commit a77d005d39e78b55231311d034f2187eae8d5929
author Hanno Becker <hanno.becker@arm.com> Mon Mar 22 15:16:33 2021 +0000
committer Hanno Becker <hanno.becker@arm.com> Mon Aug 02 04:53:58 2021 +0100
tree 88400c46416510020f2fc4403d61579599c30049
parent 79e2d1b6f6eb5c07370afe20c20af00a727a190b

Add known answer tests for TLS 1.3 record protection

This commit adds four known answer tests for TLS 1.3 record protection
from the following sources:

- RFC 8448 "Example Handshake Traces for TLS 1.3"
- tls13.ulfheim.net "The New Illustrated TLS Connection"

It extends the test coverage of the existing record protection tests
in the following ways:

- The existing record protection tests hand-craft record transform
  structures; the new tests use the function

     mbedtls_ssl_tls13_populate_transform()

  from library source to create an TLS 1.3 transform from raw
  key material and connection information.
- The existing record protection tests only check that encryption
  and decryption are inverse to each other; as such, they don't
  catch non-compliant implementations of encryption and decryption
  which happen to be inverse to each other. By adding a known answer
  test for TLS 1.3 record protection, can gain confidence that our
  implementation is indeed standards-compliant.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>

tests/suites/test_suite_ssl.function

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 081e8a4..a83d6e2 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3944,6 +3944,92 @@
 /* END_CASE */
 
 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+void ssl_tls1_3_record_protection( int ciphersuite,
+                                   int endpoint,
+                                   int ctr,
+                                   data_t *server_write_key,
+                                   data_t *server_write_iv,
+                                   data_t *client_write_key,
+                                   data_t *client_write_iv,
+                                   data_t *plaintext,
+                                   data_t *ciphertext )
+{
+    mbedtls_ssl_key_set keys;
+    mbedtls_ssl_transform transform_send;
+    mbedtls_ssl_transform transform_recv;
+    mbedtls_record rec;
+    unsigned char *buf = NULL;
+    int other_endpoint;
+
+    TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
+                 endpoint == MBEDTLS_SSL_IS_SERVER );
+
+    if( endpoint == MBEDTLS_SSL_IS_SERVER )
+        other_endpoint = MBEDTLS_SSL_IS_CLIENT;
+    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+        other_endpoint = MBEDTLS_SSL_IS_SERVER;
+
+    TEST_ASSERT( server_write_key->len == client_write_key->len );
+    TEST_ASSERT( server_write_iv->len  == client_write_iv->len  );
+
+    memcpy( keys.client_write_key,
+            client_write_key->x, client_write_key->len );
+    memcpy( keys.client_write_iv,
+            client_write_iv->x, client_write_iv->len );
+    memcpy( keys.server_write_key,
+            server_write_key->x, server_write_key->len );
+    memcpy( keys.server_write_iv,
+            server_write_iv->x, server_write_iv->len );
+
+    keys.key_len = server_write_key->len;
+    keys.iv_len  = server_write_iv->len;
+
+    mbedtls_ssl_transform_init( &transform_recv );
+    mbedtls_ssl_transform_init( &transform_send );
+
+    TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+                     &transform_send, endpoint,
+                     ciphersuite, &keys, NULL ) == 0 );
+    TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+                     &transform_recv, other_endpoint,
+                     ciphersuite, &keys, NULL ) == 0 );
+
+    ASSERT_ALLOC( buf, ciphertext->len );
+    rec.type   = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+    mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
+                               MBEDTLS_SSL_MINOR_VERSION_3,
+                               MBEDTLS_SSL_TRANSPORT_STREAM,
+                               rec.ver );
+
+    /* Copy plaintext into record structure */
+    rec.buf = buf;
+    rec.buf_len = ciphertext->len;
+    rec.data_offset = 0;
+    TEST_ASSERT( plaintext->len <= ciphertext->len );
+    memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
+    rec.data_len = plaintext->len;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    memset( &rec.ctr[0], 0, 8 );
+    rec.ctr[7] = ctr;
+
+    TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
+                                          NULL, NULL ) == 0 );
+    ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+                    ciphertext->x, ciphertext->len );
+
+    TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
+    ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+                    plaintext->x, plaintext->len );
+
+    mbedtls_ssl_transform_free( &transform_send );
+    mbedtls_ssl_transform_free( &transform_recv );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 void ssl_tls1_3_key_evolution( int hash_alg,
                                data_t *secret,
                                data_t *input,