From a16f9d3366a4b4e8c8014bbf39b86baaf1a04047 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 26 Jul 2022 12:44:28 +0100
Subject: [PATCH] Update the tls13encryptiontest for new read record layer

The tls13encryption is an internal test that reaches inside libssl to test encryption/decryption of records. It needs to be amended for the new code structure so that it is testing the equivalent things as before.

Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18132)
---
 ssl/record/methods/tls_common.c | 95 +++++++++++++++++++--------------
 test/tls13encryptiontest.c | 34 +++++++-----
 2 files changed, 75 insertions(+), 54 deletions(-)

diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index 8dace6c21a7..4d6cc781e35 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -1045,35 +1045,46 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 }
 
 /* Loop through all the settings since they must all be understood */
- for (p = settings; p->key != NULL; p++) {
- if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
- if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
- goto err;
- }
- } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
- if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
- goto err;
- }
- } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
- if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
- goto err;
- }
- } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
- if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
- goto err;
- }
- } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
- if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_FAILED_TO_GET_PARAMETER);
+ if (settings != NULL) {
+ for (p = settings; p->key != NULL; p++) {
+ if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_USE_ETM) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->use_etm)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_FRAG_LEN) == 0) {
+ if (!OSSL_PARAM_get_uint(p, &rl->max_frag_len)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_MAX_EARLY_DATA) == 0) {
+ if (!OSSL_PARAM_get_uint32(p, &rl->max_early_data)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key,
+ OSSL_LIBSSL_RECORD_LAYER_PARAM_STREAM_MAC) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->stream_mac)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else if (strcmp(p->key, OSSL_LIBSSL_RECORD_LAYER_PARAM_TLSTREE) == 0) {
+ if (!OSSL_PARAM_get_int(p, &rl->tlstree)) {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_FAILED_TO_GET_PARAMETER);
+ goto err;
+ }
+ } else {
+ RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR,
+ SSL_R_UNKNOWN_MANDATORY_PARAMETER);
 goto err;
 }
- } else {
- RLAYERfatal(rl, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_MANDATORY_PARAMETER);
- goto err;
 }
 }
 
@@ -1115,20 +1126,22 @@ tls_int_new_record_layer(OSSL_LIB_CTX *libctx, const char *propq, int vers,
 rl->next = next;
 rl->cbarg = cbarg;
 
- for (; fns->function_id != 0; fns++) {
- switch (fns->function_id) {
- case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
- rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
- break;
- case OSSL_FUNC_RLAYER_MSG_CALLBACK:
- rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
- break;
- case OSSL_FUNC_RLAYER_SECURITY:
- rl->security = OSSL_FUNC_rlayer_security(fns);
- break;
- default:
- /* Just ignore anything we don't understand */
- break;
+ if (fns != NULL) {
+ for (; fns->function_id != 0; fns++) {
+ switch (fns->function_id) {
+ case OSSL_FUNC_RLAYER_SKIP_EARLY_DATA:
+ rl->skip_early_data = OSSL_FUNC_rlayer_skip_early_data(fns);
+ break;
+ case OSSL_FUNC_RLAYER_MSG_CALLBACK:
+ rl->msg_callback = OSSL_FUNC_rlayer_msg_callback(fns);
+ break;
+ case OSSL_FUNC_RLAYER_SECURITY:
+ rl->security = OSSL_FUNC_rlayer_security(fns);
+ break;
+ default:
+ /* Just ignore anything we don't understand */
+ break;
+ }
 }
 }
 
diff --git a/test/tls13encryptiontest.c b/test/tls13encryptiontest.c
index 0ce5ee1328b..a29e238a84d 100644
--- a/test/tls13encryptiontest.c
+++ b/test/tls13encryptiontest.c
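Review bot: The new `if (settings != NULL)` guard makes a missing settings list silently acceptable while an unrecognised key in a present list is still fatal with SSL_R_UNKNOWN_MANDATORY_PARAMETER, and the comment above the loop does not say that asymmetry is intended. With a NULL list, use_etm, max_frag_len, max_early_data, stream_mac and tlstree keep whatever value rl held before this loop — presumably zero if rl comes from a zeroing allocation, which this hunk does not show — and that is the behaviour the new test in this patch relies on. I would extend the comment to `/* settings may be NULL (e.g. internal tests); then every parameter keeps its initial value in rl */`. tls_int_new_record_layer begins before and ends after this hunk.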
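Review bot: Accepting `fns == NULL` leaves rl->skip_early_data, rl->msg_callback and rl->security at whatever they held before the loop, so every site that invokes these function pointers must tolerate them being unset; the hunk adds no such check and the call sites are not visible from here. If rl is zero-initialised (not shown in this diff) the pointers are NULL rather than indeterminate, which is the safe case, but it deserves a line such as `/* fns may be NULL; callbacks not supplied stay unset and callers must NULL-check them */` above the guard. tls_int_new_record_layer begins before and ends after this hunk.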
@@ -11,6 +11,8 @@
 #include
 #include "../ssl/ssl_local.h"
 #include "../ssl/record/record_local.h"
+#include "../ssl/record/recordmethod.h"
+#include "../ssl/record/methods/recmethod_local.h"
 #include "internal/nelem.h"
 #include "testutil.h"
 
@@ -306,11 +308,14 @@ static int test_tls13_encryption(void)
 SSL_CTX *ctx = NULL;
 SSL *ssl = NULL;
 SSL3_RECORD rec;
- unsigned char *key = NULL, *iv = NULL, *seq = NULL;
+ unsigned char *key = NULL;
 const EVP_CIPHER *ciph = EVP_aes_128_gcm();
 int ret = 0;
 size_t ivlen, ctr;
 SSL_CONNECTION *s;
+ unsigned char seqbuf[SEQ_NUM_SIZE];
+ unsigned char iv[EVP_MAX_IV_LENGTH];
+ OSSL_RECORD_LAYER *rl;
 
 /*
 * Encrypted TLSv1.3 records always have an outer content type of
@@ -349,16 +354,14 @@ static int test_tls13_encryption(void)
 for (ctr = 0; ctr < OSSL_NELEM(refdata); ctr++) {
 /* Load the record */
 ivlen = EVP_CIPHER_get_iv_length(ciph);
- if (!load_record(&rec, &refdata[ctr], &key, s->read_iv, ivlen,
- RECORD_LAYER_get_read_sequence(&s->rlayer))) {
+ if (!load_record(&rec, &refdata[ctr], &key, iv, ivlen, seqbuf)) {
 TEST_error("Failed loading key into EVP_CIPHER_CTX");
 goto err;
 }
 
 /* Set up the read/write sequences */
- memcpy(RECORD_LAYER_get_write_sequence(&s->rlayer),
- RECORD_LAYER_get_read_sequence(&s->rlayer), SEQ_NUM_SIZE);
- memcpy(s->write_iv, s->read_iv, ivlen);
+ memcpy(RECORD_LAYER_get_write_sequence(&s->rlayer), seqbuf, sizeof(seqbuf));
+ memcpy(s->write_iv, iv, ivlen);
 
 /* Load the key into the EVP_CIPHER_CTXs */
 if (EVP_CipherInit_ex(s->enc_write_ctx, ciph, NULL, key, NULL, 1) <= 0
@@ -378,8 +381,18 @@ static int test_tls13_encryption(void)
 goto err;
 }
 
+ if (!TEST_true(ossl_tls_record_method.new_record_layer(
+ NULL, NULL, TLS1_3_VERSION, OSSL_RECORD_ROLE_SERVER,
+ OSSL_RECORD_DIRECTION_READ,
+ OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 0, key, 16,
+ iv, ivlen, NULL, 0, EVP_aes_128_gcm(),
+ EVP_GCM_TLS_TAG_LEN, 0, NULL, NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL, NULL, &rl))) {
+ goto err;
+ }
+ memcpy(rl->sequence, seqbuf, sizeof(seqbuf));
 /* Decrypt it */
- if (!TEST_int_eq(tls13_enc(s, &rec, 1, 0, NULL, 0), 1)) {
+ if (!TEST_int_eq(rl->funcs->cipher(rl, &rec, 1, 0, NULL, 0), 1)) {
 TEST_info("Failed to decrypt record %zu", ctr);
 goto err;
 }
@@ -388,14 +401,11 @@ static int test_tls13_encryption(void)
 goto err;
 }
 
+ ossl_tls_record_method.free(rl);
 OPENSSL_free(rec.data);
 OPENSSL_free(key);
- OPENSSL_free(iv);
- OPENSSL_free(seq);
 rec.data = NULL;
 key = NULL;
- iv = NULL;
- seq = NULL;
 }
 
 TEST_note("PASS: %zu records tested", ctr);
@@ -404,8 +414,6 @@ static int test_tls13_encryption(void)
 err:
 OPENSSL_free(rec.data);
 OPENSSL_free(key);
- OPENSSL_free(iv);
- OPENSSL_free(seq);
 SSL_free(ssl);
 SSL_CTX_free(ctx);
 return ret;
-- 
2.47.2
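Review bot: The record layer obtained from `ossl_tls_record_method.new_record_layer` is leaked on every failure after it: the `goto err` taken when `rl->funcs->cipher` fails, and the `goto err` that opens the next hunk, both land on an `err:` label that frees rec.data, key, ssl and ctx but never rl, which is released only on the success path inside the loop. Because `rl` is declared without an initialiser in the earlier hunk, the fix is three lines: declare it as `OSSL_RECORD_LAYER *rl = NULL;`, add `rl = NULL;` immediately after the in-loop `ossl_tls_record_method.free(rl);`, and add `ossl_tls_record_method.free(rl);` under `err:` — assuming that free accepts NULL as OPENSSL_free does; if it does not, guard it with `if (rl != NULL)`. As a matter of style, the hard-coded key length `16` and the second `EVP_aes_128_gcm()` call could be `EVP_CIPHER_get_key_length(ciph)` and `ciph`, matching how ivlen is already derived from the same cipher. test_tls13_encryption begins before this hunk.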