a NULL context */
658 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(NULL, message, MSGLEN)
659 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR);
660
661 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(NULL, message, MSGLEN)
662 == MBEDTLS_TEST_ERROR_CONTEXT_ERROR);
663
664 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
665 &client_queue, 1,
666 &server,
667 &server_context) == 0);
668
669 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
670 &server_queue, 1,
671 &client,
672 &client_context) == 0);
673
674 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
675 MSGLEN)
676 == MBEDTLS_TEST_ERROR_SEND_FAILED);
677
678 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
679 MSGLEN)
680 == MBEDTLS_ERR_SSL_WANT_READ);
681
682 /* Push directly to a queue to later simulate a disconnected behavior */
683 TEST_ASSERT(mbedtls_test_ssl_message_queue_push_info(&server_queue,
684 MSGLEN)
685 == MSGLEN);
686
687 /* Test if there's an error when trying to read from a disconnected
688 * socket */
689 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
690 MSGLEN)
691 == MBEDTLS_TEST_ERROR_RECV_FAILED);
692exit:
693 mbedtls_test_message_socket_close(&server_context);
694 mbedtls_test_message_socket_close(&client_context);
695 USE_PSA_DONE();
696}
697/* END_CASE */
698
699/* BEGIN_CASE */
700void ssl_message_mock_basic()
701{
702 enum { MSGLEN = 10 };
703 unsigned char message[MSGLEN], received[MSGLEN];
704 mbedtls_test_mock_socket client, server;
705 unsigned i;
706 mbedtls_test_ssl_message_queue server_queue, client_queue;
707 mbedtls_test_message_socket_context server_context, client_context;
708
709 mbedtls_test_message_socket_init(&server_context);
710 mbedtls_test_message_socket_init(&client_context);
711 USE_PSA_INIT();
712
713 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
714 &client_queue, 1,
715 &server,
716 &server_context) == 0);
717
718 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
719 &server_queue, 1,
720 &client,
721 &client_context) == 0);
722
723 /* Fill up the buffer with structured data so that unwanted changes
724 * can be detected */
725 for (i = 0; i < MSGLEN; i++) {
726 message[i] = i & 0xFF;
727 }
728 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
729 MSGLEN));
730
731 /* Send the message to the server */
732 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
733 MSGLEN) == MSGLEN);
734
735 /* Read from the server */
736 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
737 MSGLEN)
738 == MSGLEN);
739
740 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
741 memset(received, 0, MSGLEN);
742
743 /* Send the message to the client */
744 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
745 MSGLEN)
746 == MSGLEN);
747
748 /* Read from the client */
749 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
750 MSGLEN)
751 == MSGLEN);
752 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
753
754exit:
755 mbedtls_test_message_socket_close(&server_context);
756 mbedtls_test_message_socket_close(&client_context);
757 USE_PSA_DONE();
758}
759/* END_CASE */
760
761/* BEGIN_CASE */
762void ssl_message_mock_queue_overflow_underflow()
763{
764 enum { MSGLEN = 10 };
765 unsigned char message[MSGLEN], received[MSGLEN];
766 mbedtls_test_mock_socket client, server;
767 unsigned i;
768 mbedtls_test_ssl_message_queue server_queue, client_queue;
769 mbedtls_test_message_socket_context server_context, client_context;
770
771 mbedtls_test_message_socket_init(&server_context);
772 mbedtls_test_message_socket_init(&client_context);
773 USE_PSA_INIT();
774
775 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
776 &client_queue, 2,
777 &server,
778 &server_context) == 0);
779
780 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
781 &server_queue, 2,
782 &client,
783 &client_context) == 0);
784
785 /* Fill up the buffer with structured data so that unwanted changes
786 * can be detected */
787 for (i = 0; i < MSGLEN; i++) {
788 message[i] = i & 0xFF;
789 }
790 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
791 MSGLEN*2));
792
793 /* Send three message to the server, last one with an error */
794 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
795 MSGLEN - 1)
796 == MSGLEN - 1);
797
798 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
799 MSGLEN)
800 == MSGLEN);
801
802 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
803 MSGLEN)
804 == MBEDTLS_ERR_SSL_WANT_WRITE);
805
806 /* Read three messages from the server, last one with an error */
807 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
808 MSGLEN - 1)
809 == MSGLEN - 1);
810
811 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
812 MSGLEN)
813 == MSGLEN);
814
815 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
816
817 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
818 MSGLEN)
819 == MBEDTLS_ERR_SSL_WANT_READ);
820
821exit:
822 mbedtls_test_message_socket_close(&server_context);
823 mbedtls_test_message_socket_close(&client_context);
824 USE_PSA_DONE();
825}
826/* END_CASE */
827
828/* BEGIN_CASE */
829void ssl_message_mock_socket_overflow()
830{
831 enum { MSGLEN = 10 };
832 unsigned char message[MSGLEN], received[MSGLEN];
833 mbedtls_test_mock_socket client, server;
834 unsigned i;
835 mbedtls_test_ssl_message_queue server_queue, client_queue;
836 mbedtls_test_message_socket_context server_context, client_context;
837
838 mbedtls_test_message_socket_init(&server_context);
839 mbedtls_test_message_socket_init(&client_context);
840 USE_PSA_INIT();
841
842 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
843 &client_queue, 2,
844 &server,
845 &server_context) == 0);
846
847 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
848 &server_queue, 2,
849 &client,
850 &client_context) == 0);
851
852 /* Fill up the buffer with structured data so that unwanted changes
853 * can be detected */
854 for (i = 0; i < MSGLEN; i++) {
855 message[i] = i & 0xFF;
856 }
857 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
858 MSGLEN));
859
860 /* Send two message to the server, second one with an error */
861 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
862 MSGLEN)
863 == MSGLEN);
864
865 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
866 MSGLEN)
867 == MBEDTLS_TEST_ERROR_SEND_FAILED);
868
869 /* Read the only message from the server */
870 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
871 MSGLEN)
872 == MSGLEN);
873
874 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
875
876exit:
877 mbedtls_test_message_socket_close(&server_context);
878 mbedtls_test_message_socket_close(&client_context);
879 USE_PSA_DONE();
880}
881/* END_CASE */
882
883/* BEGIN_CASE */
884void ssl_message_mock_truncated()
885{
886 enum { MSGLEN = 10 };
887 unsigned char message[MSGLEN], received[MSGLEN];
888 mbedtls_test_mock_socket client, server;
889 unsigned i;
890 mbedtls_test_ssl_message_queue server_queue, client_queue;
891 mbedtls_test_message_socket_context server_context, client_context;
892
893 mbedtls_test_message_socket_init(&server_context);
894 mbedtls_test_message_socket_init(&client_context);
895 USE_PSA_INIT();
896
897 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
898 &client_queue, 2,
899 &server,
900 &server_context) == 0);
901
902 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
903 &server_queue, 2,
904 &client,
905 &client_context) == 0);
906
907 memset(received, 0, MSGLEN);
908 /* Fill up the buffer with structured data so that unwanted changes
909 * can be detected */
910 for (i = 0; i < MSGLEN; i++) {
911 message[i] = i & 0xFF;
912 }
913 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
914 2 * MSGLEN));
915
916 /* Send two messages to the server, the second one small enough to fit in the
917 * receiver's buffer. */
918 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
919 MSGLEN)
920 == MSGLEN);
921 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
922 MSGLEN / 2)
923 == MSGLEN / 2);
924 /* Read a truncated message from the server */
925 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
926 MSGLEN/2)
927 == MSGLEN/2);
928
929 /* Test that the first half of the message is valid, and second one isn't */
930 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0);
931 TEST_ASSERT(memcmp(message + MSGLEN/2, received + MSGLEN/2, MSGLEN/2)
932 != 0);
933 memset(received, 0, MSGLEN);
934
935 /* Read a full message from the server */
936 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
937 MSGLEN/2)
938 == MSGLEN / 2);
939
940 /* Test that the first half of the message is valid */
941 TEST_ASSERT(memcmp(message, received, MSGLEN/2) == 0);
942
943exit:
944 mbedtls_test_message_socket_close(&server_context);
945 mbedtls_test_message_socket_close(&client_context);
946 USE_PSA_DONE();
947}
948/* END_CASE */
949
950/* BEGIN_CASE */
951void ssl_message_mock_socket_read_error()
952{
953 enum { MSGLEN = 10 };
954 unsigned char message[MSGLEN], received[MSGLEN];
955 mbedtls_test_mock_socket client, server;
956 unsigned i;
957 mbedtls_test_ssl_message_queue server_queue, client_queue;
958 mbedtls_test_message_socket_context server_context, client_context;
959
960 mbedtls_test_message_socket_init(&server_context);
961 mbedtls_test_message_socket_init(&client_context);
962 USE_PSA_INIT();
963
964 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
965 &client_queue, 1,
966 &server,
967 &server_context) == 0);
968
969 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
970 &server_queue, 1,
971 &client,
972 &client_context) == 0);
973
974 /* Fill up the buffer with structured data so that unwanted changes
975 * can be detected */
976 for (i = 0; i < MSGLEN; i++) {
977 message[i] = i & 0xFF;
978 }
979 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
980 MSGLEN));
981
982 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
983 MSGLEN)
984 == MSGLEN);
985
986 /* Force a read error by disconnecting the socket by hand */
987 server.status = 0;
988 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
989 MSGLEN)
990 == MBEDTLS_TEST_ERROR_RECV_FAILED);
991 /* Return to a valid state */
992 server.status = MBEDTLS_MOCK_SOCKET_CONNECTED;
993
994 memset(received, 0, sizeof(received));
995
996 /* Test that even though the server tried to read once disconnected, the
997 * continuity is preserved */
998 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
999 MSGLEN)
1000 == MSGLEN);
1001
1002 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1003
1004exit:
1005 mbedtls_test_message_socket_close(&server_context);
1006 mbedtls_test_message_socket_close(&client_context);
1007 USE_PSA_DONE();
1008}
1009/* END_CASE */
1010
1011/* BEGIN_CASE */
1012void ssl_message_mock_interleaved_one_way()
1013{
1014 enum { MSGLEN = 10 };
1015 unsigned char message[MSGLEN], received[MSGLEN];
1016 mbedtls_test_mock_socket client, server;
1017 unsigned i;
1018 mbedtls_test_ssl_message_queue server_queue, client_queue;
1019 mbedtls_test_message_socket_context server_context, client_context;
1020
1021 mbedtls_test_message_socket_init(&server_context);
1022 mbedtls_test_message_socket_init(&client_context);
1023 USE_PSA_INIT();
1024
1025 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
1026 &client_queue, 3,
1027 &server,
1028 &server_context) == 0);
1029
1030 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
1031 &server_queue, 3,
1032 &client,
1033 &client_context) == 0);
1034
1035 /* Fill up the buffer with structured data so that unwanted changes
1036 * can be detected */
1037 for (i = 0; i < MSGLEN; i++) {
1038 message[i] = i & 0xFF;
1039 }
1040 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
1041 MSGLEN*3));
1042
1043 /* Interleaved test - [2 sends, 1 read] twice, and then two reads
1044 * (to wrap around the buffer) */
1045 for (i = 0; i < 2; i++) {
1046 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
1047 MSGLEN) == MSGLEN);
1048
1049 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
1050 MSGLEN) == MSGLEN);
1051
1052 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1053 MSGLEN) == MSGLEN);
1054 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1055 memset(received, 0, sizeof(received));
1056 }
1057
1058 for (i = 0; i < 2; i++) {
1059 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1060 MSGLEN) == MSGLEN);
1061
1062 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1063 }
1064 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1065 MSGLEN)
1066 == MBEDTLS_ERR_SSL_WANT_READ);
1067exit:
1068 mbedtls_test_message_socket_close(&server_context);
1069 mbedtls_test_message_socket_close(&client_context);
1070 USE_PSA_DONE();
1071}
1072/* END_CASE */
1073
1074/* BEGIN_CASE */
1075void ssl_message_mock_interleaved_two_ways()
1076{
1077 enum { MSGLEN = 10 };
1078 unsigned char message[MSGLEN], received[MSGLEN];
1079 mbedtls_test_mock_socket client, server;
1080 unsigned i;
1081 mbedtls_test_ssl_message_queue server_queue, client_queue;
1082 mbedtls_test_message_socket_context server_context, client_context;
1083
1084 mbedtls_test_message_socket_init(&server_context);
1085 mbedtls_test_message_socket_init(&client_context);
1086 USE_PSA_INIT();
1087
1088 TEST_ASSERT(mbedtls_test_message_socket_setup(&server_queue,
1089 &client_queue, 3,
1090 &server,
1091 &server_context) == 0);
1092
1093 TEST_ASSERT(mbedtls_test_message_socket_setup(&client_queue,
1094 &server_queue, 3,
1095 &client,
1096 &client_context) == 0);
1097
1098 /* Fill up the buffer with structured data so that unwanted changes
1099 * can be detected */
1100 for (i = 0; i < MSGLEN; i++) {
1101 message[i] = i & 0xFF;
1102 }
1103 TEST_ASSERT(0 == mbedtls_test_mock_socket_connect(&client, &server,
1104 MSGLEN*3));
1105
1106 /* Interleaved test - [2 sends, 1 read] twice, both ways, and then two reads
1107 * (to wrap around the buffer) both ways. */
1108 for (i = 0; i < 2; i++) {
1109 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
1110 MSGLEN) == MSGLEN);
1111
1112 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&client_context, message,
1113 MSGLEN) == MSGLEN);
1114
1115 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
1116 MSGLEN) == MSGLEN);
1117
1118 TEST_ASSERT(mbedtls_test_mock_tcp_send_msg(&server_context, message,
1119 MSGLEN) == MSGLEN);
1120
1121 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1122 MSGLEN) == MSGLEN);
1123
1124 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1125
1126 memset(received, 0, sizeof(received));
1127
1128 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
1129 MSGLEN) == MSGLEN);
1130
1131 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1132
1133 memset(received, 0, sizeof(received));
1134 }
1135
1136 for (i = 0; i < 2; i++) {
1137 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1138 MSGLEN) == MSGLEN);
1139
1140 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1141 memset(received, 0, sizeof(received));
1142
1143 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
1144 MSGLEN) == MSGLEN);
1145
1146 TEST_ASSERT(memcmp(message, received, MSGLEN) == 0);
1147 memset(received, 0, sizeof(received));
1148 }
1149
1150 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&server_context, received,
1151 MSGLEN)
1152 == MBEDTLS_ERR_SSL_WANT_READ);
1153
1154 TEST_ASSERT(mbedtls_test_mock_tcp_recv_msg(&client_context, received,
1155 MSGLEN)
1156 == MBEDTLS_ERR_SSL_WANT_READ);
1157exit:
1158 mbedtls_test_message_socket_close(&server_context);
1159 mbedtls_test_message_socket_close(&client_context);
1160 USE_PSA_DONE();
1161}
1162/* END_CASE */
1163
1164/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_ANTI_REPLAY */
1165void ssl_dtls_replay(data_t *prevs, data_t *new, int ret)
1166{
1167 uint32_t len = 0;
1168 mbedtls_ssl_context ssl;
1169 mbedtls_ssl_config conf;
1170
1171 mbedtls_ssl_init(&ssl);
1172 mbedtls_ssl_config_init(&conf);
1173 MD_OR_USE_PSA_INIT();
1174
1175 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
1176 MBEDTLS_SSL_IS_CLIENT,
1177 MBEDTLS_SSL_TRANSPORT_DATAGRAM,
1178 MBEDTLS_SSL_PRESET_DEFAULT) == 0);
1179 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
1180
1181 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
1182
1183 /* Read previous record numbers */
1184 for (len = 0; len < prevs->len; len += 6) {
1185 memcpy(ssl.in_ctr + 2, prevs->x + len, 6);
1186 mbedtls_ssl_dtls_replay_update(&ssl);
1187 }
1188
1189 /* Check new number */
1190 memcpy(ssl.in_ctr + 2, new->x, 6);
1191 TEST_ASSERT(mbedtls_ssl_dtls_replay_check(&ssl) == ret);
1192
1193exit:
1194 mbedtls_ssl_free(&ssl);
1195 mbedtls_ssl_config_free(&conf);
1196 MD_OR_USE_PSA_DONE();
1197}
1198/* END_CASE */
1199
1200/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1201void ssl_set_hostname_twice(char *input_hostname0, char *input_hostname1)
1202{
1203 const char *output_hostname;
1204 mbedtls_ssl_context ssl;
1205
1206 mbedtls_ssl_init(&ssl);
1207 USE_PSA_INIT();
1208
1209 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname0) == 0);
1210 output_hostname = mbedtls_ssl_get_hostname(&ssl);
1211 TEST_ASSERT(strcmp(input_hostname0, output_hostname) == 0);
1212
1213 TEST_ASSERT(mbedtls_ssl_set_hostname(&ssl, input_hostname1) == 0);
1214 output_hostname = mbedtls_ssl_get_hostname(&ssl);
1215 TEST_ASSERT(strcmp(input_hostname1, output_hostname) == 0);
1216
1217exit:
1218 mbedtls_ssl_free(&ssl);
1219 USE_PSA_DONE();
1220}
1221/* END_CASE */
1222
1223/* BEGIN_CASE */
1224void ssl_crypt_record(int cipher_type, int hash_id,
1225 int etm, int tag_mode, int ver,
1226 int cid0_len, int cid1_len)
1227{
1228 /*
1229 * Test several record encryptions and decryptions
1230 * with plenty of space before and after the data
1231 * within the record buffer.
1232 */
1233
1234 int ret;
1235 int num_records = 16;
1236 mbedtls_ssl_context ssl; /* ONLY for debugging */
1237
1238 mbedtls_ssl_transform t0, t1;
1239 unsigned char *buf = NULL;
1240 size_t const buflen = 512;
1241 mbedtls_record rec, rec_backup;
1242
1243 mbedtls_ssl_init(&ssl);
1244 mbedtls_ssl_transform_init(&t0);
1245 mbedtls_ssl_transform_init(&t1);
1246 MD_OR_USE_PSA_INIT();
1247
1248 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
1249 etm, tag_mode, ver,
1250 (size_t) cid0_len,
1251 (size_t) cid1_len);
1252
1253 TEST_ASSERT(ret == 0);
1254
1255 TEST_CALLOC(buf, buflen);
1256
1257 while (num_records-- > 0) {
1258 mbedtls_ssl_transform *t_dec, *t_enc;
1259 /* Take turns in who's sending and who's receiving. */
1260 if (num_records % 3 == 0) {
1261 t_dec = &t0;
1262 t_enc = &t1;
1263 } else {
1264 t_dec = &t1;
1265 t_enc = &t0;
1266 }
1267
1268 /*
1269 * The record header affects the transformation in two ways:
1270 * 1) It determines the AEAD additional data
1271 * 2) The record counter sometimes determines the IV.
1272 *
1273 * Apart from that, the fields don't have influence.
1274 * In particular, it is currently not the responsibility
1275 * of ssl_encrypt/decrypt_buf to check if the transform
1276 * version matches the record version, or that the
1277 * type is sensible.
1278 */
1279
1280 memset(rec.ctr, num_records, sizeof(rec.ctr));
1281 rec.type = 42;
1282 rec.ver[0] = num_records;
1283 rec.ver[1] = num_records;
1284#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1285 rec.cid_len = 0;
1286#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1287
1288 rec.buf = buf;
1289 rec.buf_len = buflen;
1290 rec.data_offset = 16;
1291 /* Make sure to vary the length to exercise different
1292 * paddings. */
1293 rec.data_len = 1 + num_records;
1294
1295 memset(rec.buf + rec.data_offset, 42, rec.data_len);
1296
1297 /* Make a copy for later comparison */
1298 rec_backup = rec;
1299
1300 /* Encrypt record */
1301 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec,
1302 mbedtls_test_rnd_std_rand, NULL);
1303 TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
1304 if (ret != 0) {
1305 continue;
1306 }
1307
1308#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1309 if (rec.cid_len != 0) {
1310 /* DTLS 1.2 + CID hides the real content type and
1311 * uses a special CID content type in the protected
1312 * record. Double-check this. */
1313 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID);
1314 }
1315#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1316
1317#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1318 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1319 /* TLS 1.3 hides the real content type and
1320 * always uses Application Data as the content type
1321 * for protected records. Double-check this. */
1322 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA);
1323 }
1324#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1325
1326 /* Decrypt record with t_dec */
1327 ret = mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec);
1328 TEST_ASSERT(ret == 0);
1329
1330 /* Compare results */
1331 TEST_ASSERT(rec.type == rec_backup.type);
1332 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0);
1333 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]);
1334 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]);
1335 TEST_ASSERT(rec.data_len == rec_backup.data_len);
1336 TEST_ASSERT(rec.data_offset == rec_backup.data_offset);
1337 TEST_ASSERT(memcmp(rec.buf + rec.data_offset,
1338 rec_backup.buf + rec_backup.data_offset,
1339 rec.data_len) == 0);
1340 }
1341
1342exit:
1343
1344 /* Cleanup */
1345 mbedtls_ssl_free(&ssl);
1346 mbedtls_ssl_transform_free(&t0);
1347 mbedtls_ssl_transform_free(&t1);
1348
1349 mbedtls_free(buf);
1350 MD_OR_USE_PSA_DONE();
1351}
1352/* END_CASE */
1353
1354/* BEGIN_CASE */
1355void ssl_crypt_record_small(int cipher_type, int hash_id,
1356 int etm, int tag_mode, int ver,
1357 int cid0_len, int cid1_len)
1358{
1359 /*
1360 * Test pairs of encryption and decryption with an increasing
1361 * amount of space in the record buffer - in more detail:
1362 * 1) Try to encrypt with 0, 1, 2, ... bytes available
1363 * in front of the plaintext, and expect the encryption
1364 * to succeed starting from some offset. Always keep
1365 * enough space in the end of the buffer.
1366 * 2) Try to encrypt with 0, 1, 2, ... bytes available
1367 * at the end of the plaintext, and expect the encryption
1368 * to succeed starting from some offset. Always keep
1369 * enough space at the beginning of the buffer.
1370 * 3) Try to encrypt with 0, 1, 2, ... bytes available
1371 * both at the front and end of the plaintext,
1372 * and expect the encryption to succeed starting from
1373 * some offset.
1374 *
1375 * If encryption succeeds, check that decryption succeeds
1376 * and yields the original record.
1377 */
1378
1379 mbedtls_ssl_context ssl; /* ONLY for debugging */
1380
1381 mbedtls_ssl_transform t0, t1;
1382 unsigned char *buf = NULL;
1383 size_t const buflen = 256;
1384 mbedtls_record rec, rec_backup;
1385
1386 int ret;
1387 int mode; /* Mode 1, 2 or 3 as explained above */
1388 size_t offset; /* Available space at beginning/end/both */
1389 size_t threshold = 96; /* Maximum offset to test against */
1390
1391 size_t default_pre_padding = 64; /* Pre-padding to use in mode 2 */
1392 size_t default_post_padding = 128; /* Post-padding to use in mode 1 */
1393
1394 int seen_success; /* Indicates if in the current mode we've
1395 * already seen a successful test. */
1396
1397 mbedtls_ssl_init(&ssl);
1398 mbedtls_ssl_transform_init(&t0);
1399 mbedtls_ssl_transform_init(&t1);
1400 MD_OR_USE_PSA_INIT();
1401
1402 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
1403 etm, tag_mode, ver,
1404 (size_t) cid0_len,
1405 (size_t) cid1_len);
1406
1407 TEST_ASSERT(ret == 0);
1408
1409 TEST_CALLOC(buf, buflen);
1410
1411 for (mode = 1; mode <= 3; mode++) {
1412 seen_success = 0;
1413 for (offset = 0; offset <= threshold; offset++) {
1414 mbedtls_ssl_transform *t_dec, *t_enc;
1415 t_dec = &t0;
1416 t_enc = &t1;
1417
1418 memset(rec.ctr, offset, sizeof(rec.ctr));
1419 rec.type = 42;
1420 rec.ver[0] = offset;
1421 rec.ver[1] = offset;
1422 rec.buf = buf;
1423 rec.buf_len = buflen;
1424#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1425 rec.cid_len = 0;
1426#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1427
1428 switch (mode) {
1429 case 1: /* Space in the beginning */
1430 rec.data_offset = offset;
1431 rec.data_len = buflen - offset - default_post_padding;
1432 break;
1433
1434 case 2: /* Space in the end */
1435 rec.data_offset = default_pre_padding;
1436 rec.data_len = buflen - default_pre_padding - offset;
1437 break;
1438
1439 case 3: /* Space in the beginning and end */
1440 rec.data_offset = offset;
1441 rec.data_len = buflen - 2 * offset;
1442 break;
1443
1444 default:
1445 TEST_ASSERT(0);
1446 break;
1447 }
1448
1449 memset(rec.buf + rec.data_offset, 42, rec.data_len);
1450
1451 /* Make a copy for later comparison */
1452 rec_backup = rec;
1453
1454 /* Encrypt record */
1455 ret = mbedtls_ssl_encrypt_buf(&ssl, t_enc, &rec,
1456 mbedtls_test_rnd_std_rand, NULL);
1457
1458 if (ret == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
1459 /* It's ok if the output buffer is too small. We do insist
1460 * on at least one mode succeeding; this is tracked by
1461 * seen_success. */
1462 continue;
1463 }
1464
1465 TEST_EQUAL(ret, 0);
1466 seen_success = 1;
1467
1468#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1469 if (rec.cid_len != 0) {
1470 /* DTLS 1.2 + CID hides the real content type and
1471 * uses a special CID content type in the protected
1472 * record. Double-check this. */
1473 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_CID);
1474 }
1475#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1476
1477#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1478 if (t_enc->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1479 /* TLS 1.3 hides the real content type and
1480 * always uses Application Data as the content type
1481 * for protected records. Double-check this. */
1482 TEST_ASSERT(rec.type == MBEDTLS_SSL_MSG_APPLICATION_DATA);
1483 }
1484#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1485
1486 /* Decrypt record with t_dec */
1487 TEST_ASSERT(mbedtls_ssl_decrypt_buf(&ssl, t_dec, &rec) == 0);
1488
1489 /* Compare results */
1490 TEST_ASSERT(rec.type == rec_backup.type);
1491 TEST_ASSERT(memcmp(rec.ctr, rec_backup.ctr, 8) == 0);
1492 TEST_ASSERT(rec.ver[0] == rec_backup.ver[0]);
1493 TEST_ASSERT(rec.ver[1] == rec_backup.ver[1]);
1494 TEST_ASSERT(rec.data_len == rec_backup.data_len);
1495 TEST_ASSERT(rec.data_offset == rec_backup.data_offset);
1496 TEST_ASSERT(memcmp(rec.buf + rec.data_offset,
1497 rec_backup.buf + rec_backup.data_offset,
1498 rec.data_len) == 0);
1499 }
1500
1501 TEST_ASSERT(seen_success == 1);
1502 }
1503
1504exit:
1505
1506 /* Cleanup */
1507 mbedtls_ssl_free(&ssl);
1508 mbedtls_ssl_transform_free(&t0);
1509 mbedtls_ssl_transform_free(&t1);
1510
1511 mbedtls_free(buf);
1512 MD_OR_USE_PSA_DONE();
1513}
1514/* END_CASE */
1515
1516/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1517void ssl_tls13_hkdf_expand_label(int hash_alg,
1518 data_t *secret,
1519 int label_idx,
1520 data_t *ctx,
1521 int desired_length,
1522 data_t *expected)
1523{
1524 unsigned char dst[100];
1525
1526 unsigned char const *lbl = NULL;
1527 size_t lbl_len;
1528#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
1529 if (label_idx == (int) tls13_label_ ## name) \
1530 { \
1531 lbl = mbedtls_ssl_tls13_labels.name; \
1532 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \
1533 }
1534 MBEDTLS_SSL_TLS1_3_LABEL_LIST
1535#undef MBEDTLS_SSL_TLS1_3_LABEL
1536 TEST_ASSERT(lbl != NULL);
1537
1538 /* Check sanity of test parameters. */
1539 TEST_ASSERT((size_t) desired_length <= sizeof(dst));
1540 TEST_ASSERT((size_t) desired_length == expected->len);
1541
1542 PSA_INIT();
1543
1544 TEST_ASSERT(mbedtls_ssl_tls13_hkdf_expand_label(
1545 (psa_algorithm_t) hash_alg,
1546 secret->x, secret->len,
1547 lbl, lbl_len,
1548 ctx->x, ctx->len,
1549 dst, desired_length) == 0);
1550
1551 TEST_MEMORY_COMPARE(dst, (size_t) desired_length,
1552 expected->x, (size_t) expected->len);
1553
1554exit:
1555 PSA_DONE();
1556}
1557/* END_CASE */
1558
1559/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1560void ssl_tls13_traffic_key_generation(int hash_alg,
1561 data_t *server_secret,
1562 data_t *client_secret,
1563 int desired_iv_len,
1564 int desired_key_len,
1565 data_t *expected_server_write_key,
1566 data_t *expected_server_write_iv,
1567 data_t *expected_client_write_key,
1568 data_t *expected_client_write_iv)
1569{
1570 mbedtls_ssl_key_set keys;
1571
1572 /* Check sanity of test parameters. */
1573 TEST_ASSERT(client_secret->len == server_secret->len);
1574 TEST_ASSERT(
1575 expected_client_write_iv->len == expected_server_write_iv->len &&
1576 expected_client_write_iv->len == (size_t) desired_iv_len);
1577 TEST_ASSERT(
1578 expected_client_write_key->len == expected_server_write_key->len &&
1579 expected_client_write_key->len == (size_t) desired_key_len);
1580
1581 PSA_INIT();
1582
1583 TEST_ASSERT(mbedtls_ssl_tls13_make_traffic_keys(
1584 (psa_algorithm_t) hash_alg,
1585 client_secret->x,
1586 server_secret->x,
1587 client_secret->len /* == server_secret->len */,
1588 desired_key_len, desired_iv_len,
1589 &keys) == 0);
1590
1591 TEST_MEMORY_COMPARE(keys.client_write_key,
1592 keys.key_len,
1593 expected_client_write_key->x,
1594 (size_t) desired_key_len);
1595 TEST_MEMORY_COMPARE(keys.server_write_key,
1596 keys.key_len,
1597 expected_server_write_key->x,
1598 (size_t) desired_key_len);
1599 TEST_MEMORY_COMPARE(keys.client_write_iv,
1600 keys.iv_len,
1601 expected_client_write_iv->x,
1602 (size_t) desired_iv_len);
1603 TEST_MEMORY_COMPARE(keys.server_write_iv,
1604 keys.iv_len,
1605 expected_server_write_iv->x,
1606 (size_t) desired_iv_len);
1607
1608exit:
1609 PSA_DONE();
1610}
1611/* END_CASE */
1612
1613/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1614void ssl_tls13_derive_secret(int hash_alg,
1615 data_t *secret,
1616 int label_idx,
1617 data_t *ctx,
1618 int desired_length,
1619 int already_hashed,
1620 data_t *expected)
1621{
1622 unsigned char dst[100];
1623
1624 unsigned char const *lbl = NULL;
1625 size_t lbl_len;
1626#define MBEDTLS_SSL_TLS1_3_LABEL(name, string) \
1627 if (label_idx == (int) tls13_label_ ## name) \
1628 { \
1629 lbl = mbedtls_ssl_tls13_labels.name; \
1630 lbl_len = sizeof(mbedtls_ssl_tls13_labels.name); \
1631 }
1632 MBEDTLS_SSL_TLS1_3_LABEL_LIST
1633#undef MBEDTLS_SSL_TLS1_3_LABEL
1634 TEST_ASSERT(lbl != NULL);
1635
1636 /* Check sanity of test parameters. */
1637 TEST_ASSERT((size_t) desired_length <= sizeof(dst));
1638 TEST_ASSERT((size_t) desired_length == expected->len);
1639
1640 PSA_INIT();
1641
1642 TEST_ASSERT(mbedtls_ssl_tls13_derive_secret(
1643 (psa_algorithm_t) hash_alg,
1644 secret->x, secret->len,
1645 lbl, lbl_len,
1646 ctx->x, ctx->len,
1647 already_hashed,
1648 dst, desired_length) == 0);
1649
1650 TEST_MEMORY_COMPARE(dst, desired_length,
1651 expected->x, desired_length);
1652
1653exit:
1654 PSA_DONE();
1655}
1656/* END_CASE */
1657
1658/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1659void ssl_tls13_derive_early_secrets(int hash_alg,
1660 data_t *secret,
1661 data_t *transcript,
1662 data_t *traffic_expected,
1663 data_t *exporter_expected)
1664{
1665 mbedtls_ssl_tls13_early_secrets secrets;
1666
1667 /* Double-check that we've passed sane parameters. */
1668 psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
1669 size_t const hash_len = PSA_HASH_LENGTH(alg);
1670 TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
1671 secret->len == hash_len &&
1672 transcript->len == hash_len &&
1673 traffic_expected->len == hash_len &&
1674 exporter_expected->len == hash_len);
1675
1676 PSA_INIT();
1677
1678 TEST_ASSERT(mbedtls_ssl_tls13_derive_early_secrets(
1679 alg, secret->x, transcript->x, transcript->len,
1680 &secrets) == 0);
1681
1682 TEST_MEMORY_COMPARE(secrets.client_early_traffic_secret, hash_len,
1683 traffic_expected->x, traffic_expected->len);
1684 TEST_MEMORY_COMPARE(secrets.early_exporter_master_secret, hash_len,
1685 exporter_expected->x, exporter_expected->len);
1686
1687exit:
1688 PSA_DONE();
1689}
1690/* END_CASE */
1691
1692/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1693void ssl_tls13_derive_handshake_secrets(int hash_alg,
1694 data_t *secret,
1695 data_t *transcript,
1696 data_t *client_expected,
1697 data_t *server_expected)
1698{
1699 mbedtls_ssl_tls13_handshake_secrets secrets;
1700
1701 /* Double-check that we've passed sane parameters. */
1702 psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
1703 size_t const hash_len = PSA_HASH_LENGTH(alg);
1704 TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
1705 secret->len == hash_len &&
1706 transcript->len == hash_len &&
1707 client_expected->len == hash_len &&
1708 server_expected->len == hash_len);
1709
1710 PSA_INIT();
1711
1712 TEST_ASSERT(mbedtls_ssl_tls13_derive_handshake_secrets(
1713 alg, secret->x, transcript->x, transcript->len,
1714 &secrets) == 0);
1715
1716 TEST_MEMORY_COMPARE(secrets.client_handshake_traffic_secret, hash_len,
1717 client_expected->x, client_expected->len);
1718 TEST_MEMORY_COMPARE(secrets.server_handshake_traffic_secret, hash_len,
1719 server_expected->x, server_expected->len);
1720
1721exit:
1722 PSA_DONE();
1723}
1724/* END_CASE */
1725
1726/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1727void ssl_tls13_derive_application_secrets(int hash_alg,
1728 data_t *secret,
1729 data_t *transcript,
1730 data_t *client_expected,
1731 data_t *server_expected,
1732 data_t *exporter_expected)
1733{
1734 mbedtls_ssl_tls13_application_secrets secrets;
1735
1736 /* Double-check that we've passed sane parameters. */
1737 psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
1738 size_t const hash_len = PSA_HASH_LENGTH(alg);
1739 TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
1740 secret->len == hash_len &&
1741 transcript->len == hash_len &&
1742 client_expected->len == hash_len &&
1743 server_expected->len == hash_len &&
1744 exporter_expected->len == hash_len);
1745
1746 PSA_INIT();
1747
1748 TEST_ASSERT(mbedtls_ssl_tls13_derive_application_secrets(
1749 alg, secret->x, transcript->x, transcript->len,
1750 &secrets) == 0);
1751
1752 TEST_MEMORY_COMPARE(secrets.client_application_traffic_secret_N, hash_len,
1753 client_expected->x, client_expected->len);
1754 TEST_MEMORY_COMPARE(secrets.server_application_traffic_secret_N, hash_len,
1755 server_expected->x, server_expected->len);
1756 TEST_MEMORY_COMPARE(secrets.exporter_master_secret, hash_len,
1757 exporter_expected->x, exporter_expected->len);
1758
1759exit:
1760 PSA_DONE();
1761}
1762/* END_CASE */
1763
1764/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1765void ssl_tls13_derive_resumption_secrets(int hash_alg,
1766 data_t *secret,
1767 data_t *transcript,
1768 data_t *resumption_expected)
1769{
1770 mbedtls_ssl_tls13_application_secrets secrets;
1771
1772 /* Double-check that we've passed sane parameters. */
1773 psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
1774 size_t const hash_len = PSA_HASH_LENGTH(alg);
1775 TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
1776 secret->len == hash_len &&
1777 transcript->len == hash_len &&
1778 resumption_expected->len == hash_len);
1779
1780 PSA_INIT();
1781
1782 TEST_ASSERT(mbedtls_ssl_tls13_derive_resumption_master_secret(
1783 alg, secret->x, transcript->x, transcript->len,
1784 &secrets) == 0);
1785
1786 TEST_MEMORY_COMPARE(secrets.resumption_master_secret, hash_len,
1787 resumption_expected->x, resumption_expected->len);
1788
1789exit:
1790 PSA_DONE();
1791}
1792/* END_CASE */
1793
1794/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1795void ssl_tls13_create_psk_binder(int hash_alg,
1796 data_t *psk,
1797 int psk_type,
1798 data_t *transcript,
1799 data_t *binder_expected)
1800{
1801 unsigned char binder[MBEDTLS_MD_MAX_SIZE];
1802
1803 /* Double-check that we've passed sane parameters. */
1804 psa_algorithm_t alg = (psa_algorithm_t) hash_alg;
1805 size_t const hash_len = PSA_HASH_LENGTH(alg);
1806 TEST_ASSERT(PSA_ALG_IS_HASH(alg) &&
1807 transcript->len == hash_len &&
1808 binder_expected->len == hash_len);
1809
1810 PSA_INIT();
1811
1812 TEST_ASSERT(mbedtls_ssl_tls13_create_psk_binder(
1813 NULL, /* SSL context for debugging only */
1814 alg,
1815 psk->x, psk->len,
1816 psk_type,
1817 transcript->x,
1818 binder) == 0);
1819
1820 TEST_MEMORY_COMPARE(binder, hash_len,
1821 binder_expected->x, binder_expected->len);
1822
1823exit:
1824 PSA_DONE();
1825}
1826/* END_CASE */
1827
1828/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1829void ssl_tls13_record_protection(int ciphersuite,
1830 int endpoint,
1831 int ctr,
1832 int padding_used,
1833 data_t *server_write_key,
1834 data_t *server_write_iv,
1835 data_t *client_write_key,
1836 data_t *client_write_iv,
1837 data_t *plaintext,
1838 data_t *ciphertext)
1839{
1840 mbedtls_ssl_key_set keys;
1841 mbedtls_ssl_transform transform_send;
1842 mbedtls_ssl_transform_init(&transform_send);
1843 mbedtls_ssl_transform transform_recv;
1844 mbedtls_ssl_transform_init(&transform_recv);
1845 mbedtls_record rec;
1846 unsigned char *buf = NULL;
1847 size_t buf_len;
1848 int other_endpoint;
1849
1850 TEST_ASSERT(endpoint == MBEDTLS_SSL_IS_CLIENT ||
1851 endpoint == MBEDTLS_SSL_IS_SERVER);
1852
1853 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
1854 other_endpoint = MBEDTLS_SSL_IS_CLIENT;
1855 }
1856 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
1857 other_endpoint = MBEDTLS_SSL_IS_SERVER;
1858 }
1859
1860 TEST_ASSERT(server_write_key->len == client_write_key->len);
1861 TEST_ASSERT(server_write_iv->len == client_write_iv->len);
1862
1863 memcpy(keys.client_write_key,
1864 client_write_key->x, client_write_key->len);
1865 memcpy(keys.client_write_iv,
1866 client_write_iv->x, client_write_iv->len);
1867 memcpy(keys.server_write_key,
1868 server_write_key->x, server_write_key->len);
1869 memcpy(keys.server_write_iv,
1870 server_write_iv->x, server_write_iv->len);
1871
1872 keys.key_len = server_write_key->len;
1873 keys.iv_len = server_write_iv->len;
1874
1875 MD_OR_USE_PSA_INIT();
1876
1877 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
1878 &transform_send, endpoint,
1879 ciphersuite, &keys, NULL) == 0);
1880 TEST_ASSERT(mbedtls_ssl_tls13_populate_transform(
1881 &transform_recv, other_endpoint,
1882 ciphersuite, &keys, NULL) == 0);
1883
1884 /* Make sure we have enough space in the buffer even if
1885 * we use more padding than the KAT. */
1886 buf_len = ciphertext->len + MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY;
1887 TEST_CALLOC(buf, buf_len);
1888 rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
1889
1890 /* TLS 1.3 uses the version identifier from TLS 1.2 on the wire. */
1891 mbedtls_ssl_write_version(rec.ver,
1892 MBEDTLS_SSL_TRANSPORT_STREAM,
1893 MBEDTLS_SSL_VERSION_TLS1_2);
1894
1895 /* Copy plaintext into record structure */
1896 rec.buf = buf;
1897 rec.buf_len = buf_len;
1898 rec.data_offset = 0;
1899 TEST_ASSERT(plaintext->len <= ciphertext->len);
1900 memcpy(rec.buf + rec.data_offset, plaintext->x, plaintext->len);
1901 rec.data_len = plaintext->len;
1902#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1903 rec.cid_len = 0;
1904#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1905
1906 memset(&rec.ctr[0], 0, 8);
1907 rec.ctr[7] = ctr;
1908
1909 TEST_ASSERT(mbedtls_ssl_encrypt_buf(NULL, &transform_send, &rec,
1910 NULL, NULL) == 0);
1911
1912 if (padding_used == MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) {
1913 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,
1914 ciphertext->x, ciphertext->len);
1915 }
1916
1917 TEST_ASSERT(mbedtls_ssl_decrypt_buf(NULL, &transform_recv, &rec) == 0);
1918 TEST_MEMORY_COMPARE(rec.buf + rec.data_offset, rec.data_len,
1919 plaintext->x, plaintext->len);
1920
1921exit:
1922 mbedtls_free(buf);
1923 mbedtls_ssl_transform_free(&transform_send);
1924 mbedtls_ssl_transform_free(&transform_recv);
1925 MD_OR_USE_PSA_DONE();
1926}
1927/* END_CASE */
1928
1929/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */
1930void ssl_tls13_key_evolution(int hash_alg,
1931 data_t *secret,
1932 data_t *input,
1933 data_t *expected)
1934{
1935 unsigned char secret_new[MBEDTLS_MD_MAX_SIZE];
1936
1937 PSA_INIT();
1938
1939 TEST_ASSERT(mbedtls_ssl_tls13_evolve_secret(
1940 (psa_algorithm_t) hash_alg,
1941 secret->len ? secret->x : NULL,
1942 input->len ? input->x : NULL, input->len,
1943 secret_new) == 0);
1944
1945 TEST_MEMORY_COMPARE(secret_new, (size_t) expected->len,
1946 expected->x, (size_t) expected->len);
1947
1948exit:
1949 PSA_DONE();
1950}
1951/* END_CASE */
1952
1953/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2 */
1954void ssl_tls_prf(int type, data_t *secret, data_t *random,
1955 char *label, data_t *result_str, int exp_ret)
1956{
1957 unsigned char *output;
1958
1959 output = mbedtls_calloc(1, result_str->len);
1960 if (output == NULL) {
1961 goto exit;
1962 }
1963
1964 MD_OR_USE_PSA_INIT();
1965
1966 TEST_ASSERT(mbedtls_ssl_tls_prf(type, secret->x, secret->len,
1967 label, random->x, random->len,
1968 output, result_str->len) == exp_ret);
1969
1970 if (exp_ret == 0) {
1971 TEST_ASSERT(mbedtls_test_hexcmp(output, result_str->x,
1972 result_str->len, result_str->len) == 0);
1973 }
1974exit:
1975
1976 mbedtls_free(output);
1977 MD_OR_USE_PSA_DONE();
1978}
1979/* END_CASE */
1980
1981/* BEGIN_CASE */
1982void ssl_serialize_session_save_load(int ticket_len, char *crt_file,
1983 int endpoint_type, int tls_version)
1984{
1985 mbedtls_ssl_session original, restored;
1986 unsigned char *buf = NULL;
1987 size_t len;
1988
1989 /*
1990 * Test that a save-load pair is the identity
1991 */
1992 mbedtls_ssl_session_init(&original);
1993 mbedtls_ssl_session_init(&restored);
1994 USE_PSA_INIT();
1995
1996 /* Prepare a dummy session to work on */
1997 ((void) tls_version);
1998 ((void) ticket_len);
1999 ((void) crt_file);
2000#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2001 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2002 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2003 &original, 0, endpoint_type) == 0);
2004 }
2005#endif
2006
2007#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2008 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2009 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2010 &original, ticket_len, endpoint_type, crt_file) == 0);
2011 }
2012#endif
2013
2014 /* Serialize it */
2015 TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len)
2016 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
2017 TEST_CALLOC(buf, len);
2018 TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len)
2019 == 0);
2020
2021 /* Restore session from serialized data */
2022 TEST_ASSERT(mbedtls_ssl_session_load(&restored, buf, len) == 0);
2023
2024 /*
2025 * Make sure both session structures are identical
2026 */
2027#if defined(MBEDTLS_HAVE_TIME)
2028 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2029 TEST_ASSERT(original.start == restored.start);
2030 }
2031#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C)
2032 TEST_ASSERT(original.ticket_creation_time == restored.ticket_creation_time);
2033#endif
2034#endif /* MBEDTLS_HAVE_TIME */
2035
2036 TEST_ASSERT(original.tls_version == restored.tls_version);
2037 TEST_ASSERT(original.endpoint == restored.endpoint);
2038 TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
2039#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2040 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2041 TEST_ASSERT(original.id_len == restored.id_len);
2042 TEST_ASSERT(memcmp(original.id,
2043 restored.id, sizeof(original.id)) == 0);
2044 TEST_ASSERT(memcmp(original.master,
2045 restored.master, sizeof(original.master)) == 0);
2046
2047#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2048#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2049 TEST_ASSERT((original.peer_cert == NULL) ==
2050 (restored.peer_cert == NULL));
2051 if (original.peer_cert != NULL) {
2052 TEST_ASSERT(original.peer_cert->raw.len ==
2053 restored.peer_cert->raw.len);
2054 TEST_ASSERT(memcmp(original.peer_cert->raw.p,
2055 restored.peer_cert->raw.p,
2056 original.peer_cert->raw.len) == 0);
2057 }
2058#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2059 TEST_ASSERT(original.peer_cert_digest_type ==
2060 restored.peer_cert_digest_type);
2061 TEST_ASSERT(original.peer_cert_digest_len ==
2062 restored.peer_cert_digest_len);
2063 TEST_ASSERT((original.peer_cert_digest == NULL) ==
2064 (restored.peer_cert_digest == NULL));
2065 if (original.peer_cert_digest != NULL) {
2066 TEST_ASSERT(memcmp(original.peer_cert_digest,
2067 restored.peer_cert_digest,
2068 original.peer_cert_digest_len) == 0);
2069 }
2070#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2071#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2072 TEST_ASSERT(original.verify_result == restored.verify_result);
2073
2074#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2075 TEST_ASSERT(original.mfl_code == restored.mfl_code);
2076#endif
2077
2078#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2079 TEST_ASSERT(original.encrypt_then_mac == restored.encrypt_then_mac);
2080#endif
2081#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
2082 TEST_ASSERT(original.ticket_len == restored.ticket_len);
2083 if (original.ticket_len != 0) {
2084 TEST_ASSERT(original.ticket != NULL);
2085 TEST_ASSERT(restored.ticket != NULL);
2086 TEST_ASSERT(memcmp(original.ticket,
2087 restored.ticket, original.ticket_len) == 0);
2088 }
2089 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime);
2090#endif
2091 }
2092#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2093
2094#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2095 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2096 TEST_ASSERT(original.ciphersuite == restored.ciphersuite);
2097 TEST_ASSERT(original.ticket_age_add == restored.ticket_age_add);
2098 TEST_ASSERT(original.ticket_flags == restored.ticket_flags);
2099 TEST_ASSERT(original.resumption_key_len == restored.resumption_key_len);
2100 if (original.resumption_key_len != 0) {
2101 TEST_ASSERT(original.resumption_key != NULL);
2102 TEST_ASSERT(restored.resumption_key != NULL);
2103 TEST_ASSERT(memcmp(original.resumption_key,
2104 restored.resumption_key,
2105 original.resumption_key_len) == 0);
2106 }
2107
2108#if defined(MBEDTLS_SSL_EARLY_DATA)
2109 TEST_ASSERT(
2110 original.max_early_data_size == restored.max_early_data_size);
2111#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C)
2112 if (endpoint_type == MBEDTLS_SSL_IS_SERVER) {
2113 TEST_ASSERT(original.ticket_alpn != NULL);
2114 TEST_ASSERT(restored.ticket_alpn != NULL);
2115 TEST_MEMORY_COMPARE(original.ticket_alpn, strlen(original.ticket_alpn),
2116 restored.ticket_alpn, strlen(restored.ticket_alpn));
2117 }
2118#endif
2119#endif
2120
2121#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
2122 if (endpoint_type == MBEDTLS_SSL_IS_CLIENT) {
2123#if defined(MBEDTLS_HAVE_TIME)
2124 TEST_ASSERT(original.ticket_reception_time == restored.ticket_reception_time);
2125#endif
2126 TEST_ASSERT(original.ticket_lifetime == restored.ticket_lifetime);
2127 TEST_ASSERT(original.ticket_len == restored.ticket_len);
2128 if (original.ticket_len != 0) {
2129 TEST_ASSERT(original.ticket != NULL);
2130 TEST_ASSERT(restored.ticket != NULL);
2131 TEST_ASSERT(memcmp(original.ticket,
2132 restored.ticket,
2133 original.ticket_len) == 0);
2134 }
2135
2136 }
2137#endif
2138 }
2139#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2140
2141#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2142 TEST_ASSERT(original.record_size_limit == restored.record_size_limit);
2143#endif
2144
2145exit:
2146 mbedtls_ssl_session_free(&original);
2147 mbedtls_ssl_session_free(&restored);
2148 mbedtls_free(buf);
2149 USE_PSA_DONE();
2150}
2151/* END_CASE */
2152
2153/* BEGIN_CASE */
2154void ssl_serialize_session_load_save(int ticket_len, char *crt_file,
2155 int endpoint_type, int tls_version)
2156{
2157 mbedtls_ssl_session session;
2158 unsigned char *buf1 = NULL, *buf2 = NULL;
2159 size_t len0, len1, len2;
2160
2161 /*
2162 * Test that a load-save pair is the identity
2163 */
2164 mbedtls_ssl_session_init(&session);
2165 USE_PSA_INIT();
2166
2167 /* Prepare a dummy session to work on */
2168 ((void) ticket_len);
2169 ((void) crt_file);
2170
2171 switch (tls_version) {
2172#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2173 case MBEDTLS_SSL_VERSION_TLS1_3:
2174 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2175 &session, 0, endpoint_type) == 0);
2176 break;
2177#endif
2178
2179#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2180 case MBEDTLS_SSL_VERSION_TLS1_2:
2181 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2182 &session, ticket_len, endpoint_type, crt_file) == 0);
2183 break;
2184#endif
2185 default:
2186 /* should never happen */
2187 TEST_ASSERT(0);
2188 break;
2189 }
2190
2191 /* Get desired buffer size for serializing */
2192 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &len0)
2193 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
2194
2195 /* Allocate first buffer */
2196 buf1 = mbedtls_calloc(1, len0);
2197 TEST_ASSERT(buf1 != NULL);
2198
2199 /* Serialize to buffer and free live session */
2200 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf1, len0, &len1)
2201 == 0);
2202 TEST_ASSERT(len0 == len1);
2203 mbedtls_ssl_session_free(&session);
2204
2205 /* Restore session from serialized data */
2206 TEST_ASSERT(mbedtls_ssl_session_load(&session, buf1, len1) == 0);
2207
2208 /* Allocate second buffer and serialize to it */
2209 buf2 = mbedtls_calloc(1, len0);
2210 TEST_ASSERT(buf2 != NULL);
2211 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf2, len0, &len2)
2212 == 0);
2213
2214 /* Make sure both serialized versions are identical */
2215 TEST_ASSERT(len1 == len2);
2216 TEST_ASSERT(memcmp(buf1, buf2, len1) == 0);
2217
2218exit:
2219 mbedtls_ssl_session_free(&session);
2220 mbedtls_free(buf1);
2221 mbedtls_free(buf2);
2222 USE_PSA_DONE();
2223}
2224/* END_CASE */
2225
2226/* BEGIN_CASE */
2227void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file,
2228 int endpoint_type, int tls_version)
2229{
2230 mbedtls_ssl_session session;
2231 unsigned char *buf = NULL;
2232 size_t good_len, bad_len, test_len;
2233
2234 /*
2235 * Test that session_save() fails cleanly on small buffers
2236 */
2237 mbedtls_ssl_session_init(&session);
2238 USE_PSA_INIT();
2239
2240 /* Prepare dummy session and get serialized size */
2241 ((void) ticket_len);
2242 ((void) crt_file);
2243
2244 switch (tls_version) {
2245#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2246 case MBEDTLS_SSL_VERSION_TLS1_3:
2247 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2248 &session, 0, endpoint_type) == 0);
2249 break;
2250#endif
2251#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2252 case MBEDTLS_SSL_VERSION_TLS1_2:
2253 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2254 &session, ticket_len, endpoint_type, crt_file) == 0);
2255 break;
2256#endif
2257 default:
2258 /* should never happen */
2259 TEST_ASSERT(0);
2260 break;
2261 }
2262
2263 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
2264 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
2265
2266 /* Try all possible bad lengths */
2267 for (bad_len = 1; bad_len < good_len; bad_len++) {
2268 /* Allocate exact size so that asan/valgrind can detect any overwrite */
2269 mbedtls_free(buf);
2270 buf = NULL;
2271 TEST_CALLOC(buf, bad_len);
2272 TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len,
2273 &test_len)
2274 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
2275 TEST_ASSERT(test_len == good_len);
2276 }
2277
2278exit:
2279 mbedtls_ssl_session_free(&session);
2280 mbedtls_free(buf);
2281 USE_PSA_DONE();
2282}
2283/* END_CASE */
2284
2285/* BEGIN_CASE */
2286void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file,
2287 int endpoint_type, int tls_version)
2288{
2289 mbedtls_ssl_session session;
2290 unsigned char *good_buf = NULL, *bad_buf = NULL;
2291 size_t good_len, bad_len;
2292
2293 /*
2294 * Test that session_load() fails cleanly on small buffers
2295 */
2296 mbedtls_ssl_session_init(&session);
2297 USE_PSA_INIT();
2298
2299 /* Prepare serialized session data */
2300 ((void) ticket_len);
2301 ((void) crt_file);
2302
2303 switch (tls_version) {
2304#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2305 case MBEDTLS_SSL_VERSION_TLS1_3:
2306 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2307 &session, 0, endpoint_type) == 0);
2308 break;
2309#endif
2310
2311#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2312 case MBEDTLS_SSL_VERSION_TLS1_2:
2313 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2314 &session, ticket_len, endpoint_type, crt_file) == 0);
2315 break;
2316#endif
2317
2318 default:
2319 /* should never happen */
2320 TEST_ASSERT(0);
2321 break;
2322 }
2323
2324 TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len)
2325 == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL);
2326 TEST_CALLOC(good_buf, good_len);
2327 TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len,
2328 &good_len) == 0);
2329 mbedtls_ssl_session_free(&session);
2330
2331 /* Try all possible bad lengths */
2332 for (bad_len = 0; bad_len < good_len; bad_len++) {
2333 /* Allocate exact size so that asan/valgrind can detect any overread */
2334 mbedtls_free(bad_buf);
2335 bad_buf = NULL;
2336 TEST_CALLOC_NONNULL(bad_buf, bad_len);
2337 memcpy(bad_buf, good_buf, bad_len);
2338
2339 TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len)
2340 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
2341 }
2342
2343exit:
2344 mbedtls_ssl_session_free(&session);
2345 mbedtls_free(good_buf);
2346 mbedtls_free(bad_buf);
2347 USE_PSA_DONE();
2348}
2349/* END_CASE */
2350
2351/* BEGIN_CASE */
2352void ssl_session_serialize_version_check(int corrupt_major,
2353 int corrupt_minor,
2354 int corrupt_patch,
2355 int corrupt_config,
2356 int endpoint_type,
2357 int tls_version)
2358{
2359 unsigned char serialized_session[2048];
2360 size_t serialized_session_len;
2361 unsigned cur_byte;
2362 mbedtls_ssl_session session;
2363 uint8_t should_corrupt_byte[] = { corrupt_major == 1,
2364 corrupt_minor == 1,
2365 corrupt_patch == 1,
2366 corrupt_config == 1,
2367 corrupt_config == 1 };
2368
2369 mbedtls_ssl_session_init(&session);
2370 USE_PSA_INIT();
2371
2372 switch (tls_version) {
2373#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2374 case MBEDTLS_SSL_VERSION_TLS1_3:
2375 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2376 &session, 0, endpoint_type) == 0);
2377 break;
2378#endif
2379#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2380 case MBEDTLS_SSL_VERSION_TLS1_2:
2381 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2382 &session, 0, endpoint_type, NULL) == 0);
2383
2384 break;
2385#endif
2386 default:
2387 /* should never happen */
2388 TEST_ASSERT(0);
2389 break;
2390 }
2391
2392 /* Infer length of serialized session. */
2393 TEST_ASSERT(mbedtls_ssl_session_save(&session,
2394 serialized_session,
2395 sizeof(serialized_session),
2396 &serialized_session_len) == 0);
2397
2398 mbedtls_ssl_session_free(&session);
2399
2400 /* Without any modification, we should be able to successfully
2401 * de-serialize the session - double-check that. */
2402 TEST_ASSERT(mbedtls_ssl_session_load(&session,
2403 serialized_session,
2404 serialized_session_len) == 0);
2405 mbedtls_ssl_session_free(&session);
2406
2407 /* Go through the bytes in the serialized session header and
2408 * corrupt them bit-by-bit. */
2409 for (cur_byte = 0; cur_byte < sizeof(should_corrupt_byte); cur_byte++) {
2410 int cur_bit;
2411 unsigned char *const byte = &serialized_session[cur_byte];
2412
2413 if (should_corrupt_byte[cur_byte] == 0) {
2414 continue;
2415 }
2416
2417 for (cur_bit = 0; cur_bit < CHAR_BIT; cur_bit++) {
2418 unsigned char const corrupted_bit = 0x1u << cur_bit;
2419 /* Modify a single bit in the serialized session. */
2420 *byte ^= corrupted_bit;
2421
2422 /* Attempt to deserialize */
2423 TEST_ASSERT(mbedtls_ssl_session_load(&session,
2424 serialized_session,
2425 serialized_session_len) ==
2426 MBEDTLS_ERR_SSL_VERSION_MISMATCH);
2427
2428 /* Undo the change */
2429 *byte ^= corrupted_bit;
2430 }
2431 }
2432exit:
2433 USE_PSA_DONE();
2434}
2435/* END_CASE */
2436
2437/* BEGIN_CASE */
2438void ssl_session_id_accessors_check(int tls_version)
2439{
2440 mbedtls_ssl_session session;
2441 int ciphersuite_id;
2442 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2443
2444 mbedtls_ssl_session_init(&session);
2445 USE_PSA_INIT();
2446
2447 switch (tls_version) {
2448#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2449 case MBEDTLS_SSL_VERSION_TLS1_3:
2450 ciphersuite_id = MBEDTLS_TLS1_3_AES_128_GCM_SHA256;
2451 TEST_ASSERT(mbedtls_test_ssl_tls13_populate_session(
2452 &session, 0, MBEDTLS_SSL_IS_SERVER) == 0);
2453 break;
2454#endif
2455#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2456 case MBEDTLS_SSL_VERSION_TLS1_2:
2457 ciphersuite_id = MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256;
2458 TEST_ASSERT(mbedtls_test_ssl_tls12_populate_session(
2459 &session, 0, MBEDTLS_SSL_IS_SERVER, NULL) == 0);
2460
2461 break;
2462#endif
2463 default:
2464 /* should never happen */
2465 TEST_ASSERT(0);
2466 break;
2467 }
2468 TEST_ASSERT(*mbedtls_ssl_session_get_id(&session) == session.id);
2469 TEST_ASSERT(mbedtls_ssl_session_get_id_len(&session) == session.id_len);
2470 /* mbedtls_test_ssl_tls1x_populate_session sets a mock suite-id of 0xabcd */
2471 TEST_ASSERT(mbedtls_ssl_session_get_ciphersuite_id(&session) == 0xabcd);
2472
2473 /* Test setting a reference id for tls1.3 and tls1.2 */
2474 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
2475 if (ciphersuite_info != NULL) {
2476 TEST_ASSERT(mbedtls_ssl_ciphersuite_get_id(ciphersuite_info) == ciphersuite_id);
2477 }
2478
2479exit:
2480 mbedtls_ssl_session_free(&session);
2481 USE_PSA_DONE();
2482}
2483/* END_CASE */
2484
2485/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */
2486void mbedtls_endpoint_sanity(int endpoint_type)
2487{
2488 enum { BUFFSIZE = 1024 };
2489 mbedtls_test_ssl_endpoint ep;
2490 int ret = -1;
2491 mbedtls_test_handshake_test_options options;
2492 mbedtls_test_init_handshake_options(&options);
2493 options.pk_alg = MBEDTLS_PK_RSA;
2494
2495 MD_OR_USE_PSA_INIT();
2496
2497 ret = mbedtls_test_ssl_endpoint_init(NULL, endpoint_type, &options,
2498 NULL, NULL, NULL);
2499 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);
2500
2501 ret = mbedtls_test_ssl_endpoint_certificate_init(NULL, options.pk_alg,
2502 0, 0, 0);
2503 TEST_ASSERT(MBEDTLS_ERR_SSL_BAD_INPUT_DATA == ret);
2504
2505 ret = mbedtls_test_ssl_endpoint_init(&ep, endpoint_type, &options,
2506 NULL, NULL, NULL);
2507 TEST_ASSERT(ret == 0);
2508
2509exit:
2510 mbedtls_test_ssl_endpoint_free(&ep, NULL);
2511 mbedtls_test_free_handshake_options(&options);
2512 MD_OR_USE_PSA_DONE();
2513}
2514/* END_CASE */
2515
2516/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS */
2517void move_handshake_to_state(int endpoint_type, int tls_version, int state, int need_pass)
2518{
2519 enum { BUFFSIZE = 1024 };
2520 mbedtls_test_ssl_endpoint base_ep, second_ep;
2521 int ret = -1;
2522 (void) tls_version;
2523
2524 mbedtls_test_handshake_test_options options;
2525 mbedtls_test_init_handshake_options(&options);
2526
2527 options.pk_alg = MBEDTLS_PK_RSA;
2528
2529 /*
2530 * If both TLS 1.2 and 1.3 are enabled and we want to do a TLS 1.2
2531 * handshake, force the TLS 1.2 version on endpoint under test.
2532 */
2533#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2534 if (MBEDTLS_SSL_VERSION_TLS1_2 == tls_version) {
2535 if (MBEDTLS_SSL_IS_CLIENT == endpoint_type) {
2536 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2537 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2538 } else {
2539 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2540 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2541 }
2542 }
2543#endif
2544
2545 MD_OR_USE_PSA_INIT();
2546 mbedtls_platform_zeroize(&base_ep, sizeof(base_ep));
2547 mbedtls_platform_zeroize(&second_ep, sizeof(second_ep));
2548
2549 ret = mbedtls_test_ssl_endpoint_init(&base_ep, endpoint_type, &options,
2550 NULL, NULL, NULL);
2551 TEST_ASSERT(ret == 0);
2552
2553 ret = mbedtls_test_ssl_endpoint_init(
2554 &second_ep,
2555 (endpoint_type == MBEDTLS_SSL_IS_SERVER) ?
2556 MBEDTLS_SSL_IS_CLIENT : MBEDTLS_SSL_IS_SERVER,
2557 &options, NULL, NULL, NULL);
2558
2559 TEST_ASSERT(ret == 0);
2560
2561 ret = mbedtls_test_mock_socket_connect(&(base_ep.socket),
2562 &(second_ep.socket),
2563 BUFFSIZE);
2564 TEST_ASSERT(ret == 0);
2565
2566 ret = mbedtls_test_move_handshake_to_state(&(base_ep.ssl),
2567 &(second_ep.ssl),
2568 state);
2569 if (need_pass) {
2570 TEST_ASSERT(ret == 0 ||
2571 ret == MBEDTLS_ERR_SSL_WANT_READ ||
2572 ret == MBEDTLS_ERR_SSL_WANT_WRITE);
2573 TEST_ASSERT(base_ep.ssl.state == state);
2574 } else {
2575 TEST_ASSERT(ret != 0 &&
2576 ret != MBEDTLS_ERR_SSL_WANT_READ &&
2577 ret != MBEDTLS_ERR_SSL_WANT_WRITE);
2578 TEST_ASSERT(base_ep.ssl.state != state);
2579 }
2580
2581exit:
2582 mbedtls_test_free_handshake_options(&options);
2583 mbedtls_test_ssl_endpoint_free(&base_ep, NULL);
2584 mbedtls_test_ssl_endpoint_free(&second_ep, NULL);
2585 MD_OR_USE_PSA_DONE();
2586}
2587/* END_CASE */
2588
2589/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2590void handshake_version(int dtls, int client_min_version, int client_max_version,
2591 int server_min_version, int server_max_version,
2592 int expected_negotiated_version)
2593{
2594 mbedtls_test_handshake_test_options options;
2595 mbedtls_test_init_handshake_options(&options);
2596
2597 options.client_min_version = client_min_version;
2598 options.client_max_version = client_max_version;
2599 options.server_min_version = server_min_version;
2600 options.server_max_version = server_max_version;
2601 options.expected_negotiated_version = expected_negotiated_version;
2602
2603 options.dtls = dtls;
2604 mbedtls_test_ssl_perform_handshake(&options);
2605
2606 /* The goto below is used to avoid an "unused label" warning.*/
2607 goto exit;
2608
2609exit:
2610 mbedtls_test_free_handshake_options(&options);
2611}
2612/* END_CASE */
2613
2614/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */
2615void handshake_psk_cipher(char *cipher, int pk_alg, data_t *psk_str, int dtls)
2616{
2617 mbedtls_test_handshake_test_options options;
2618 mbedtls_test_init_handshake_options(&options);
2619
2620 options.cipher = cipher;
2621 options.dtls = dtls;
2622 options.psk_str = psk_str;
2623 options.pk_alg = pk_alg;
2624
2625 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2626 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2627 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2628
2629 mbedtls_test_ssl_perform_handshake(&options);
2630
2631 /* The goto below is used to avoid an "unused label" warning.*/
2632 goto exit;
2633
2634exit:
2635 mbedtls_test_free_handshake_options(&options);
2636}
2637/* END_CASE */
2638
2639/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */
2640void handshake_cipher(char *cipher, int pk_alg, int dtls)
2641{
2642 test_handshake_psk_cipher(cipher, pk_alg, NULL, dtls);
2643
2644 /* The goto below is used to avoid an "unused label" warning.*/
2645 goto exit;
2646}
2647/* END_CASE */
2648
2649/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_MD_CAN_SHA256 */
2650void handshake_ciphersuite_select(char *cipher, int pk_alg, data_t *psk_str,
2651 int psa_alg, int psa_alg2, int psa_usage,
2652 int expected_handshake_result,
2653 int expected_ciphersuite)
2654{
2655 mbedtls_test_handshake_test_options options;
2656 mbedtls_test_init_handshake_options(&options);
2657
2658 options.cipher = cipher;
2659 options.psk_str = psk_str;
2660 options.pk_alg = pk_alg;
2661 options.opaque_alg = psa_alg;
2662 options.opaque_alg2 = psa_alg2;
2663 options.opaque_usage = psa_usage;
2664 options.expected_handshake_result = expected_handshake_result;
2665 options.expected_ciphersuite = expected_ciphersuite;
2666
2667 options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2668 options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2669 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2670
2671 mbedtls_test_ssl_perform_handshake(&options);
2672
2673 /* The goto below is used to avoid an "unused label" warning.*/
2674 goto exit;
2675
2676exit:
2677 mbedtls_test_free_handshake_options(&options);
2678}
2679/* END_CASE */
2680
2681/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */
2682void app_data(int mfl, int cli_msg_len, int srv_msg_len,
2683 int expected_cli_fragments,
2684 int expected_srv_fragments, int dtls)
2685{
2686 mbedtls_test_handshake_test_options options;
2687 mbedtls_test_init_handshake_options(&options);
2688
2689 options.mfl = mfl;
2690 options.cli_msg_len = cli_msg_len;
2691 options.srv_msg_len = srv_msg_len;
2692 options.expected_cli_fragments = expected_cli_fragments;
2693 options.expected_srv_fragments = expected_srv_fragments;
2694 options.dtls = dtls;
2695
2696 options.client_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2697 options.client_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2698 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2699
2700 mbedtls_test_ssl_perform_handshake(&options);
2701
2702 /* The goto below is used to avoid an "unused label" warning.*/
2703 goto exit;
2704
2705exit:
2706 mbedtls_test_free_handshake_options(&options);
2707}
2708/* END_CASE */
2709
2710/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_PK_HAVE_ECC_KEYS:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2711void app_data_tls(int mfl, int cli_msg_len, int srv_msg_len,
2712 int expected_cli_fragments,
2713 int expected_srv_fragments)
2714{
2715 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
2716 expected_srv_fragments, 0);
2717 /* The goto below is used to avoid an "unused label" warning.*/
2718 goto exit;
2719}
2720/* END_CASE */
2721
2722/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2723void app_data_dtls(int mfl, int cli_msg_len, int srv_msg_len,
2724 int expected_cli_fragments,
2725 int expected_srv_fragments)
2726{
2727 test_app_data(mfl, cli_msg_len, srv_msg_len, expected_cli_fragments,
2728 expected_srv_fragments, 1);
2729 /* The goto below is used to avoid an "unused label" warning.*/
2730 goto exit;
2731}
2732/* END_CASE */
2733
2734/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2735void handshake_serialization()
2736{
2737 mbedtls_test_handshake_test_options options;
2738 mbedtls_test_init_handshake_options(&options);
2739
2740 options.serialize = 1;
2741 options.dtls = 1;
2742 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2743 mbedtls_test_ssl_perform_handshake(&options);
2744 /* The goto below is used to avoid an "unused label" warning.*/
2745 goto exit;
2746exit:
2747 mbedtls_test_free_handshake_options(&options);
2748}
2749/* END_CASE */
2750
2751/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_SSL_HAVE_AES:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_MD_CAN_SHA256:MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
2752void handshake_fragmentation(int mfl,
2753 int expected_srv_hs_fragmentation,
2754 int expected_cli_hs_fragmentation)
2755{
2756 mbedtls_test_handshake_test_options options;
2757 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern;
2758
2759 srv_pattern.pattern = cli_pattern.pattern = "found fragmented DTLS handshake";
2760 srv_pattern.counter = 0;
2761 cli_pattern.counter = 0;
2762
2763 mbedtls_test_init_handshake_options(&options);
2764 options.dtls = 1;
2765 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2766 options.mfl = mfl;
2767 /* Set cipher to one using CBC so that record splitting can be tested */
2768 options.cipher = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256";
2769 options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
2770 options.srv_log_obj = &srv_pattern;
2771 options.cli_log_obj = &cli_pattern;
2772 options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
2773 options.cli_log_fun = mbedtls_test_ssl_log_analyzer;
2774
2775 mbedtls_test_ssl_perform_handshake(&options);
2776
2777 /* Test if the server received a fragmented handshake */
2778 if (expected_srv_hs_fragmentation) {
2779 TEST_ASSERT(srv_pattern.counter >= 1);
2780 }
2781 /* Test if the client received a fragmented handshake */
2782 if (expected_cli_hs_fragmentation) {
2783 TEST_ASSERT(cli_pattern.counter >= 1);
2784 }
2785
2786exit:
2787 mbedtls_test_free_handshake_options(&options);
2788}
2789/* END_CASE */
2790
2791/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2792void renegotiation(int legacy_renegotiation)
2793{
2794 mbedtls_test_handshake_test_options options;
2795 mbedtls_test_init_handshake_options(&options);
2796
2797 options.renegotiate = 1;
2798 options.legacy_renegotiation = legacy_renegotiation;
2799 options.dtls = 1;
2800 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2801
2802 mbedtls_test_ssl_perform_handshake(&options);
2803
2804 /* The goto below is used to avoid an "unused label" warning.*/
2805 goto exit;
2806exit:
2807 mbedtls_test_free_handshake_options(&options);
2808}
2809/* END_CASE */
2810
2811/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256 */
2812void resize_buffers(int mfl, int renegotiation, int legacy_renegotiation,
2813 int serialize, int dtls, char *cipher)
2814{
2815 mbedtls_test_handshake_test_options options;
2816 mbedtls_test_init_handshake_options(&options);
2817
2818 options.mfl = mfl;
2819 options.cipher = cipher;
2820 options.renegotiate = renegotiation;
2821 options.legacy_renegotiation = legacy_renegotiation;
2822 options.serialize = serialize;
2823 options.dtls = dtls;
2824 if (dtls) {
2825 options.expected_negotiated_version = MBEDTLS_SSL_VERSION_TLS1_2;
2826 }
2827 options.resize_buffers = 1;
2828
2829 mbedtls_test_ssl_perform_handshake(&options);
2830
2831 /* The goto below is used to avoid an "unused label" warning.*/
2832 goto exit;
2833exit:
2834 mbedtls_test_free_handshake_options(&options);
2835}
2836/* END_CASE */
2837
2838/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2839void resize_buffers_serialize_mfl(int mfl)
2840{
2841 test_resize_buffers(mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1,
2842 (char *) "");
2843 /* The goto below is used to avoid an "unused label" warning.*/
2844 goto exit;
2845}
2846/* END_CASE */
2847
2848/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA256:MBEDTLS_CAN_HANDLE_RSA_TEST_KEY */
2849void resize_buffers_renegotiate_mfl(int mfl, int legacy_renegotiation,
2850 char *cipher)
2851{
2852 test_resize_buffers(mfl, 1, legacy_renegotiation, 0, 1, cipher);
2853 /* The goto below is used to avoid an "unused label" warning.*/
2854 goto exit;
2855}
2856/* END_CASE */
2857
2858/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2859void test_multiple_psks()
2860{
2861 unsigned char psk0[10] = { 0 };
2862 unsigned char psk0_identity[] = { 'f', 'o', 'o' };
2863
2864 unsigned char psk1[10] = { 0 };
2865 unsigned char psk1_identity[] = { 'b', 'a', 'r' };
2866
2867 mbedtls_ssl_config conf;
2868
2869 mbedtls_ssl_config_init(&conf);
2870 MD_OR_USE_PSA_INIT();
2871
2872 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
2873 psk0, sizeof(psk0),
2874 psk0_identity, sizeof(psk0_identity)) == 0);
2875 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
2876 psk1, sizeof(psk1),
2877 psk1_identity, sizeof(psk1_identity)) ==
2878 MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
2879
2880exit:
2881 mbedtls_ssl_config_free(&conf);
2882 MD_OR_USE_PSA_DONE();
2883}
2884/* END_CASE */
2885
2886/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
2887void test_multiple_psks_opaque(int mode)
2888{
2889 /*
2890 * Mode 0: Raw PSK, then opaque PSK
2891 * Mode 1: Opaque PSK, then raw PSK
2892 * Mode 2: 2x opaque PSK
2893 */
2894
2895 unsigned char psk0_raw[10] = { 0 };
2896 unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' };
2897
2898 mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 1);
2899
2900 unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' };
2901
2902 unsigned char psk1_raw[10] = { 0 };
2903 unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' };
2904
2905 mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make(0x1, (psa_key_id_t) 2);
2906
2907 unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' };
2908
2909 mbedtls_ssl_config conf;
2910
2911 mbedtls_ssl_config_init(&conf);
2912 MD_OR_USE_PSA_INIT();
2913
2914 switch (mode) {
2915 case 0:
2916
2917 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
2918 psk0_raw, sizeof(psk0_raw),
2919 psk0_raw_identity, sizeof(psk0_raw_identity))
2920 == 0);
2921 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
2922 psk1_opaque,
2923 psk1_opaque_identity,
2924 sizeof(psk1_opaque_identity))
2925 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
2926 break;
2927
2928 case 1:
2929
2930 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
2931 psk0_opaque,
2932 psk0_opaque_identity,
2933 sizeof(psk0_opaque_identity))
2934 == 0);
2935 TEST_ASSERT(mbedtls_ssl_conf_psk(&conf,
2936 psk1_raw, sizeof(psk1_raw),
2937 psk1_raw_identity, sizeof(psk1_raw_identity))
2938 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
2939
2940 break;
2941
2942 case 2:
2943
2944 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
2945 psk0_opaque,
2946 psk0_opaque_identity,
2947 sizeof(psk0_opaque_identity))
2948 == 0);
2949 TEST_ASSERT(mbedtls_ssl_conf_psk_opaque(&conf,
2950 psk1_opaque,
2951 psk1_opaque_identity,
2952 sizeof(psk1_opaque_identity))
2953 == MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
2954
2955 break;
2956
2957 default:
2958 TEST_ASSERT(0);
2959 break;
2960 }
2961
2962exit:
2963 mbedtls_ssl_config_free(&conf);
2964 MD_OR_USE_PSA_DONE();
2965
2966}
2967/* END_CASE */
2968
2969/* BEGIN_CASE */
2970void conf_version(int endpoint, int transport,
2971 int min_tls_version, int max_tls_version,
2972 int expected_ssl_setup_result)
2973{
2974 mbedtls_ssl_config conf;
2975 mbedtls_ssl_context ssl;
2976
2977 mbedtls_ssl_config_init(&conf);
2978 mbedtls_ssl_init(&ssl);
2979 MD_OR_USE_PSA_INIT();
2980
2981 mbedtls_ssl_conf_endpoint(&conf, endpoint);
2982 mbedtls_ssl_conf_transport(&conf, transport);
2983 mbedtls_ssl_conf_min_tls_version(&conf, min_tls_version);
2984 mbedtls_ssl_conf_max_tls_version(&conf, max_tls_version);
2985 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
2986
2987 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == expected_ssl_setup_result);
2988 TEST_EQUAL(mbedtls_ssl_conf_get_endpoint(
2989 mbedtls_ssl_context_get_config(&ssl)), endpoint);
2990
2991 mbedtls_ssl_free(&ssl);
2992 mbedtls_ssl_config_free(&conf);
2993
2994exit:
2995 MD_OR_USE_PSA_DONE();
2996}
2997/* END_CASE */
2998
2999/* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:MBEDTLS_ECP_HAVE_SECP192R1:MBEDTLS_ECP_HAVE_SECP224R1:MBEDTLS_ECP_HAVE_SECP256R1 */
3000void conf_curve()
3001{
3002
3003 mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1,
3004 MBEDTLS_ECP_DP_SECP224R1,
3005 MBEDTLS_ECP_DP_SECP256R1,
3006 MBEDTLS_ECP_DP_NONE };
3007 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
3008 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
3009 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
3010 MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
3011
3012 mbedtls_ssl_config conf;
3013 mbedtls_ssl_config_init(&conf);
3014#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3015 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
3016 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
3017#else
3018 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
3019 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
3020#endif
3021 mbedtls_ssl_conf_curves(&conf, curve_list);
3022
3023 mbedtls_ssl_context ssl;
3024 mbedtls_ssl_init(&ssl);
3025 MD_OR_USE_PSA_INIT();
3026
3027 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
3028
3029 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
3030
3031 TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL);
3032 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list == NULL);
3033
3034 TEST_EQUAL(ssl.handshake->
3035 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1],
3036 MBEDTLS_SSL_IANA_TLS_GROUP_NONE);
3037
3038 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) {
3039 TEST_EQUAL(iana_tls_group_list[i], ssl.handshake->group_list[i]);
3040 }
3041
3042exit:
3043 mbedtls_ssl_free(&ssl);
3044 mbedtls_ssl_config_free(&conf);
3045 MD_OR_USE_PSA_DONE();
3046}
3047/* END_CASE */
3048
3049/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */
3050void conf_group()
3051{
3052 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
3053 MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
3054 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
3055 MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
3056
3057 mbedtls_ssl_config conf;
3058 mbedtls_ssl_config_init(&conf);
3059
3060 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
3061 mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
3062 mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2);
3063
3064 mbedtls_ssl_conf_groups(&conf, iana_tls_group_list);
3065
3066 mbedtls_ssl_context ssl;
3067 mbedtls_ssl_init(&ssl);
3068 MD_OR_USE_PSA_INIT();
3069
3070 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
3071
3072 TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list != NULL);
3073
3074 TEST_EQUAL(ssl.conf->
3075 group_list[ARRAY_LENGTH(iana_tls_group_list) - 1],
3076 MBEDTLS_SSL_IANA_TLS_GROUP_NONE);
3077
3078 for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) {
3079 TEST_EQUAL(iana_tls_group_list[i], ssl.conf->group_list[i]);
3080 }
3081
3082exit:
3083 mbedtls_ssl_free(&ssl);
3084 mbedtls_ssl_config_free(&conf);
3085 MD_OR_USE_PSA_DONE();
3086}
3087/* END_CASE */
3088
3089/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_CACHE_C:!MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_DEBUG_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256 */
3090void force_bad_session_id_len()
3091{
3092 enum { BUFFSIZE = 1024 };
3093 mbedtls_test_handshake_test_options options;
3094 mbedtls_test_ssl_endpoint client, server;
3095 mbedtls_test_ssl_log_pattern srv_pattern, cli_pattern;
3096 mbedtls_test_message_socket_context server_context, client_context;
3097
3098 srv_pattern.pattern = cli_pattern.pattern = "cache did not store session";
3099 srv_pattern.counter = 0;
3100 mbedtls_test_init_handshake_options(&options);
3101
3102 options.srv_log_obj = &srv_pattern;
3103 options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
3104
3105 mbedtls_platform_zeroize(&client, sizeof(client));
3106 mbedtls_platform_zeroize(&server, sizeof(server));
3107
3108 mbedtls_test_message_socket_init(&server_context);
3109 mbedtls_test_message_socket_init(&client_context);
3110 MD_OR_USE_PSA_INIT();
3111
3112 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
3113 &options, NULL, NULL,
3114 NULL) == 0);
3115
3116 TEST_ASSERT(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
3117 &options, NULL, NULL, NULL) == 0);
3118
3119 mbedtls_debug_set_threshold(1);
3120 mbedtls_ssl_conf_dbg(&server.conf, options.srv_log_fun,
3121 options.srv_log_obj);
3122
3123 TEST_ASSERT(mbedtls_test_mock_socket_connect(&(client.socket),
3124 &(server.socket),
3125 BUFFSIZE) == 0);
3126
3127 TEST_ASSERT(mbedtls_test_move_handshake_to_state(
3128 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_WRAPUP)
3129 == 0);
3130 /* Force a bad session_id_len that will be read by the server in
3131 * mbedtls_ssl_cache_set. */
3132 server.ssl.session_negotiate->id_len = 33;
3133 if (options.cli_msg_len != 0 || options.srv_msg_len != 0) {
3134 /* Start data exchanging test */
3135 TEST_ASSERT(mbedtls_test_ssl_exchange_data(
3136 &(client.ssl), options.cli_msg_len,
3137 options.expected_cli_fragments,
3138 &(server.ssl), options.srv_msg_len,
3139 options.expected_srv_fragments)
3140 == 0);
3141 }
3142
3143 /* Make sure that the cache did not store the session */
3144 TEST_EQUAL(srv_pattern.counter, 1);
3145exit:
3146 mbedtls_test_ssl_endpoint_free(&client, NULL);
3147 mbedtls_test_ssl_endpoint_free(&server, NULL);
3148 mbedtls_test_free_handshake_options(&options);
3149 mbedtls_debug_set_threshold(0);
3150 MD_OR_USE_PSA_DONE();
3151}
3152/* END_CASE */
3153
3154/* BEGIN_CASE depends_on:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE:MBEDTLS_TEST_HOOKS */
3155void cookie_parsing(data_t *cookie, int exp_ret)
3156{
3157 mbedtls_ssl_context ssl;
3158 mbedtls_ssl_config conf;
3159 size_t len;
3160
3161 mbedtls_ssl_init(&ssl);
3162 mbedtls_ssl_config_init(&conf);
3163 USE_PSA_INIT();
3164
3165 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_SERVER,
3166 MBEDTLS_SSL_TRANSPORT_DATAGRAM,
3167 MBEDTLS_SSL_PRESET_DEFAULT),
3168 0);
3169 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
3170
3171 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
3172 TEST_EQUAL(mbedtls_ssl_check_dtls_clihlo_cookie(&ssl, ssl.cli_id,
3173 ssl.cli_id_len,
3174 cookie->x, cookie->len,
3175 ssl.out_buf,
3176 MBEDTLS_SSL_OUT_CONTENT_LEN,
3177 &len),
3178 exp_ret);
3179
3180exit:
3181 mbedtls_ssl_free(&ssl);
3182 mbedtls_ssl_config_free(&conf);
3183 USE_PSA_DONE();
3184}
3185/* END_CASE */
3186
3187/* BEGIN_CASE depends_on:MBEDTLS_TIMING_C:MBEDTLS_HAVE_TIME */
3188void timing_final_delay_accessor()
3189{
3190 mbedtls_timing_delay_context delay_context;
3191
3192 USE_PSA_INIT();
3193 mbedtls_timing_set_delay(&delay_context, 50, 100);
3194
3195 TEST_ASSERT(mbedtls_timing_get_final_delay(&delay_context) == 100);
3196
3197exit:
3198 USE_PSA_DONE();
3199}
3200/* END_CASE */
3201
3202/* BEGIN_CASE depends_on:MBEDTLS_SSL_DTLS_CONNECTION_ID */
3203void cid_sanity()
3204{
3205 mbedtls_ssl_context ssl;
3206 mbedtls_ssl_config conf;
3207
3208 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
3209 unsigned char test_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
3210 int cid_enabled;
3211 size_t own_cid_len;
3212
3213 mbedtls_test_rnd_std_rand(NULL, own_cid, sizeof(own_cid));
3214
3215 mbedtls_ssl_init(&ssl);
3216 mbedtls_ssl_config_init(&conf);
3217 MD_OR_USE_PSA_INIT();
3218
3219 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
3220 MBEDTLS_SSL_IS_CLIENT,
3221 MBEDTLS_SSL_TRANSPORT_STREAM,
3222 MBEDTLS_SSL_PRESET_DEFAULT)
3223 == 0);
3224 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
3225
3226 TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0);
3227
3228 /* Can't use CID functions with stream transport. */
3229 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
3230 sizeof(own_cid))
3231 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3232
3233 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
3234 &own_cid_len)
3235 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3236
3237 TEST_ASSERT(mbedtls_ssl_config_defaults(&conf,
3238 MBEDTLS_SSL_IS_CLIENT,
3239 MBEDTLS_SSL_TRANSPORT_DATAGRAM,
3240 MBEDTLS_SSL_PRESET_DEFAULT)
3241 == 0);
3242
3243 /* Attempt to set config cid size too big. */
3244 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, MBEDTLS_SSL_CID_IN_LEN_MAX + 1,
3245 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE)
3246 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3247
3248 TEST_ASSERT(mbedtls_ssl_conf_cid(&conf, sizeof(own_cid),
3249 MBEDTLS_SSL_UNEXPECTED_CID_IGNORE)
3250 == 0);
3251
3252 /* Attempt to set CID length not matching config. */
3253 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
3254 MBEDTLS_SSL_CID_IN_LEN_MAX - 1)
3255 == MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3256
3257 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_ENABLED, own_cid,
3258 sizeof(own_cid))
3259 == 0);
3260
3261 /* Test we get back what we put in. */
3262 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
3263 &own_cid_len)
3264 == 0);
3265
3266 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_ENABLED);
3267 TEST_MEMORY_COMPARE(own_cid, own_cid_len, test_cid, own_cid_len);
3268
3269 /* Test disabling works. */
3270 TEST_ASSERT(mbedtls_ssl_set_cid(&ssl, MBEDTLS_SSL_CID_DISABLED, NULL,
3271 0)
3272 == 0);
3273
3274 TEST_ASSERT(mbedtls_ssl_get_own_cid(&ssl, &cid_enabled, test_cid,
3275 &own_cid_len)
3276 == 0);
3277
3278 TEST_EQUAL(cid_enabled, MBEDTLS_SSL_CID_DISABLED);
3279
3280exit:
3281 mbedtls_ssl_free(&ssl);
3282 mbedtls_ssl_config_free(&conf);
3283 MD_OR_USE_PSA_DONE();
3284}
3285/* END_CASE */
3286
3287/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_RSA_C:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_SOME */
3288void raw_key_agreement_fail(int bad_server_ecdhe_key)
3289{
3290 enum { BUFFSIZE = 17000 };
3291 mbedtls_test_ssl_endpoint client, server;
3292 mbedtls_psa_stats_t stats;
3293 size_t free_slots_before = -1;
3294 mbedtls_test_handshake_test_options client_options, server_options;
3295 mbedtls_test_init_handshake_options(&client_options);
3296 mbedtls_test_init_handshake_options(&server_options);
3297
3298 uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
3299 MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
3300 MD_OR_USE_PSA_INIT();
3301 mbedtls_platform_zeroize(&client, sizeof(client));
3302 mbedtls_platform_zeroize(&server, sizeof(server));
3303
3304 /* Client side, force SECP256R1 to make one key bitflip fail
3305 * the raw key agreement. Flipping the first byte makes the
3306 * required 0x04 identifier invalid. */
3307 client_options.pk_alg = MBEDTLS_PK_ECDSA;
3308 client_options.group_list = iana_tls_group_list;
3309 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&client, MBEDTLS_SSL_IS_CLIENT,
3310 &client_options, NULL, NULL,
3311 NULL), 0);
3312
3313 /* Server side */
3314 server_options.pk_alg = MBEDTLS_PK_ECDSA;
3315 server_options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2;
3316 server_options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2;
3317 TEST_EQUAL(mbedtls_test_ssl_endpoint_init(&server, MBEDTLS_SSL_IS_SERVER,
3318 &server_options, NULL, NULL,
3319 NULL), 0);
3320
3321 TEST_EQUAL(mbedtls_test_mock_socket_connect(&(client.socket),
3322 &(server.socket),
3323 BUFFSIZE), 0);
3324
3325 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
3326 &(client.ssl), &(server.ssl),
3327 MBEDTLS_SSL_CLIENT_KEY_EXCHANGE), 0);
3328
3329 mbedtls_psa_get_stats(&stats);
3330 /* Save the number of slots in use up to this point.
3331 * With PSA, one can be used for the ECDH private key. */
3332 free_slots_before = stats.empty_slots;
3333
3334 if (bad_server_ecdhe_key) {
3335 /* Force a simulated bitflip in the server key. to make the
3336 * raw key agreement in ssl_write_client_key_exchange fail. */
3337 (client.ssl).handshake->xxdh_psa_peerkey[0] ^= 0x02;
3338 }
3339
3340 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
3341 &(client.ssl), &(server.ssl), MBEDTLS_SSL_HANDSHAKE_OVER),
3342 bad_server_ecdhe_key ? MBEDTLS_ERR_SSL_HW_ACCEL_FAILED : 0);
3343
3344 mbedtls_psa_get_stats(&stats);
3345
3346 /* Make sure that the key slot is already destroyed in case of failure,
3347 * without waiting to close the connection. */
3348 if (bad_server_ecdhe_key) {
3349 TEST_EQUAL(free_slots_before, stats.empty_slots);
3350 }
3351
3352exit:
3353 mbedtls_test_ssl_endpoint_free(&client, NULL);
3354 mbedtls_test_ssl_endpoint_free(&server, NULL);
3355 mbedtls_test_free_handshake_options(&client_options);
3356 mbedtls_test_free_handshake_options(&server_options);
3357
3358 MD_OR_USE_PSA_DONE();
3359}
3360/* END_CASE */
3361/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS:MBEDTLS_SSL_PROTO_TLS1_3:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_ECP_HAVE_SECP384R1 */
3362void tls13_server_certificate_msg_invalid_vector_len()
3363{
3364 int ret = -1;
3365 mbedtls_test_ssl_endpoint client_ep, server_ep;
3366 unsigned char *buf, *end;
3367 size_t buf_len;
3368 int step = 0;
3369 int expected_result;
3370 mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
3371 mbedtls_test_handshake_test_options client_options;
3372 mbedtls_test_handshake_test_options server_options;
3373
3374 /*
3375 * Test set-up
3376 */
3377 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
3378 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
3379
3380 mbedtls_test_init_handshake_options(&client_options);
3381 MD_OR_USE_PSA_INIT();
3382
3383 client_options.pk_alg = MBEDTLS_PK_ECDSA;
3384 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
3385 &client_options, NULL, NULL, NULL);
3386 TEST_EQUAL(ret, 0);
3387
3388 mbedtls_test_init_handshake_options(&server_options);
3389 server_options.pk_alg = MBEDTLS_PK_ECDSA;
3390 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
3391 &server_options, NULL, NULL, NULL);
3392 TEST_EQUAL(ret, 0);
3393
3394 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
3395 &(server_ep.socket), 1024);
3396 TEST_EQUAL(ret, 0);
3397
3398 while (1) {
3399 mbedtls_test_set_step(++step);
3400
3401 ret = mbedtls_test_move_handshake_to_state(
3402 &(server_ep.ssl), &(client_ep.ssl),
3403 MBEDTLS_SSL_CERTIFICATE_VERIFY);
3404 TEST_EQUAL(ret, 0);
3405
3406 ret = mbedtls_ssl_flush_output(&(server_ep.ssl));
3407 TEST_EQUAL(ret, 0);
3408
3409 ret = mbedtls_test_move_handshake_to_state(
3410 &(client_ep.ssl), &(server_ep.ssl),
3411 MBEDTLS_SSL_SERVER_CERTIFICATE);
3412 TEST_EQUAL(ret, 0);
3413
3414 ret = mbedtls_ssl_tls13_fetch_handshake_msg(&(client_ep.ssl),
3415 MBEDTLS_SSL_HS_CERTIFICATE,
3416 &buf, &buf_len);
3417 TEST_EQUAL(ret, 0);
3418
3419 end = buf + buf_len;
3420
3421 /*
3422 * Tweak server Certificate message and parse it.
3423 */
3424
3425 ret = mbedtls_test_tweak_tls13_certificate_msg_vector_len(
3426 buf, &end, step, &expected_result, &expected_chk_buf_ptr_args);
3427
3428 if (ret != 0) {
3429 break;
3430 }
3431
3432 ret = mbedtls_ssl_tls13_parse_certificate(&(client_ep.ssl), buf, end);
3433 TEST_EQUAL(ret, expected_result);
3434
3435 TEST_ASSERT(mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
3436 &expected_chk_buf_ptr_args) == 0);
3437
3438 mbedtls_ssl_reset_chk_buf_ptr_fail_args();
3439
3440 ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
3441 TEST_EQUAL(ret, 0);
3442
3443 ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
3444 TEST_EQUAL(ret, 0);
3445 }
3446
3447exit:
3448 mbedtls_ssl_reset_chk_buf_ptr_fail_args();
3449 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
3450 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
3451 mbedtls_test_free_handshake_options(&client_options);
3452 mbedtls_test_free_handshake_options(&server_options);
3453 MD_OR_USE_PSA_DONE();
3454}
3455/* END_CASE */
3456
3457/* BEGIN_CASE depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3458void ssl_ecjpake_set_password(int use_opaque_arg)
3459{
3460 mbedtls_ssl_context ssl;
3461 mbedtls_ssl_config conf;
3462#if defined(MBEDTLS_USE_PSA_CRYPTO)
3463 mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT;
3464#else /* MBEDTLS_USE_PSA_CRYPTO */
3465 (void) use_opaque_arg;
3466#endif /* MBEDTLS_USE_PSA_CRYPTO */
3467 unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = "";
3468 size_t pwd_len = 0;
3469 int ret;
3470
3471 mbedtls_ssl_init(&ssl);
3472 MD_OR_USE_PSA_INIT();
3473
3474 /* test with uninitalized SSL context */
3475 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3476
3477 mbedtls_ssl_config_init(&conf);
3478
3479 TEST_EQUAL(mbedtls_ssl_config_defaults(&conf,
3480 MBEDTLS_SSL_IS_CLIENT,
3481 MBEDTLS_SSL_TRANSPORT_STREAM,
3482 MBEDTLS_SSL_PRESET_DEFAULT), 0);
3483 mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL);
3484
3485 TEST_EQUAL(mbedtls_ssl_setup(&ssl, &conf), 0);
3486
3487 /* test with empty password or unitialized password key (depending on use_opaque_arg) */
3488 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
3489
3490 pwd_len = strlen(ECJPAKE_TEST_PWD);
3491 memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len);
3492
3493#if defined(MBEDTLS_USE_PSA_CRYPTO)
3494 if (use_opaque_arg) {
3495 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
3496 psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
3497
3498 /* First try with an invalid usage */
3499 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
3500 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
3501 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
3502
3503 PSA_ASSERT(psa_import_key(&attributes, pwd_string,
3504 pwd_len, &pwd_slot));
3505
3506 ECJPAKE_TEST_SET_PASSWORD(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED);
3507
3508 /* check that the opaque key is still valid after failure */
3509 TEST_EQUAL(psa_get_key_attributes(pwd_slot, &check_attributes),
3510 PSA_SUCCESS);
3511
3512 psa_destroy_key(pwd_slot);
3513
3514 /* Then set the correct usage */
3515 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
3516
3517 PSA_ASSERT(psa_import_key(&attributes, pwd_string,
3518 pwd_len, &pwd_slot));
3519 }
3520#endif /* MBEDTLS_USE_PSA_CRYPTO */
3521
3522 /* final check which should work without errors */
3523 ECJPAKE_TEST_SET_PASSWORD(0);
3524
3525#if defined(MBEDTLS_USE_PSA_CRYPTO)
3526 if (use_opaque_arg) {
3527 psa_destroy_key(pwd_slot);
3528 }
3529#endif /* MBEDTLS_USE_PSA_CRYPTO */
3530 mbedtls_ssl_free(&ssl);
3531 mbedtls_ssl_config_free(&conf);
3532
3533 MD_OR_USE_PSA_DONE();
3534}
3535/* END_CASE */
3536
3537/* BEGIN_CASE */
3538void elliptic_curve_get_properties()
3539{
3540 psa_key_type_t psa_type = PSA_KEY_TYPE_NONE;
3541 size_t psa_bits;
3542
3543 MD_OR_USE_PSA_INIT();
3544
3545#if defined(MBEDTLS_ECP_HAVE_SECP521R1) || defined(PSA_WANT_ECC_SECP_R1_521)
3546 TEST_AVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521);
3547#else
3548 TEST_UNAVAILABLE_ECC(25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521);
3549#endif
3550#if defined(MBEDTLS_ECP_HAVE_BP512R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
3551 TEST_AVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512);
3552#else
3553 TEST_UNAVAILABLE_ECC(28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512);
3554#endif
3555#if defined(MBEDTLS_ECP_HAVE_SECP384R1) || defined(PSA_WANT_ECC_SECP_R1_384)
3556 TEST_AVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384);
3557#else
3558 TEST_UNAVAILABLE_ECC(24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384);
3559#endif
3560#if defined(MBEDTLS_ECP_HAVE_BP384R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
3561 TEST_AVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384);
3562#else
3563 TEST_UNAVAILABLE_ECC(27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384);
3564#endif
3565#if defined(MBEDTLS_ECP_HAVE_SECP256R1) || defined(PSA_WANT_ECC_SECP_R1_256)
3566 TEST_AVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256);
3567#else
3568 TEST_UNAVAILABLE_ECC(23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256);
3569#endif
3570#if defined(MBEDTLS_ECP_HAVE_SECP256K1) || defined(PSA_WANT_ECC_SECP_K1_256)
3571 TEST_AVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256);
3572#else
3573 TEST_UNAVAILABLE_ECC(22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256);
3574#endif
3575#if defined(MBEDTLS_ECP_HAVE_BP256R1) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
3576 TEST_AVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
3577#else
3578 TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
3579#endif
3580#if defined(MBEDTLS_ECP_HAVE_SECP224R1) || defined(PSA_WANT_ECC_SECP_R1_224)
3581 TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
3582#else
3583 TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
3584#endif
3585#if defined(MBEDTLS_ECP_HAVE_SECP224K1) || defined(PSA_WANT_ECC_SECP_K1_224)
3586 TEST_AVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
3587#else
3588 TEST_UNAVAILABLE_ECC(20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224);
3589#endif
3590#if defined(MBEDTLS_ECP_HAVE_SECP192R1) || defined(PSA_WANT_ECC_SECP_R1_192)
3591 TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
3592#else
3593 TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
3594#endif
3595#if defined(MBEDTLS_ECP_HAVE_SECP192K1) || defined(PSA_WANT_ECC_SECP_K1_192)
3596 TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
3597#else
3598 TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
3599#endif
3600#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(PSA_WANT_ECC_MONTGOMERY_255)
3601 TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
3602#else
3603 TEST_UNAVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
3604#endif
3605#if defined(MBEDTLS_ECP_HAVE_CURVE448) || defined(PSA_WANT_ECC_MONTGOMERY_448)
3606 TEST_AVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448);
3607#else
3608 TEST_UNAVAILABLE_ECC(30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448);
3609#endif
3610 goto exit;
3611exit:
3612 MD_OR_USE_PSA_DONE();
3613}
3614/* END_CASE */
3615
3616/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
3617void tls13_resume_session_with_ticket()
3618{
3619 int ret = -1;
3620 mbedtls_test_ssl_endpoint client_ep, server_ep;
3621 mbedtls_test_handshake_test_options client_options;
3622 mbedtls_test_handshake_test_options server_options;
3623 mbedtls_ssl_session saved_session;
3624
3625 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
3626 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
3627 mbedtls_test_init_handshake_options(&client_options);
3628 mbedtls_test_init_handshake_options(&server_options);
3629 mbedtls_ssl_session_init(&saved_session);
3630
3631 PSA_INIT();
3632
3633 /*
3634 * Run first handshake to get a ticket from the server.
3635 */
3636 client_options.pk_alg = MBEDTLS_PK_ECDSA;
3637 server_options.pk_alg = MBEDTLS_PK_ECDSA;
3638
3639 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
3640 &saved_session);
3641 TEST_EQUAL(ret, 0);
3642
3643 /*
3644 * Prepare for handshake with the ticket.
3645 */
3646 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
3647 &client_options, NULL, NULL, NULL);
3648 TEST_EQUAL(ret, 0);
3649
3650 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
3651 &server_options, NULL, NULL, NULL);
3652 TEST_EQUAL(ret, 0);
3653
3654 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
3655 mbedtls_test_ticket_write,
3656 mbedtls_test_ticket_parse,
3657 NULL);
3658 TEST_EQUAL(ret, 0);
3659
3660 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
3661 &(server_ep.socket), 1024);
3662 TEST_EQUAL(ret, 0);
3663
3664 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
3665 TEST_EQUAL(ret, 0);
3666
3667 /*
3668 * Handshake with ticket.
3669 *
3670 * Run the handshake up to MBEDTLS_SSL_HANDSHAKE_WRAPUP and not
3671 * MBEDTLS_SSL_HANDSHAKE_OVER to preserve handshake data for the checks
3672 * below.
3673 */
3674 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
3675 &(server_ep.ssl), &(client_ep.ssl),
3676 MBEDTLS_SSL_HANDSHAKE_WRAPUP), 0);
3677
3678 TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
3679 TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
3680 TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
3681 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
3682
3683exit:
3684 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
3685 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
3686 mbedtls_test_free_handshake_options(&client_options);
3687 mbedtls_test_free_handshake_options(&server_options);
3688 mbedtls_ssl_session_free(&saved_session);
3689 PSA_DONE();
3690}
3691/* END_CASE */
3692
3693/*
3694 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_read_early_data() below is
3695 * a temporary workaround to not run the test in Windows-2013 where there is
3696 * an issue with mbedtls_vsnprintf().
3697 */
3698/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
3699void tls13_read_early_data(int scenario)
3700{
3701 int ret = -1;
3702 unsigned char buf[64];
3703 const char *early_data = "This is early data.";
3704 size_t early_data_len = strlen(early_data);
3705 mbedtls_test_ssl_endpoint client_ep, server_ep;
3706 mbedtls_test_handshake_test_options client_options;
3707 mbedtls_test_handshake_test_options server_options;
3708 mbedtls_ssl_session saved_session;
3709 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
3710 uint16_t group_list[3] = {
3711 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
3712 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
3713 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
3714 };
3715
3716 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
3717 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
3718 mbedtls_test_init_handshake_options(&client_options);
3719 mbedtls_test_init_handshake_options(&server_options);
3720 mbedtls_ssl_session_init(&saved_session);
3721
3722 PSA_INIT();
3723
3724 /*
3725 * Run first handshake to get a ticket from the server.
3726 */
3727
3728 client_options.pk_alg = MBEDTLS_PK_ECDSA;
3729 client_options.group_list = group_list;
3730 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
3731 server_options.pk_alg = MBEDTLS_PK_ECDSA;
3732 server_options.group_list = group_list;
3733 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
3734
3735#if defined(MBEDTLS_SSL_ALPN)
3736 switch (scenario) {
3737 case TEST_EARLY_DATA_SAME_ALPN:
3738 case TEST_EARLY_DATA_DIFF_ALPN:
3739 case TEST_EARLY_DATA_NO_LATER_ALPN:
3740 client_options.alpn_list[0] = "ALPNExample";
3741 client_options.alpn_list[1] = NULL;
3742 server_options.alpn_list[0] = "ALPNExample";
3743 server_options.alpn_list[1] = NULL;
3744 break;
3745 }
3746#endif
3747
3748 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
3749 &saved_session);
3750 TEST_EQUAL(ret, 0);
3751
3752 /*
3753 * Prepare for handshake with the ticket.
3754 */
3755 switch (scenario) {
3756 case TEST_EARLY_DATA_ACCEPTED:
3757 break;
3758
3759 case TEST_EARLY_DATA_NO_INDICATION_SENT:
3760 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
3761 break;
3762
3763 case TEST_EARLY_DATA_SERVER_REJECTS:
3764 mbedtls_debug_set_threshold(3);
3765 server_pattern.pattern =
3766 "EarlyData: deprotect and discard app data records.";
3767 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
3768 break;
3769
3770 case TEST_EARLY_DATA_HRR:
3771 mbedtls_debug_set_threshold(3);
3772 server_pattern.pattern =
3773 "EarlyData: Ignore application message before 2nd ClientHello";
3774 server_options.group_list = group_list + 1;
3775 break;
3776#if defined(MBEDTLS_SSL_ALPN)
3777 case TEST_EARLY_DATA_SAME_ALPN:
3778 client_options.alpn_list[0] = "ALPNExample";
3779 client_options.alpn_list[1] = NULL;
3780 server_options.alpn_list[0] = "ALPNExample";
3781 server_options.alpn_list[1] = NULL;
3782 break;
3783 case TEST_EARLY_DATA_DIFF_ALPN:
3784 case TEST_EARLY_DATA_NO_INITIAL_ALPN:
3785 client_options.alpn_list[0] = "ALPNExample2";
3786 client_options.alpn_list[1] = NULL;
3787 server_options.alpn_list[0] = "ALPNExample2";
3788 server_options.alpn_list[1] = NULL;
3789 mbedtls_debug_set_threshold(3);
3790 server_pattern.pattern =
3791 "EarlyData: rejected, the selected ALPN is different "
3792 "from the one associated with the pre-shared key.";
3793 break;
3794 case TEST_EARLY_DATA_NO_LATER_ALPN:
3795 client_options.alpn_list[0] = NULL;
3796 server_options.alpn_list[0] = NULL;
3797 mbedtls_debug_set_threshold(3);
3798 server_pattern.pattern =
3799 "EarlyData: rejected, the selected ALPN is different "
3800 "from the one associated with the pre-shared key.";
3801 break;
3802#endif
3803
3804 default:
3805 TEST_FAIL("Unknown scenario.");
3806 }
3807
3808 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
3809 &client_options, NULL, NULL, NULL);
3810 TEST_EQUAL(ret, 0);
3811
3812 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
3813 server_options.srv_log_obj = &server_pattern;
3814 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
3815 &server_options, NULL, NULL, NULL);
3816 TEST_EQUAL(ret, 0);
3817
3818 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
3819 mbedtls_test_ticket_write,
3820 mbedtls_test_ticket_parse,
3821 NULL);
3822
3823 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
3824 &(server_ep.socket), 1024);
3825 TEST_EQUAL(ret, 0);
3826
3827 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
3828 TEST_EQUAL(ret, 0);
3829
3830 /*
3831 * Handshake with ticket and send early data.
3832 */
3833 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
3834 &(client_ep.ssl), &(server_ep.ssl),
3835 MBEDTLS_SSL_SERVER_HELLO), 0);
3836
3837 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
3838 (unsigned char *) early_data,
3839 early_data_len);
3840
3841 if (client_ep.ssl.early_data_state !=
3842 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT) {
3843 TEST_EQUAL(ret, early_data_len);
3844 } else {
3845 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
3846 }
3847
3848 ret = mbedtls_test_move_handshake_to_state(
3849 &(server_ep.ssl), &(client_ep.ssl),
3850 MBEDTLS_SSL_HANDSHAKE_WRAPUP);
3851
3852 switch (scenario) {
3853 case TEST_EARLY_DATA_ACCEPTED:
3854#if defined(MBEDTLS_SSL_ALPN)
3855 case TEST_EARLY_DATA_SAME_ALPN:
3856#endif
3857 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
3858 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 1);
3859 TEST_EQUAL(mbedtls_ssl_read_early_data(&(server_ep.ssl),
3860 buf, sizeof(buf)), early_data_len);
3861 TEST_MEMORY_COMPARE(buf, early_data_len, early_data, early_data_len);
3862 break;
3863
3864 case TEST_EARLY_DATA_NO_INDICATION_SENT:
3865 TEST_EQUAL(ret, 0);
3866 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
3867 break;
3868
3869 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
3870 case TEST_EARLY_DATA_HRR:
3871#if defined(MBEDTLS_SSL_ALPN)
3872 case TEST_EARLY_DATA_DIFF_ALPN:
3873 case TEST_EARLY_DATA_NO_INITIAL_ALPN:
3874 case TEST_EARLY_DATA_NO_LATER_ALPN:
3875#endif
3876 TEST_EQUAL(ret, 0);
3877 TEST_EQUAL(server_ep.ssl.handshake->early_data_accepted, 0);
3878 TEST_EQUAL(server_pattern.counter, 1);
3879 break;
3880
3881 default:
3882 TEST_FAIL("Unknown scenario.");
3883 }
3884
3885 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
3886 &(server_ep.ssl), &(client_ep.ssl),
3887 MBEDTLS_SSL_HANDSHAKE_OVER), 0);
3888
3889exit:
3890 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
3891 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
3892 mbedtls_test_free_handshake_options(&client_options);
3893 mbedtls_test_free_handshake_options(&server_options);
3894 mbedtls_ssl_session_free(&saved_session);
3895 mbedtls_debug_set_threshold(0);
3896 PSA_DONE();
3897}
3898/* END_CASE */
3899
3900/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
3901void tls13_cli_early_data_state(int scenario)
3902{
3903 int ret = -1;
3904 mbedtls_test_ssl_endpoint client_ep, server_ep;
3905 mbedtls_test_handshake_test_options client_options;
3906 mbedtls_test_handshake_test_options server_options;
3907 mbedtls_ssl_session saved_session;
3908 uint16_t group_list[3] = {
3909 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
3910 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
3911 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
3912 };
3913 uint8_t client_random[MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
3914
3915 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
3916 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
3917 mbedtls_test_init_handshake_options(&client_options);
3918 mbedtls_test_init_handshake_options(&server_options);
3919 mbedtls_ssl_session_init(&saved_session);
3920
3921 PSA_INIT();
3922
3923 /*
3924 * Run first handshake to get a ticket from the server.
3925 */
3926 client_options.pk_alg = MBEDTLS_PK_ECDSA;
3927 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
3928 server_options.pk_alg = MBEDTLS_PK_ECDSA;
3929 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
3930 if (scenario == TEST_EARLY_DATA_HRR) {
3931 client_options.group_list = group_list;
3932 server_options.group_list = group_list;
3933 }
3934
3935 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
3936 &saved_session);
3937 TEST_EQUAL(ret, 0);
3938
3939 /*
3940 * Prepare for handshake with the ticket.
3941 */
3942 switch (scenario) {
3943 case TEST_EARLY_DATA_ACCEPTED:
3944 break;
3945
3946 case TEST_EARLY_DATA_NO_INDICATION_SENT:
3947 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
3948 break;
3949
3950 case TEST_EARLY_DATA_SERVER_REJECTS:
3951 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
3952 break;
3953
3954 case TEST_EARLY_DATA_HRR:
3955 server_options.group_list = group_list + 1;
3956 break;
3957
3958 default:
3959 TEST_FAIL("Unknown scenario.");
3960 }
3961
3962 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
3963 &client_options, NULL, NULL, NULL);
3964 TEST_EQUAL(ret, 0);
3965
3966 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
3967 &server_options, NULL, NULL, NULL);
3968 TEST_EQUAL(ret, 0);
3969
3970 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
3971 mbedtls_test_ticket_write,
3972 mbedtls_test_ticket_parse,
3973 NULL);
3974
3975 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
3976 &(server_ep.socket), 1024);
3977 TEST_EQUAL(ret, 0);
3978
3979 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
3980 TEST_EQUAL(ret, 0);
3981
3982 /*
3983 * Go through the handshake sequence, state by state, checking the early
3984 * data status each time.
3985 */
3986 do {
3987 int state = client_ep.ssl.state;
3988
3989 /* Progress the handshake from at least one state */
3990 while (client_ep.ssl.state == state) {
3991 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
3992 TEST_ASSERT((ret == 0) ||
3993 (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
3994 (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
3995 if (client_ep.ssl.state != state) {
3996 break;
3997 }
3998 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
3999 TEST_ASSERT((ret == 0) ||
4000 (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
4001 (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
4002 }
4003
4004 if (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4005 TEST_EQUAL(mbedtls_ssl_get_early_data_status(&(client_ep.ssl)),
4006 MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
4007 }
4008
4009 switch (client_ep.ssl.state) {
4010 case MBEDTLS_SSL_CLIENT_HELLO:
4011 switch (scenario) {
4012 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4013 case TEST_EARLY_DATA_NO_INDICATION_SENT: /* Intentional fallthrough */
4014 case TEST_EARLY_DATA_SERVER_REJECTS:
4015 TEST_EQUAL(client_ep.ssl.early_data_state,
4016 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
4017 break;
4018
4019 case TEST_EARLY_DATA_HRR:
4020 if (!client_ep.ssl.handshake->hello_retry_request_flag) {
4021 TEST_EQUAL(client_ep.ssl.early_data_state,
4022 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE);
4023 } else {
4024 TEST_EQUAL(client_ep.ssl.early_data_state,
4025 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4026 }
4027 break;
4028
4029 default:
4030 TEST_FAIL("Unknown scenario.");
4031 }
4032 break;
4033
4034 case MBEDTLS_SSL_SERVER_HELLO:
4035 switch (scenario) {
4036 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4037 case TEST_EARLY_DATA_SERVER_REJECTS:
4038 TEST_EQUAL(client_ep.ssl.early_data_state,
4039 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
4040 break;
4041
4042 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4043 TEST_EQUAL(client_ep.ssl.early_data_state,
4044 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4045 break;
4046
4047 case TEST_EARLY_DATA_HRR:
4048 if (!client_ep.ssl.handshake->hello_retry_request_flag) {
4049 TEST_EQUAL(client_ep.ssl.early_data_state,
4050 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
4051 memcpy(client_random,
4052 client_ep.ssl.handshake->randbytes,
4053 MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
4054 } else {
4055 TEST_EQUAL(client_ep.ssl.early_data_state,
4056 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4057 TEST_MEMORY_COMPARE(client_random,
4058 MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
4059 client_ep.ssl.handshake->randbytes,
4060 MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
4061 }
4062 break;
4063
4064 default:
4065 TEST_FAIL("Unknown scenario.");
4066 }
4067 break;
4068
4069 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
4070 switch (scenario) {
4071 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4072 case TEST_EARLY_DATA_SERVER_REJECTS:
4073 TEST_EQUAL(client_ep.ssl.early_data_state,
4074 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
4075 break;
4076
4077 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4078 TEST_EQUAL(client_ep.ssl.early_data_state,
4079 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4080 break;
4081
4082 case TEST_EARLY_DATA_HRR:
4083 TEST_EQUAL(client_ep.ssl.early_data_state,
4084 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4085 break;
4086
4087 default:
4088 TEST_FAIL("Unknown scenario.");
4089 }
4090 break;
4091
4092 case MBEDTLS_SSL_SERVER_FINISHED:
4093 switch (scenario) {
4094 case TEST_EARLY_DATA_ACCEPTED:
4095 TEST_EQUAL(client_ep.ssl.early_data_state,
4096 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED);
4097 break;
4098
4099 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4100 TEST_EQUAL(client_ep.ssl.early_data_state,
4101 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4102 break;
4103
4104 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4105 case TEST_EARLY_DATA_HRR:
4106 TEST_EQUAL(client_ep.ssl.early_data_state,
4107 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4108 break;
4109
4110 default:
4111 TEST_FAIL("Unknown scenario.");
4112 }
4113 break;
4114
4115 case MBEDTLS_SSL_END_OF_EARLY_DATA:
4116 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
4117 TEST_EQUAL(client_ep.ssl.early_data_state,
4118 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
4119 break;
4120
4121 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
4122 switch (scenario) {
4123 case TEST_EARLY_DATA_ACCEPTED:
4124 TEST_EQUAL(client_ep.ssl.early_data_state,
4125 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
4126 break;
4127
4128 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4129 TEST_EQUAL(client_ep.ssl.early_data_state,
4130 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4131 break;
4132
4133 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4134 case TEST_EARLY_DATA_HRR:
4135 TEST_EQUAL(client_ep.ssl.early_data_state,
4136 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4137 break;
4138
4139 default:
4140 TEST_FAIL("Unknown scenario.");
4141 }
4142 break;
4143
4144 case MBEDTLS_SSL_CLIENT_FINISHED:
4145 switch (scenario) {
4146 case TEST_EARLY_DATA_ACCEPTED:
4147 TEST_EQUAL(client_ep.ssl.early_data_state,
4148 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
4149 break;
4150
4151 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4152 TEST_EQUAL(client_ep.ssl.early_data_state,
4153 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4154 break;
4155
4156 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4157 case TEST_EARLY_DATA_HRR:
4158 TEST_EQUAL(client_ep.ssl.early_data_state,
4159 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4160 break;
4161
4162 default:
4163 TEST_FAIL("Unknown scenario.");
4164 }
4165 break;
4166
4167#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
4168 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
4169 switch (scenario) {
4170 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4171 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4172 case TEST_EARLY_DATA_HRR:
4173 TEST_EQUAL(client_ep.ssl.early_data_state,
4174 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT);
4175 break;
4176
4177 default:
4178 TEST_FAIL("Unexpected or unknown scenario.");
4179 }
4180 break;
4181
4182 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
4183 TEST_ASSERT(scenario == TEST_EARLY_DATA_HRR);
4184 TEST_EQUAL(client_ep.ssl.early_data_state,
4185 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4186 break;
4187
4188 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
4189 switch (scenario) {
4190 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4191 TEST_EQUAL(client_ep.ssl.early_data_state,
4192 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4193 break;
4194
4195 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4196 case TEST_EARLY_DATA_HRR:
4197 TEST_EQUAL(client_ep.ssl.early_data_state,
4198 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4199 break;
4200
4201 default:
4202 TEST_FAIL("Unexpected or unknown scenario.");
4203 }
4204 break;
4205#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
4206
4207 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
4208 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
4209 case MBEDTLS_SSL_HANDSHAKE_OVER:
4210 switch (scenario) {
4211 case TEST_EARLY_DATA_ACCEPTED:
4212 TEST_EQUAL(client_ep.ssl.early_data_state,
4213 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED);
4214 break;
4215
4216 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4217 TEST_EQUAL(client_ep.ssl.early_data_state,
4218 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4219 break;
4220
4221 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4222 case TEST_EARLY_DATA_HRR:
4223 TEST_EQUAL(client_ep.ssl.early_data_state,
4224 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED);
4225 break;
4226
4227 default:
4228 TEST_FAIL("Unknown scenario.");
4229 }
4230 break;
4231
4232 default:
4233 TEST_FAIL("Unexpected state.");
4234 }
4235 } while (client_ep.ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER);
4236
4237 ret = mbedtls_ssl_get_early_data_status(&(client_ep.ssl));
4238 switch (scenario) {
4239 case TEST_EARLY_DATA_ACCEPTED:
4240 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED);
4241 break;
4242
4243 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4244 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED);
4245 break;
4246
4247 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4248 case TEST_EARLY_DATA_HRR:
4249 TEST_EQUAL(ret, MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED);
4250 break;
4251
4252 default:
4253 TEST_FAIL("Unknown scenario.");
4254 }
4255
4256 ret = mbedtls_ssl_get_early_data_status(&(server_ep.ssl));
4257 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_BAD_INPUT_DATA);
4258
4259#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
4260 TEST_EQUAL(client_ep.ssl.handshake->ccs_sent, 1);
4261#endif
4262
4263exit:
4264 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
4265 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
4266 mbedtls_test_free_handshake_options(&client_options);
4267 mbedtls_test_free_handshake_options(&server_options);
4268 mbedtls_ssl_session_free(&saved_session);
4269 PSA_DONE();
4270}
4271/* END_CASE */
4272
4273/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
4274void tls13_write_early_data(int scenario)
4275{
4276 int ret = -1;
4277 mbedtls_test_ssl_endpoint client_ep, server_ep;
4278 mbedtls_test_handshake_test_options client_options;
4279 mbedtls_test_handshake_test_options server_options;
4280 mbedtls_ssl_session saved_session;
4281 uint16_t group_list[3] = {
4282 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
4283 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
4284 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
4285 };
4286 int beyond_first_hello = 0;
4287
4288 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
4289 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
4290 mbedtls_test_init_handshake_options(&client_options);
4291 mbedtls_test_init_handshake_options(&server_options);
4292 mbedtls_ssl_session_init(&saved_session);
4293
4294 PSA_INIT();
4295
4296 /*
4297 * Run first handshake to get a ticket from the server.
4298 */
4299 client_options.pk_alg = MBEDTLS_PK_ECDSA;
4300 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4301 server_options.pk_alg = MBEDTLS_PK_ECDSA;
4302 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4303 if (scenario == TEST_EARLY_DATA_HRR) {
4304 client_options.group_list = group_list;
4305 server_options.group_list = group_list;
4306 }
4307
4308 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
4309 &saved_session);
4310 TEST_EQUAL(ret, 0);
4311
4312 /*
4313 * Prepare for handshake with the ticket.
4314 */
4315 switch (scenario) {
4316 case TEST_EARLY_DATA_ACCEPTED:
4317 break;
4318
4319 case TEST_EARLY_DATA_NO_INDICATION_SENT:
4320 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
4321 break;
4322
4323 case TEST_EARLY_DATA_SERVER_REJECTS:
4324 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
4325 break;
4326
4327 case TEST_EARLY_DATA_HRR:
4328 /*
4329 * Remove server support for the group negotiated in
4330 * mbedtls_test_get_tls13_ticket() forcing a HelloRetryRequest.
4331 */
4332 server_options.group_list = group_list + 1;
4333 break;
4334
4335 default:
4336 TEST_FAIL("Unknown scenario.");
4337 }
4338
4339 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
4340 &client_options, NULL, NULL, NULL);
4341 TEST_EQUAL(ret, 0);
4342
4343 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
4344 &server_options, NULL, NULL, NULL);
4345 TEST_EQUAL(ret, 0);
4346
4347 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
4348 mbedtls_test_ticket_write,
4349 mbedtls_test_ticket_parse,
4350 NULL);
4351
4352 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
4353 &(server_ep.socket), 1024);
4354 TEST_EQUAL(ret, 0);
4355
4356 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
4357 TEST_EQUAL(ret, 0);
4358
4359 /*
4360 * Run handshakes going one state further in the handshake sequence at each
4361 * loop up to the point where we reach the MBEDTLS_SSL_HANDSHAKE_OVER
4362 * state. For each reached handshake state, check the result of the call
4363 * to mbedtls_ssl_write_early_data(), make sure we can complete the
4364 * handshake successfully and then reset the connection to restart the
4365 * handshake from scratch.
4366 */
4367 do {
4368 int client_state = client_ep.ssl.state;
4369 int previous_client_state;
4370 const char *early_data_string = "This is early data.";
4371 const unsigned char *early_data = (const unsigned char *) early_data_string;
4372 size_t early_data_len = strlen(early_data_string);
4373 int write_early_data_ret, read_early_data_ret;
4374 unsigned char read_buf[64];
4375
4376 write_early_data_ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
4377 early_data,
4378 early_data_len);
4379
4380 if (scenario == TEST_EARLY_DATA_NO_INDICATION_SENT) {
4381 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4382 TEST_EQUAL(client_ep.ssl.state, client_state);
4383 goto complete_handshake;
4384 }
4385
4386 switch (client_state) {
4387 case MBEDTLS_SSL_HELLO_REQUEST: /* Intentional fallthrough */
4388 case MBEDTLS_SSL_CLIENT_HELLO:
4389 switch (scenario) {
4390 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4391 case TEST_EARLY_DATA_SERVER_REJECTS:
4392 TEST_EQUAL(write_early_data_ret, early_data_len);
4393 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4394 break;
4395
4396 case TEST_EARLY_DATA_HRR:
4397 if (!client_ep.ssl.handshake->hello_retry_request_flag) {
4398 TEST_EQUAL(write_early_data_ret, early_data_len);
4399 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4400 } else {
4401 beyond_first_hello = 1;
4402 TEST_EQUAL(write_early_data_ret,
4403 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4404 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_HELLO);
4405 }
4406 break;
4407
4408 default:
4409 TEST_FAIL("Unknown scenario.");
4410 }
4411 break;
4412
4413 case MBEDTLS_SSL_SERVER_HELLO:
4414 switch (scenario) {
4415 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4416 case TEST_EARLY_DATA_SERVER_REJECTS:
4417 TEST_EQUAL(write_early_data_ret, early_data_len);
4418 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4419 break;
4420
4421 case TEST_EARLY_DATA_HRR:
4422 if (!client_ep.ssl.handshake->hello_retry_request_flag) {
4423 TEST_EQUAL(write_early_data_ret, early_data_len);
4424 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4425 } else {
4426 TEST_EQUAL(write_early_data_ret,
4427 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4428 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4429 }
4430 break;
4431
4432 default:
4433 TEST_FAIL("Unknown scenario.");
4434 }
4435 break;
4436
4437 case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
4438 switch (scenario) {
4439 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4440 case TEST_EARLY_DATA_SERVER_REJECTS:
4441 TEST_EQUAL(write_early_data_ret, early_data_len);
4442 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
4443 break;
4444
4445 case TEST_EARLY_DATA_HRR:
4446 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4447 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS);
4448 break;
4449
4450 default:
4451 TEST_FAIL("Unknown scenario.");
4452 }
4453 break;
4454
4455 case MBEDTLS_SSL_SERVER_FINISHED:
4456 switch (scenario) {
4457 case TEST_EARLY_DATA_ACCEPTED:
4458 TEST_EQUAL(write_early_data_ret, early_data_len);
4459 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
4460 break;
4461
4462 case TEST_EARLY_DATA_SERVER_REJECTS:
4463 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4464 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
4465 break;
4466
4467 case TEST_EARLY_DATA_HRR:
4468 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4469 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_FINISHED);
4470 break;
4471
4472 default:
4473 TEST_FAIL("Unknown scenario.");
4474 }
4475 break;
4476
4477 case MBEDTLS_SSL_END_OF_EARLY_DATA:
4478 TEST_EQUAL(scenario, TEST_EARLY_DATA_ACCEPTED);
4479 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4480 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_END_OF_EARLY_DATA);
4481 break;
4482
4483#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
4484 case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
4485 switch (scenario) {
4486 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4487 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4488 case TEST_EARLY_DATA_HRR:
4489 TEST_EQUAL(write_early_data_ret, early_data_len);
4490 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_SERVER_HELLO);
4491 break;
4492 default:
4493 TEST_FAIL("Unknown scenario.");
4494 }
4495 break;
4496
4497 case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
4498 TEST_EQUAL(scenario, TEST_EARLY_DATA_HRR);
4499 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4500 TEST_EQUAL(client_ep.ssl.state, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
4501 break;
4502
4503 case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
4504 switch (scenario) {
4505 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4506 case TEST_EARLY_DATA_HRR:
4507 TEST_EQUAL(write_early_data_ret,
4508 MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4509 TEST_EQUAL(client_ep.ssl.state,
4510 MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED);
4511 break;
4512 default:
4513 TEST_FAIL("Unexpected or unknown scenario.");
4514 }
4515 break;
4516#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
4517
4518 case MBEDTLS_SSL_CLIENT_CERTIFICATE: /* Intentional fallthrough */
4519 case MBEDTLS_SSL_CLIENT_FINISHED: /* Intentional fallthrough */
4520 case MBEDTLS_SSL_FLUSH_BUFFERS: /* Intentional fallthrough */
4521 case MBEDTLS_SSL_HANDSHAKE_WRAPUP: /* Intentional fallthrough */
4522 case MBEDTLS_SSL_HANDSHAKE_OVER:
4523 switch (scenario) {
4524 case TEST_EARLY_DATA_ACCEPTED: /* Intentional fallthrough */
4525 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4526 case TEST_EARLY_DATA_HRR:
4527 TEST_EQUAL(write_early_data_ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4528 TEST_EQUAL(client_ep.ssl.state, client_state);
4529 break;
4530 default:
4531 TEST_FAIL("Unknown scenario.");
4532 }
4533 break;
4534
4535 default:
4536 TEST_FAIL("Unexpected state.");
4537 }
4538
4539complete_handshake:
4540 do {
4541 ret = mbedtls_test_move_handshake_to_state(
4542 &(server_ep.ssl), &(client_ep.ssl),
4543 MBEDTLS_SSL_HANDSHAKE_OVER);
4544
4545 if (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA) {
4546 read_early_data_ret = mbedtls_ssl_read_early_data(
4547 &(server_ep.ssl), read_buf, sizeof(read_buf));
4548
4549 TEST_EQUAL(read_early_data_ret, early_data_len);
4550 }
4551 } while (ret == MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
4552
4553 TEST_EQUAL(ret, 0);
4554 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
4555 &(client_ep.ssl), &(server_ep.ssl),
4556 MBEDTLS_SSL_HANDSHAKE_OVER), 0);
4557
4558 mbedtls_test_mock_socket_close(&(client_ep.socket));
4559 mbedtls_test_mock_socket_close(&(server_ep.socket));
4560
4561 ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
4562 TEST_EQUAL(ret, 0);
4563
4564 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
4565 TEST_EQUAL(ret, 0);
4566
4567 ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
4568 TEST_EQUAL(ret, 0);
4569
4570 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
4571 &(server_ep.socket), 1024);
4572 TEST_EQUAL(ret, 0);
4573
4574 previous_client_state = client_state;
4575 if (previous_client_state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4576 break;
4577 }
4578
4579 /* In case of HRR scenario, once we have been through it, move over
4580 * the first ClientHello and ServerHello otherwise we just keep playing
4581 * this first part of the handshake with HRR.
4582 */
4583 if ((scenario == TEST_EARLY_DATA_HRR) && (beyond_first_hello)) {
4584 TEST_ASSERT(mbedtls_test_move_handshake_to_state(
4585 &(client_ep.ssl), &(server_ep.ssl),
4586 MBEDTLS_SSL_SERVER_HELLO) == 0);
4587 TEST_ASSERT(mbedtls_test_move_handshake_to_state(
4588 &(client_ep.ssl), &(server_ep.ssl),
4589 MBEDTLS_SSL_CLIENT_HELLO) == 0);
4590 }
4591
4592 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
4593 &(client_ep.ssl), &(server_ep.ssl),
4594 previous_client_state), 0);
4595
4596 /* Progress the handshake from at least one state */
4597 while (client_ep.ssl.state == previous_client_state) {
4598 ret = mbedtls_ssl_handshake_step(&(client_ep.ssl));
4599 TEST_ASSERT((ret == 0) ||
4600 (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
4601 (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
4602 if (client_ep.ssl.state != previous_client_state) {
4603 break;
4604 }
4605 ret = mbedtls_ssl_handshake_step(&(server_ep.ssl));
4606 TEST_ASSERT((ret == 0) ||
4607 (ret == MBEDTLS_ERR_SSL_WANT_READ) ||
4608 (ret == MBEDTLS_ERR_SSL_WANT_WRITE));
4609 }
4610 } while (1);
4611
4612exit:
4613 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
4614 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
4615 mbedtls_test_free_handshake_options(&client_options);
4616 mbedtls_test_free_handshake_options(&server_options);
4617 mbedtls_ssl_session_free(&saved_session);
4618 PSA_DONE();
4619}
4620/* END_CASE */
4621
4622/* BEGIN_CASE depends_on:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
4623void tls13_cli_max_early_data_size(int max_early_data_size_arg)
4624{
4625 int ret = -1;
4626 mbedtls_test_ssl_endpoint client_ep, server_ep;
4627 mbedtls_test_handshake_test_options client_options;
4628 mbedtls_test_handshake_test_options server_options;
4629 mbedtls_ssl_session saved_session;
4630 unsigned char *buf = NULL;
4631 uint32_t buf_size = 64;
4632 uint32_t max_early_data_size;
4633 uint32_t written_early_data_size = 0;
4634 uint32_t read_early_data_size = 0;
4635
4636 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
4637 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
4638 mbedtls_test_init_handshake_options(&client_options);
4639 mbedtls_test_init_handshake_options(&server_options);
4640 mbedtls_ssl_session_init(&saved_session);
4641
4642 PSA_INIT();
4643 TEST_CALLOC(buf, buf_size);
4644
4645 /*
4646 * Run first handshake to get a ticket from the server.
4647 */
4648
4649 client_options.pk_alg = MBEDTLS_PK_ECDSA;
4650 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4651 server_options.pk_alg = MBEDTLS_PK_ECDSA;
4652 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4653 server_options.max_early_data_size = max_early_data_size_arg;
4654
4655 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
4656 &saved_session);
4657 TEST_EQUAL(ret, 0);
4658
4659 /*
4660 * Prepare for handshake with the ticket.
4661 */
4662 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
4663 &client_options, NULL, NULL, NULL);
4664 TEST_EQUAL(ret, 0);
4665
4666 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
4667 &server_options, NULL, NULL, NULL);
4668 TEST_EQUAL(ret, 0);
4669
4670 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
4671 mbedtls_test_ticket_write,
4672 mbedtls_test_ticket_parse,
4673 NULL);
4674
4675 max_early_data_size = saved_session.max_early_data_size;
4676 /*
4677 * (max_early_data_size + 1024) for the size of the socket buffers for the
4678 * server one to be able to contain the maximum number of early data bytes
4679 * plus the first flight of client messages. Needed because we cannot
4680 * initiate the handshake on server side before doing all the calls to
4681 * mbedtls_ssl_write_early_data() we want to test. See below for more
4682 * information.
4683 */
4684 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
4685 &(server_ep.socket),
4686 max_early_data_size + 1024);
4687 TEST_EQUAL(ret, 0);
4688
4689 /* If our server is configured with max_early_data_size equal to zero, it
4690 * does not set the MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA flag for
4691 * the tickets it creates. To be able to test early data with a ticket
4692 * allowing early data in its flags but with max_early_data_size equal to
4693 * zero (case supported by our client) tweak the ticket flags here.
4694 */
4695 if (max_early_data_size == 0) {
4696 saved_session.ticket_flags |= MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA;
4697 }
4698
4699 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
4700 TEST_EQUAL(ret, 0);
4701
4702 while (written_early_data_size < max_early_data_size) {
4703 uint32_t remaining = max_early_data_size - written_early_data_size;
4704
4705 for (size_t i = 0; i < buf_size; i++) {
4706 buf[i] = (unsigned char) (written_early_data_size + i);
4707 }
4708
4709 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl),
4710 buf,
4711 buf_size);
4712
4713 if (buf_size <= remaining) {
4714 TEST_EQUAL(ret, buf_size);
4715 } else {
4716 TEST_EQUAL(ret, remaining);
4717 }
4718 written_early_data_size += buf_size;
4719 }
4720 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);
4721
4722 ret = mbedtls_ssl_write_early_data(&(client_ep.ssl), buf, 1);
4723 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA);
4724 TEST_EQUAL(client_ep.ssl.total_early_data_size, max_early_data_size);
4725 TEST_EQUAL(client_ep.ssl.early_data_state,
4726 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE);
4727
4728 /*
4729 * Now, check data on server side. It is not done in the previous loop as
4730 * in the first call to mbedtls_ssl_handshake(), the server ends up sending
4731 * its Finished message and then in the following call to
4732 * mbedtls_ssl_write_early_data() we go past the early data writing window
4733 * and we cannot test multiple calls to the API is this writing window.
4734 */
4735 while (read_early_data_size < max_early_data_size) {
4736 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
4737 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
4738
4739 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
4740 buf,
4741 buf_size);
4742 TEST_ASSERT(ret > 0);
4743
4744 for (size_t i = 0; i < (size_t) ret; i++) {
4745 TEST_EQUAL(buf[i], (unsigned char) (read_early_data_size + i));
4746 }
4747
4748 read_early_data_size += ret;
4749 }
4750 TEST_EQUAL(read_early_data_size, max_early_data_size);
4751
4752 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
4753 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
4754
4755 TEST_ASSERT(mbedtls_test_move_handshake_to_state(
4756 &(client_ep.ssl), &(server_ep.ssl), MBEDTLS_SSL_HANDSHAKE_OVER)
4757 == 0);
4758
4759exit:
4760 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
4761 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
4762 mbedtls_test_free_handshake_options(&client_options);
4763 mbedtls_test_free_handshake_options(&server_options);
4764 mbedtls_ssl_session_free(&saved_session);
4765 mbedtls_free(buf);
4766 PSA_DONE();
4767}
4768/* END_CASE */
4769
4770/*
4771 * The !MBEDTLS_SSL_PROTO_TLS1_2 dependency of tls13_early_data() below is
4772 * a temporary workaround to not run the test in Windows-2013 where there is
4773 * an issue with mbedtls_vsnprintf().
4774 */
4775/* BEGIN_CASE depends_on:!MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_EARLY_DATA:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_DEBUG_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
4776void tls13_srv_max_early_data_size(int scenario, int max_early_data_size_arg, int write_size_arg)
4777{
4778 int ret = -1;
4779 mbedtls_test_ssl_endpoint client_ep, server_ep;
4780 mbedtls_test_handshake_test_options client_options;
4781 mbedtls_test_handshake_test_options server_options;
4782 mbedtls_ssl_session saved_session;
4783 mbedtls_test_ssl_log_pattern server_pattern = { NULL, 0 };
4784 uint16_t group_list[3] = {
4785 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
4786 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
4787 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
4788 };
4789 char pattern[128];
4790 unsigned char *buf_write = NULL;
4791 uint32_t write_size = (uint32_t) write_size_arg;
4792 unsigned char *buf_read = NULL;
4793 uint32_t read_size;
4794 uint32_t expanded_early_data_chunk_size = 0;
4795 uint32_t written_early_data_size = 0;
4796 uint32_t max_early_data_size;
4797
4798 mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
4799 mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
4800 mbedtls_test_init_handshake_options(&client_options);
4801 mbedtls_test_init_handshake_options(&server_options);
4802 mbedtls_ssl_session_init(&saved_session);
4803 PSA_INIT();
4804
4805 TEST_CALLOC(buf_write, write_size);
4806
4807 /*
4808 * Allocate a smaller buffer for early data reading to exercise the reading
4809 * of data in one record in multiple calls.
4810 */
4811 read_size = (write_size / 2) + 1;
4812 TEST_CALLOC(buf_read, read_size);
4813
4814 /*
4815 * Run first handshake to get a ticket from the server.
4816 */
4817
4818 client_options.pk_alg = MBEDTLS_PK_ECDSA;
4819 client_options.group_list = group_list;
4820 client_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4821 server_options.pk_alg = MBEDTLS_PK_ECDSA;
4822 server_options.group_list = group_list;
4823 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_ENABLED;
4824 server_options.max_early_data_size = max_early_data_size_arg;
4825
4826 ret = mbedtls_test_get_tls13_ticket(&client_options, &server_options,
4827 &saved_session);
4828 TEST_EQUAL(ret, 0);
4829
4830 /*
4831 * Prepare for handshake with the ticket.
4832 */
4833 server_options.srv_log_fun = mbedtls_test_ssl_log_analyzer;
4834 server_options.srv_log_obj = &server_pattern;
4835 server_pattern.pattern = pattern;
4836
4837 switch (scenario) {
4838 case TEST_EARLY_DATA_ACCEPTED:
4839 break;
4840
4841 case TEST_EARLY_DATA_SERVER_REJECTS:
4842 server_options.early_data = MBEDTLS_SSL_EARLY_DATA_DISABLED;
4843 ret = mbedtls_snprintf(pattern, sizeof(pattern),
4844 "EarlyData: deprotect and discard app data records.");
4845 TEST_ASSERT(ret < (int) sizeof(pattern));
4846 mbedtls_debug_set_threshold(3);
4847 break;
4848
4849 case TEST_EARLY_DATA_HRR:
4850 /*
4851 * Remove server support for the group negotiated in
4852 * mbedtls_test_get_tls13_ticket() forcing an HelloRetryRequest.
4853 */
4854 server_options.group_list = group_list + 1;
4855 ret = mbedtls_snprintf(
4856 pattern, sizeof(pattern),
4857 "EarlyData: Ignore application message before 2nd ClientHello");
4858 TEST_ASSERT(ret < (int) sizeof(pattern));
4859 mbedtls_debug_set_threshold(3);
4860 break;
4861
4862 default:
4863 TEST_FAIL("Unknown scenario.");
4864 }
4865
4866 ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
4867 &client_options, NULL, NULL, NULL);
4868 TEST_EQUAL(ret, 0);
4869
4870 ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
4871 &server_options, NULL, NULL, NULL);
4872 TEST_EQUAL(ret, 0);
4873
4874 mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
4875 mbedtls_test_ticket_write,
4876 mbedtls_test_ticket_parse,
4877 NULL);
4878
4879 ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
4880 &(server_ep.socket), 1024);
4881 TEST_EQUAL(ret, 0);
4882
4883 max_early_data_size = saved_session.max_early_data_size;
4884
4885 ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
4886 TEST_EQUAL(ret, 0);
4887
4888 /*
4889 * Start an handshake based on the ticket up to the point where early data
4890 * can be sent from client side. Then send in a loop as much early data as
4891 * possible without going over the maximum permitted size for the ticket.
4892 * Finally, do a last writting to go past that maximum permitted size and
4893 * check that we detect it.
4894 */
4895 TEST_EQUAL(mbedtls_test_move_handshake_to_state(
4896 &(client_ep.ssl), &(server_ep.ssl),
4897 MBEDTLS_SSL_SERVER_HELLO), 0);
4898
4899 TEST_ASSERT(client_ep.ssl.early_data_state !=
4900 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT);
4901
4902 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
4903 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_WANT_READ);
4904
4905 /*
4906 * Write and if possible read as much as possible chunks of write_size
4907 * bytes data without getting over the max_early_data_size limit.
4908 */
4909 do {
4910 uint32_t read_early_data_size = 0;
4911
4912 /*
4913 * The contents of the early data are not very important, write a
4914 * pattern that varies byte-by-byte and is different for every chunk of
4915 * early data.
4916 */
4917 if ((written_early_data_size + write_size) > max_early_data_size) {
4918 break;
4919 }
4920
4921 /*
4922 * If the server rejected early data, base the determination of when
4923 * to stop the loop on the expanded size (padding and encryption
4924 * expansion) of early data on server side and the number of early data
4925 * received so far by the server (multiple of the expanded size).
4926 */
4927 if ((expanded_early_data_chunk_size != 0) &&
4928 ((server_ep.ssl.total_early_data_size +
4929 expanded_early_data_chunk_size) > max_early_data_size)) {
4930 break;
4931 }
4932
4933 for (size_t i = 0; i < write_size; i++) {
4934 buf_write[i] = (unsigned char) (written_early_data_size + i);
4935 }
4936
4937 ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
4938 TEST_EQUAL(ret, write_size);
4939 written_early_data_size += write_size;
4940
4941 switch (scenario) {
4942 case TEST_EARLY_DATA_ACCEPTED:
4943 while (read_early_data_size < write_size) {
4944 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
4945 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA);
4946
4947 ret = mbedtls_ssl_read_early_data(&(server_ep.ssl),
4948 buf_read, read_size);
4949 TEST_ASSERT(ret > 0);
4950
4951 TEST_MEMORY_COMPARE(buf_read, ret,
4952 buf_write + read_early_data_size, ret);
4953 read_early_data_size += ret;
4954
4955 TEST_EQUAL(server_ep.ssl.total_early_data_size,
4956 written_early_data_size);
4957 }
4958 break;
4959
4960 case TEST_EARLY_DATA_SERVER_REJECTS: /* Intentional fallthrough */
4961 case TEST_EARLY_DATA_HRR:
4962 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
4963 /*
4964 * In this write loop we try to always stay below the
4965 * max_early_data_size limit but if max_early_data_size is very
4966 * small we may exceed the max_early_data_size limit on the
4967 * first write. In TEST_EARLY_DATA_SERVER_REJECTS/
4968 * TEST_EARLY_DATA_HRR scenario, this is for sure the case if
4969 * max_early_data_size is smaller than the smallest possible
4970 * inner content/protected record. Take into account this
4971 * possibility here but only for max_early_data_size values
4972 * that are close to write_size. Below, '1' is for the inner
4973 * type byte and '16' is to take into account some AEAD
4974 * expansion (tag, ...).
4975 */
4976 if (ret == MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) {
4977 if (scenario == TEST_EARLY_DATA_SERVER_REJECTS) {
4978 TEST_LE_U(max_early_data_size,
4979 write_size + 1 +
4980 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
4981 } else {
4982 TEST_LE_U(max_early_data_size,
4983 write_size + 1 + 16 +
4984 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY);
4985 }
4986 goto exit;
4987 }
4988
4989 TEST_ASSERT(ret == MBEDTLS_ERR_SSL_WANT_READ);
4990
4991 TEST_EQUAL(server_pattern.counter, 1);
4992 server_pattern.counter = 0;
4993 if (expanded_early_data_chunk_size == 0) {
4994 expanded_early_data_chunk_size = server_ep.ssl.total_early_data_size;
4995 }
4996 break;
4997 }
4998 TEST_LE_U(server_ep.ssl.total_early_data_size, max_early_data_size);
4999 } while (1);
5000
5001 mbedtls_debug_set_threshold(3);
5002 ret = write_early_data(&(client_ep.ssl), buf_write, write_size);
5003 TEST_EQUAL(ret, write_size);
5004
5005 ret = mbedtls_snprintf(pattern, sizeof(pattern),
5006 "EarlyData: Too much early data received");
5007 TEST_ASSERT(ret < (int) sizeof(pattern));
5008
5009 ret = mbedtls_ssl_handshake(&(server_ep.ssl));
5010 TEST_EQUAL(ret, MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
5011 TEST_EQUAL(server_pattern.counter, 1);
5012
5013exit:
5014 mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
5015 mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
5016 mbedtls_test_free_handshake_options(&client_options);
5017 mbedtls_test_free_handshake_options(&server_options);
5018 mbedtls_ssl_session_free(&saved_session);
5019 mbedtls_free(buf_write);
5020 mbedtls_free(buf_read);
5021 mbedtls_debug_set_threshold(0);
5022 PSA_DONE();
5023}
5024/* END_CASE */