From nobody Mon Nov 15 20:03:51 2021 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BEF891889761; Mon, 15 Nov 2021 20:03:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HtKrl2p6jz3D6q; Mon, 15 Nov 2021 20:03:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 292B21FE40; Mon, 15 Nov 2021 20:03:51 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1AFK3ph5087745; Mon, 15 Nov 2021 20:03:51 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1AFK3pCd087744; Mon, 15 Nov 2021 20:03:51 GMT (envelope-from git) Date: Mon, 15 Nov 2021 20:03:51 GMT Message-Id: <202111152003.1AFK3pCd087744@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: John Baldwin Subject: git: 0ff2a12ae32a - main - ktls: Add tests for sending empty fragments for TLS 1.0 connections. List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 0ff2a12ae32a3a88be63f4036599c1324ce04f78 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=0ff2a12ae32a3a88be63f4036599c1324ce04f78 commit 0ff2a12ae32a3a88be63f4036599c1324ce04f78 Author: John Baldwin AuthorDate: 2021-11-15 19:27:15 +0000 Commit: John Baldwin CommitDate: 2021-11-15 19:28:12 +0000 ktls: Add tests for sending empty fragments for TLS 1.0 connections. Reviewed by: markj Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D32841 --- tests/sys/kern/ktls_test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c index bf2b81645d31..423ccf65cb0c 100644 --- a/tests/sys/kern/ktls_test.c +++ b/tests/sys/kern/ktls_test.c @@ -911,6 +911,64 @@ test_ktls_transmit_control(struct tls_enable *en, uint64_t seqno, uint8_t type, close(sockets[0]); } +static void +test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno) +{ + struct tls_record_layer *hdr; + char *outbuf; + size_t outbuf_cap, payload_len, record_len; + ssize_t rv; + int sockets[2]; + uint8_t record_type; + + outbuf_cap = tls_header_len(en) + tls_trailer_len(en); + outbuf = malloc(outbuf_cap); + hdr = (struct tls_record_layer *)outbuf; + + ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets"); + + ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en, + sizeof(*en)) == 0); + + fd_set_blocking(sockets[0]); + fd_set_blocking(sockets[1]); + + /* A write of zero bytes should send an empty fragment. */ + rv = write(sockets[1], NULL, 0); + ATF_REQUIRE(rv == 0); + + /* + * First read the header to determine how much additional data + * to read. + */ + rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer)); + ATF_REQUIRE(rv == sizeof(struct tls_record_layer)); + payload_len = ntohs(hdr->tls_length); + record_len = payload_len + sizeof(struct tls_record_layer); + ATF_REQUIRE(record_len <= outbuf_cap); + rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer), + payload_len); + ATF_REQUIRE(rv == (ssize_t)payload_len); + + rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0, + &record_type); + + ATF_REQUIRE_MSG(rv == 0, + "read %zd decrypted bytes for an empty fragment", rv); + ATF_REQUIRE(record_type == TLS_RLTYPE_APP); + + free(outbuf); + + close(sockets[1]); + close(sockets[0]); +} + +#define TLS_10_TESTS(M) \ + M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ + CRYPTO_SHA1_HMAC) \ + M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8, \ + CRYPTO_SHA1_HMAC) + #define AES_CBC_TESTS(M) \ M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8, \ CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO) \ @@ -989,6 +1047,26 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc) \ auth_alg, minor, name) \ ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name); +#define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ + key_size, auth_alg) \ +ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment); \ +ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc) \ +{ \ + struct tls_enable en; \ + uint64_t seqno; \ + \ + ATF_REQUIRE_KTLS(); \ + seqno = random(); \ + build_tls_enable(cipher_alg, key_size, auth_alg, \ + TLS_MINOR_VER_ZERO, seqno, &en); \ + test_ktls_transmit_empty_fragment(&en, seqno); \ + free_tls_enable(&en); \ +} + +#define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg, \ + key_size, auth_alg) \ + ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment); + #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg, \ minor) \ GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size, \ @@ -1103,12 +1181,19 @@ CHACHA20_TESTS(GEN_TRANSMIT_TESTS); */ AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS); +/* + * Test "empty fragments" which are TLS records with no payload that + * OpenSSL can send for TLS 1.0 connections. + */ +TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST); + ATF_TP_ADD_TCS(tp) { AES_CBC_TESTS(ADD_TRANSMIT_TESTS); AES_GCM_TESTS(ADD_TRANSMIT_TESTS); CHACHA20_TESTS(ADD_TRANSMIT_TESTS); AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS); + TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST); return (atf_no_error()); }