TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / ac5fabed25375dec26e7b764e16d607ec6a3f4f1 / . / tests / suites / test_suite_ssl_decrypt.function
blob: 01cee618bfdc8ff007902b1bb1710f86cac66b22 [file] [log] [blame]
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]1/* BEGIN_HEADER */
2/* Testing of mbedtls_ssl_decrypt_buf() specifically, focusing on negative
3 * testing (using malformed inputs). */
4
5#include <mbedtls/ssl.h>
6#include <ssl_misc.h>
7#include <test/ssl_helpers.h>
8
9/* END_HEADER */
10
11/* BEGIN_DEPENDENCIES
12 * depends_on:MBEDTLS_SSL_TLS_C
13 * END_DEPENDENCIES
14 */
15
16/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_SSL_PROTO_TLS1_2 */
17void ssl_decrypt_non_etm_cbc(int cipher_type, int hash_id, int trunc_hmac,
18 int length_selector)
19{
20 /*
21 * Test record decryption for CBC without EtM, focused on the verification
22 * of padding and MAC.
23 *
24 * Actually depends on TLS 1.2 and either AES, ARIA or Camellia, but since
25 * the test framework doesn't support alternation in dependency statements,
26 * just depend on AES.
27 *
28 * The length_selector argument is interpreted as follows:
29 * - if it's -1, the plaintext length is 0 and minimal padding is applied
30 * - if it's -2, the plaintext length is 0 and maximal padding is applied
31 * - otherwise it must be in [0, 255] and is padding_length from RFC 5246:
32 * it's the length of the rest of the padding, that is, excluding the
33 * byte that encodes the length. The minimal non-zero plaintext length
34 * that gives this padding_length is automatically selected.
35 */
36 mbedtls_ssl_context ssl; /* ONLY for debugging */
37 mbedtls_ssl_transform t0, t1;
38 mbedtls_record rec, rec_save;
39 unsigned char *buf = NULL, *buf_save = NULL;
40 size_t buflen, olen = 0;
41 size_t plaintext_len, block_size, i;
42 unsigned char padlen; /* excluding the padding_length byte */
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]43#if defined(MBEDTLS_USE_PSA_CRYPTO)
44 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]45#endif
46 int exp_ret;
47 int ret;
48 const unsigned char pad_max_len = 255; /* Per the standard */
49
50 mbedtls_ssl_init(&ssl);
51 mbedtls_ssl_transform_init(&t0);
52 mbedtls_ssl_transform_init(&t1);
53 MD_OR_USE_PSA_INIT();
54
55 /* Set up transforms with dummy keys */
56 ret = mbedtls_test_ssl_build_transforms(&t0, &t1, cipher_type, hash_id,
57 0, trunc_hmac,
58 MBEDTLS_SSL_VERSION_TLS1_2,
59 0, 0);
60
61 TEST_ASSERT(ret == 0);
62
63 /* Determine padding/plaintext length */
64 TEST_ASSERT(length_selector >= -2 && length_selector <= 255);
65 block_size = t0.ivlen;
66 if (length_selector < 0) {
67 plaintext_len = 0;
68
69 /* Minimal padding
70 * The +1 is for the padding_length byte, not counted in padlen. */
71 padlen = block_size - (t0.maclen + 1) % block_size;
72
73 /* Maximal padding? */
74 if (length_selector == -2) {
75 padlen += block_size * ((pad_max_len - padlen) / block_size);
76 }
77 } else {
78 padlen = length_selector;
79
80 /* Minimal non-zero plaintext_length giving desired padding.
81 * The +1 is for the padding_length byte, not counted in padlen. */
82 plaintext_len = block_size - (padlen + t0.maclen + 1) % block_size;
83 }
84
85 /* Prepare a buffer for record data */
86 buflen = block_size
87 + plaintext_len
88 + t0.maclen
89 + padlen + 1;
90 TEST_CALLOC(buf, buflen);
91 TEST_CALLOC(buf_save, buflen);
92
93 /* Prepare a dummy record header */
94 memset(rec.ctr, 0, sizeof(rec.ctr));
95 rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
96 mbedtls_ssl_write_version(rec.ver, MBEDTLS_SSL_TRANSPORT_STREAM,
97 MBEDTLS_SSL_VERSION_TLS1_2);
98#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
99 rec.cid_len = 0;
100#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
101
102 /* Prepare dummy record content */
103 rec.buf = buf;
104 rec.buf_len = buflen;
105 rec.data_offset = block_size;
106 rec.data_len = plaintext_len;
107 memset(rec.buf + rec.data_offset, 42, rec.data_len);
108
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]109 /* Set dummy IV */
110 memset(t0.iv_enc, 0x55, t0.ivlen);
111 memcpy(rec.buf, t0.iv_enc, t0.ivlen);
112
113 /*
114 * Prepare a pre-encryption record (with MAC and padding), and save it.
115 */
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]116 mbedtls_ssl_transform *transform_out = &t0;
117 mbedtls_record *record = &rec;
118
119 /* Serialized version of record header for MAC purposes */
120 unsigned char add_data[13];
121 memcpy(add_data, record->ctr, 8);
122 add_data[8] = record->type;
123 add_data[9] = record->ver[0];
124 add_data[10] = record->ver[1];
125 add_data[11] = (record->data_len >> 8) & 0xff;
126 add_data[12] = (record->data_len >> 0) & 0xff;
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]127
128 /* MAC with additional data */
129#if defined(MBEDTLS_USE_PSA_CRYPTO)
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]130 size_t sign_mac_length = 0;
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]131 TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation,
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]132 transform_out->psa_mac_enc,
133 transform_out->psa_mac_alg));
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]134 TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data, 13));
135 TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation,
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]136 record->buf + record->data_offset,
137 record->data_len));
138 /* Use a temporary buffer for the MAC, because with the truncated HMAC
139 * extension, there might not be enough room in the record for the
140 * full-length MAC. */
141 unsigned char mac[PSA_HASH_MAX_SIZE];
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]142 TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation,
143 mac, sizeof(mac),
144 &sign_mac_length));
145#else
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]146 TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13));
147 TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc,
148 record->buf + record->data_offset,
149 record->data_len));
150 /* Use a temporary buffer for the MAC, because with the truncated HMAC
151 * extension, there might not be enough room in the record for the
152 * full-length MAC. */
153 unsigned char mac[MBEDTLS_MD_MAX_SIZE];
154 TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac));
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]155#endif
Gilles Peskineac5fabe2023-09-18 13:05:35 +0200[diff] [blame^]156 memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen);
157 record->data_len += transform_out->maclen;
Gilles Peskinea3237ef2023-09-18 14:23:13 +0200[diff] [blame]158
159 /* Pad */
160 memset(rec.buf + rec.data_offset + rec.data_len, padlen, padlen + 1);
161 rec.data_len += padlen + 1;
162
163 /* Save correct pre-encryption record */
164 rec_save = rec;
165 rec_save.buf = buf_save;
166 memcpy(buf_save, buf, buflen);
167
168 /*
169 * Encrypt and decrypt the correct record, expecting success
170 */
171 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
172 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
173 rec.data_len, rec.buf + rec.data_offset, &olen));
174 rec.data_offset -= t0.ivlen;
175 rec.data_len += t0.ivlen;
176
177 TEST_EQUAL(0, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
178
179 /*
180 * Modify each byte of the pre-encryption record before encrypting and
181 * decrypting it, expecting failure every time.
182 */
183 for (i = block_size; i < buflen; i++) {
184 mbedtls_test_set_step(i);
185
186 /* Restore correct pre-encryption record */
187 rec = rec_save;
188 rec.buf = buf;
189 memcpy(buf, buf_save, buflen);
190
191 /* Corrupt one byte of the data (could be plaintext, MAC or padding) */
192 rec.buf[i] ^= 0x01;
193
194 /* Encrypt */
195 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
196 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
197 rec.data_len, rec.buf + rec.data_offset, &olen));
198 rec.data_offset -= t0.ivlen;
199 rec.data_len += t0.ivlen;
200
201 /* Decrypt and expect failure */
202 TEST_EQUAL(MBEDTLS_ERR_SSL_INVALID_MAC,
203 mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
204 }
205
206 /*
207 * Use larger values of the padding bytes - with small buffers, this tests
208 * the case where the announced padlen would be larger than the buffer
209 * (and before that, than the buffer minus the size of the MAC), to make
210 * sure our padding checking code does not perform any out-of-bounds reads
211 * in this case. (With larger buffers, ie when the plaintext is long or
212 * maximal length padding is used, this is less relevant but still doesn't
213 * hurt to test.)
214 *
215 * (Start the loop with correct padding, just to double-check that record
216 * saving did work, and that we're overwriting the correct bytes.)
217 */
218 for (i = padlen; i <= pad_max_len; i++) {
219 mbedtls_test_set_step(i);
220
221 /* Restore correct pre-encryption record */
222 rec = rec_save;
223 rec.buf = buf;
224 memcpy(buf, buf_save, buflen);
225
226 /* Set padding bytes to new value */
227 memset(buf + buflen - padlen - 1, i, padlen + 1);
228
229 /* Encrypt */
230 TEST_EQUAL(0, mbedtls_test_psa_cipher_encrypt_helper(
231 &t0, t0.iv_enc, t0.ivlen, rec.buf + rec.data_offset,
232 rec.data_len, rec.buf + rec.data_offset, &olen));
233 rec.data_offset -= t0.ivlen;
234 rec.data_len += t0.ivlen;
235
236 /* Decrypt and expect failure except the first time */
237 exp_ret = (i == padlen) ? 0 : MBEDTLS_ERR_SSL_INVALID_MAC;
238 TEST_EQUAL(exp_ret, mbedtls_ssl_decrypt_buf(&ssl, &t1, &rec));
239 }
240
241exit:
242 mbedtls_ssl_free(&ssl);
243 mbedtls_ssl_transform_free(&t0);
244 mbedtls_ssl_transform_free(&t1);
245 mbedtls_free(buf);
246 mbedtls_free(buf_save);
247 MD_OR_USE_PSA_DONE();
248}
249/* END_CASE */