TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls.git / 766be1f8f4ea2f22cbb004f4c8c2341f789ea97f / . / tests / suites / test_suite_ssl_decrypt.function
blob: 2d75a29bc51d97adb8b50ec931483490db51739c [file] [log] [blame]
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]1/* BEGIN_HEADER */
2/* Testing of mbedtls_ssl_decrypt_buf() specifically, focusing on negative
3 * testing (using malformed inputs). */
4
5#include <mbedtls/ssl.h>
6#include <ssl_misc.h>
7#include <test/ssl_helpers.h>
8
9/* END_HEADER */
10
11/* BEGIN_DEPENDENCIES
12 * depends_on:MBEDTLS_SSL_TLS_C
13 * END_DEPENDENCIES
14 */
15
Gilles Peskined2e004e2023-09-18 14:05:55 +0200[diff] [blame]16/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_CIPHER_NULL_CIPHER */
17void ssl_decrypt_null(int hash_id)
18{
19 mbedtls_ssl_transform transform_in, transform_out;
20 mbedtls_ssl_transform_init(&transform_in);
21 mbedtls_ssl_transform_init(&transform_out);
22 const mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2;
23 const mbedtls_cipher_type_t cipher_type = MBEDTLS_CIPHER_NULL;
24 mbedtls_record rec_good = {
25 .ctr = { 0 },
26 .type = MBEDTLS_SSL_MSG_APPLICATION_DATA,
27 .ver = { 0, 0 }, /* Will be set by a function call below */
28 .buf = NULL,
29 .buf_len = 0,
30 .data_offset = 0,
31 .data_len = 0,
32#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
33 .cid_len = 0,
34 .cid = { 0 },
35#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
36 };
37 mbedtls_ssl_write_version(rec_good.ver,
38 MBEDTLS_SSL_TRANSPORT_STREAM,
39 version);
Felix Conway2e1399f2025-06-11 16:04:30 +0100[diff] [blame]40 /* We need to tell the compiler that we meant to leave out the null character. */
Felix Conway766be1f2025-06-12 10:52:36 +0100[diff] [blame^]41 const char sample_plaintext[3] MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING = "ABC";
Gilles Peskined2e004e2023-09-18 14:05:55 +0200[diff] [blame]42 mbedtls_ssl_context ssl;
43 mbedtls_ssl_init(&ssl);
44 uint8_t *buf = NULL;
45
46 MD_OR_USE_PSA_INIT();
47
48 TEST_EQUAL(mbedtls_test_ssl_build_transforms(&transform_in, &transform_out,
49 cipher_type, hash_id, 0, 0,
50 version,
51 0, 0), 0);
52
53 const size_t plaintext_length = sizeof(sample_plaintext);
54 rec_good.buf_len = plaintext_length + transform_in.maclen;
55 rec_good.data_len = plaintext_length;
56 TEST_CALLOC(rec_good.buf, rec_good.buf_len);
57 memcpy(rec_good.buf, sample_plaintext, plaintext_length);
58 TEST_EQUAL(mbedtls_test_ssl_prepare_record_mac(&rec_good,
59 &transform_out), 0);
60
61 /* Good case */
62 mbedtls_record rec = rec_good;
63 TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec), 0);
64
65 /* Change any one byte of the plaintext or MAC. The MAC will be wrong. */
66 TEST_CALLOC(buf, rec.buf_len);
67 for (size_t i = 0; i < rec.buf_len; i++) {
68 mbedtls_test_set_step(i);
69 rec = rec_good;
70 rec.buf = buf;
71 memcpy(buf, rec_good.buf, rec.buf_len);
72 buf[i] ^= 1;
73 TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
74 MBEDTLS_ERR_SSL_INVALID_MAC);
75 }
76 mbedtls_free(buf);
77 buf = NULL;
78
79 /* Shorter input buffer. Either the MAC will be wrong, or there isn't
80 * enough room for a MAC. */
81 for (size_t n = 1; n < rec.buf_len; n++) {
82 mbedtls_test_set_step(n);
83 rec = rec_good;
84 TEST_CALLOC(buf, n);
85 rec.buf = buf;
86 rec.buf_len = n;
87 rec.data_len = n;
88 memcpy(buf, rec_good.buf, n);
89 TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
90 MBEDTLS_ERR_SSL_INVALID_MAC);
91 mbedtls_free(buf);
92 buf = NULL;
93 }
94
95 /* For robustness, check a 0-length buffer (non-null, then null).
96 * This should not reach mbedtls_ssl_decrypt_buf() as used in the library,
97 * so the exact error doesn't matter, but we don't want a crash. */
98 {
99 const uint8_t buf1[1] = { 'a' };
100 rec = rec_good;
101 /* We won't write to buf1[0] since it's out of range, so we can cast
102 * the const away. */
103 rec.buf = (uint8_t *) buf1;
104 rec.buf_len = 0;
105 TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
106 MBEDTLS_ERR_SSL_INTERNAL_ERROR);
107 }
108 rec = rec_good;
109 rec.buf = NULL;
110 rec.buf_len = 0;
111 TEST_EQUAL(mbedtls_ssl_decrypt_buf(&ssl, &transform_in, &rec),
112 MBEDTLS_ERR_SSL_INTERNAL_ERROR);
113
114exit:
115 mbedtls_ssl_transform_free(&transform_in);
116 mbedtls_ssl_transform_free(&transform_out);
117 mbedtls_free(rec_good.buf);
118 mbedtls_ssl_free(&ssl);
119 mbedtls_free(buf);
120 MD_OR_USE_PSA_DONE();
121}
122/* END_CASE */
123
Pengyu Lvba6825e2023-11-08 12:16:29 +0800[diff] [blame]124/* BEGIN_CASE depends_on:MBEDTLS_SSL_HAVE_CBC:MBEDTLS_SSL_HAVE_AES:MBEDTLS_SSL_PROTO_TLS1_2 */
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]125void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac,
126 int length_selector)
127{
128 /*
129 * Test record decryption for CBC without EtM, focused on the verification
130 * of padding and MAC.
131 *
132 * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since
133 * the test framework doesn't support alternation in dependency statements,
134 * just depend on AES.
135 *
136 * The length_selector argument is interpreted as follows:
137 * - if it's -1, the plaintext length is 0 and minimal padding is applied
138 * - if it's -2, the plaintext length is 0 and maximal padding is applied
139 * - otherwise it must be in [0, 255] and is padding_length from RFC 5246:
140 * it's the length of the rest of the padding, that is, excluding the
141 * byte that encodes the length. The minimal non-zero plaintext length
142 * that gives this padding_length is automatically selected.
143 */
144 mbedtls_ssl_context ssl; /* ONLY for debugging */
145 mbedtls_ssl_transform t0, t1;
146 mbedtls_record rec, rec_save;
147 unsigned char *buf = NULL, *buf_save = NULL;
148 size_t buflen, olen = 0;
149 size_t plaintext_len, block_size, i;
150 unsigned char padlen; /* excluding the padding_length byte */
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]151 int exp_ret;
152 int ret;
153 const unsigned char pad_max_len = 255; /* Per the standard */
154
155 mbedtls_ssl_init(&ssl);
156 mbedtls_ssl_transform_init(&t0);
157 mbedtls_ssl_transform_init(&t1);
158 MD_OR_USE_PSA_INIT();
159
160 /* Set up transforms with dummy keys */
161 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
162 0, trunc_hmac,
163 MBEDTLS_SSL_VERSION_TLS1_2,
164 0, 0);
165
166 TEST_ASSERT(ret == 0);
167
168 /* Determine padding/plaintext length */
169 TEST_ASSERT(length_selector >= -2 && length_selector <= 255);
170 block_size = t0.ivlen;
171 if (length_selector < 0) {
172 plaintext_len = 0;
173
174 /* Minimal padding
175 * The +1 is for the padding_length byte, not counted in padlen. */
176 padlen = block_size - (t0.maclen + 1) % block_size;
177
178 /* Maximal padding? */
179 if (length_selector == -2) {
180 padlen += block_size * ((pad_max_len - padlen) / block_size);
181 }
182 } else {
183 padlen = length_selector;
184
185 /* Minimal non-zero plaintext_length giving desired padding.
186 * The +1 is for the padding_length byte, not counted in padlen. */
187 plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size;
188 }
189
190 /* Prepare a buffer for record data */
191 buflen = block_size
192 + plaintext_len
193 + t0.maclen
194 + padlen + 1;
195 TEST_CALLOC(buf, buflen);
196 TEST_CALLOC(buf_save, buflen);
197
198 /* Prepare a dummy record header */
199 memset(rec.ctr, 0, sizeof(rec.ctr));
200 rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
201 mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM,
202 MBEDTLS_SSL_VERSION_TLS1_2);
203#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
204 rec.cid_len = 0;
205#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
206
207 /* Prepare dummy record content */
208 rec.buf = buf;
209 rec.buf_len = buflen;
210 rec.data_offset = block_size;
211 rec.data_len = plaintext_len;
212 memset(rec.buf + rec.data_offset, 42, rec.data_len);
213
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]214 /* Set dummy IV */
215 memset(t0.iv_enc, 0x55, t0.ivlen);
216 memcpy(rec.buf, t0.iv_enc, t0.ivlen);
217
218 /*
219 * Prepare a pre-encryption record (with MAC and padding), and save it.
220 */
Gilles Peskine9099d3f2023-09-18 13:11:50 +0200[diff] [blame]221 TEST_EQUAL(0, mbedtls_test_ssl_prepare_record_mac(&rec, &t0));
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]222
223 /* Pad */
224 memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1);
225 rec.data_len += padlen + 1;
226
227 /* Save correct pre-encryption record */
228 rec_save = rec;
229 rec_save.buf = buf_save;
230 memcpy(buf_save, buf, buflen);
231
232 /*
233 * Encrypt and decrypt the correct record, expecting success
234 */
235 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
236 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
237 rec.data_len, rec.buf + rec.data_offset, &olen));
238 rec.data_offset -= t0.ivlen;
239 rec.data_len += t0.ivlen;
240
241 TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
242
243 /*
244 * Modify each byte of the pre-encryption record before encrypting and
245 * decrypting it, expecting failure every time.
246 */
247 for (i = block_size; i < buflen; i++) {
248 mbedtls_test_set_step(i);
249
250 /* Restore correct pre-encryption record */
251 rec = rec_save;
252 rec.buf = buf;
253 memcpy(buf, buf_save, buflen);
254
255 /* Corrupt one byte of the data (could be plaintext, MAC or padding) */
256 rec.buf[i] ^= 0x01;
257
258 /* Encrypt */
259 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
260 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
261 rec.data_len, rec.buf + rec.data_offset, &olen));
262 rec.data_offset -= t0.ivlen;
263 rec.data_len += t0.ivlen;
264
265 /* Decrypt and expect failure */
266 TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC,
267 mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
268 }
269
270 /*
271 * Use larger values of the padding bytes - with small buffers, this tests
272 * the case where the announced padlen would be larger than the buffer
273 * (and before that, than the buffer minus the size of the MAC), to make
274 * sure our padding checking code does not perform any out-of-bounds reads
275 * in this case. (With larger buffers, ie when the plaintext is long or
276 * maximal length padding is used, this is less relevant but still doesn't
277 * hurt to test.)
278 *
279 * (Start the loop with correct padding, just to double-check that record
280 * saving did work, and that we're overwriting the correct bytes.)
281 */
282 for (i = padlen; i <= pad_max_len; i++) {
283 mbedtls_test_set_step(i);
284
285 /* Restore correct pre-encryption record */
286 rec = rec_save;
287 rec.buf = buf;
288 memcpy(buf, buf_save, buflen);
289
290 /* Set padding bytes to new value */
291 memset(buf + buflen - padlen - 1, i, padlen + 1);
292
293 /* Encrypt */
294 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
295 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
296 rec.data_len, rec.buf + rec.data_offset, &olen));
297 rec.data_offset -= t0.ivlen;
298 rec.data_len += t0.ivlen;
299
300 /* Decrypt and expect failure except the first time */
301 exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
302 TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
303 }
304
305exit:
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]306 mbedtls_ssl_free(&ssl);
307 mbedtls_ssl_transform_free(&t0);
308 mbedtls_ssl_transform_free(&t1);
309 mbedtls_free(buf);
310 mbedtls_free(buf_save);
311 MD_OR_USE_PSA_DONE();
312}
313/* END_CASE */