From 0d2982be13f6920b965ffa7a77c01557ee4cf332 Mon Sep 17 00:00:00 2001
From: Andrzej Kurek
Date: Tue, 18 Oct 2022 07:55:46 -0400
Subject: [PATCH] Refactor ssl test suite to use pointers more
This way it's easier to track structures that are partially set up.
Signed-off-by: Andrzej Kurek
---
 tests/suites/test_suite_ssl.function | 102 ++++++++++++++++++---------
 1 file changed, 69 insertions(+), 33 deletions(-)
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index a1e660f28..606072af3 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -734,9 +734,9 @@ int mbedtls_mock_tcp_recv_msg( void *ctx, unsigned char *buf, size_t buf_len )
 */
 typedef struct mbedtls_endpoint_certificate
 {
- mbedtls_x509_crt ca_cert;
- mbedtls_x509_crt cert;
- mbedtls_pk_context pkey;
+ mbedtls_x509_crt* ca_cert;
+ mbedtls_x509_crt* cert;
+ mbedtls_pk_context* pkey;
 } mbedtls_endpoint_certificate;
 /*
@@ -753,6 +753,42 @@ typedef struct mbedtls_endpoint
 mbedtls_endpoint_certificate cert;
 } mbedtls_endpoint;
+/*
+ * Deinitializes certificates from endpoint represented by \p ep.
+ */
+void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep )
+{
+ mbedtls_endpoint_certificate *cert = &( ep->cert );
+ if( cert != NULL )
+ {
+ if( cert->ca_cert != NULL )
+ {
+ mbedtls_x509_crt_free( cert->ca_cert );
+ mbedtls_free( cert->ca_cert );
+ cert->ca_cert = NULL;
+ }
+ if( cert->cert != NULL )
+ {
+ mbedtls_x509_crt_free( cert->cert );
+ mbedtls_free( cert->cert );
+ cert->cert = NULL;
+ }
+ if( cert->pkey != NULL )
+ {
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ if( mbedtls_pk_get_type( cert->pkey ) == MBEDTLS_PK_OPAQUE )
+ {
+ mbedtls_svc_key_id_t *key_slot = cert->pkey->pk_ctx;
+ psa_destroy_key( *key_slot );
+ }
+#endif
+ mbedtls_pk_free( cert->pkey );
+ mbedtls_free( cert->pkey );
+ cert->pkey = NULL;
+ }
+ }
+}
+
 /*
 * Initializes \p ep_cert structure and assigns it to endpoint
 * represented by \p ep.
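Review bot: In the new mbedtls_endpoint_certificate_free(), the `if( cert != NULL )` guard can never be false, because `cert` is the address of a member (`&( ep->cert )`); a NULL `ep` would still be dereferenced by the field reads that follow. If a NULL endpoint is meant to be tolerated, test the argument before taking the member address: `if( ep == NULL ) return;`. In the MBEDTLS_PK_OPAQUE branch the status of `psa_destroy_key( *key_slot )` is discarded, so a key left behind in the PSA store would go unnoticed; a comment such as `/* Best-effort cleanup: the destroy status is not checked. */` would at least make that deliberate.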
@@ -763,7 +799,7 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
 {
 int i = 0;
 int ret = -1;
- mbedtls_endpoint_certificate *cert;
+ mbedtls_endpoint_certificate *cert = NULL;
 if( ep == NULL )
 {
@@ -771,15 +807,19 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
 }
 cert = &( ep->cert );
- mbedtls_x509_crt_init( &( cert->ca_cert ) );
- mbedtls_x509_crt_init( &( cert->cert ) );
- mbedtls_pk_init( &( cert->pkey ) );
+ cert->ca_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
+ cert->cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
+ cert->pkey = mbedtls_calloc( 1, sizeof(mbedtls_pk_context) );
+
+ mbedtls_x509_crt_init( cert->ca_cert );
+ mbedtls_x509_crt_init( cert->cert );
+ mbedtls_pk_init( cert->pkey );
 /* Load the trusted CA */
 for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ )
 {
- ret = mbedtls_x509_crt_parse_der( &( cert->ca_cert ),
+ ret = mbedtls_x509_crt_parse_der( cert->ca_cert,
 (const unsigned char *) mbedtls_test_cas_der[i],
 mbedtls_test_cas_der_len[i] );
 TEST_ASSERT( ret == 0 );
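Review bot: The three `mbedtls_calloc()` results are handed straight to `mbedtls_x509_crt_init()` and `mbedtls_pk_init()` without a NULL check, so an allocation failure becomes a NULL dereference rather than a reported test failure. Adding `TEST_ASSERT( cert->ca_cert != NULL );` (and the same for `cert->cert` and `cert->pkey`) once all three pointers have been assigned would route the failure to the `exit:` label, which lies outside this hunk and, per a later hunk, calls mbedtls_endpoint_certificate_free(), which already copes with partially set pointers. The fields are also overwritten unconditionally, so a second call on the same endpoint would leak the first set of objects; a short comment stating that the endpoint must not already hold certificates would make that precondition explicit.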
@@ -791,24 +831,24 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
 {
 if( pk_alg == MBEDTLS_PK_RSA )
 {
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ ret = mbedtls_x509_crt_parse( cert->cert,
 (const unsigned char*) mbedtls_test_srv_crt_rsa_sha256_der,
 mbedtls_test_srv_crt_rsa_sha256_der_len );
 TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ ret = mbedtls_pk_parse_key( cert->pkey,
 (const unsigned char*) mbedtls_test_srv_key_rsa_der,
 mbedtls_test_srv_key_rsa_der_len, NULL, 0 );
 TEST_ASSERT( ret == 0 );
 }
 else
 {
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ ret = mbedtls_x509_crt_parse( cert->cert,
 (const unsigned char*) mbedtls_test_srv_crt_ec_der,
 mbedtls_test_srv_crt_ec_der_len );
 TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ ret = mbedtls_pk_parse_key( cert->pkey,
 (const unsigned char*) mbedtls_test_srv_key_ec_der,
 mbedtls_test_srv_key_ec_der_len, NULL, 0 );
 TEST_ASSERT( ret == 0 );
@@ -818,42 +858,40 @@ int mbedtls_endpoint_certificate_init( mbedtls_endpoint *ep, int pk_alg )
 {
 if( pk_alg == MBEDTLS_PK_RSA )
 {
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ ret = mbedtls_x509_crt_parse( cert->cert,
 (const unsigned char *) mbedtls_test_cli_crt_rsa_der,
 mbedtls_test_cli_crt_rsa_der_len );
 TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ ret = mbedtls_pk_parse_key( cert->pkey,
 (const unsigned char *) mbedtls_test_cli_key_rsa_der,
 mbedtls_test_cli_key_rsa_der_len, NULL, 0 );
 TEST_ASSERT( ret == 0 );
 }
 else
 {
- ret = mbedtls_x509_crt_parse( &( cert->cert ),
+ ret = mbedtls_x509_crt_parse( cert->cert,
 (const unsigned char *) mbedtls_test_cli_crt_ec_der,
 mbedtls_test_cli_crt_ec_len );
 TEST_ASSERT( ret == 0 );
- ret = mbedtls_pk_parse_key( &( cert->pkey ),
+ ret = mbedtls_pk_parse_key( cert->pkey,
 (const unsigned char *) mbedtls_test_cli_key_ec_der,
 mbedtls_test_cli_key_ec_der_len, NULL, 0 );
 TEST_ASSERT( ret == 0 );
 }
 }
- mbedtls_ssl_conf_ca_chain( &( ep->conf ), &( cert->ca_cert ), NULL );
+ mbedtls_ssl_conf_ca_chain( &( ep->conf ), cert->ca_cert, NULL );
- ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), &( cert->cert ),
- &( cert->pkey ) );
+ ret = mbedtls_ssl_conf_own_cert( &( ep->conf ), cert->cert,
+ cert->pkey );
 TEST_ASSERT( ret == 0 );
 exit:
 if( ret != 0 )
 {
- mbedtls_x509_crt_free( &( cert->ca_cert ) );
- mbedtls_x509_crt_free( &( cert->cert ) );
- mbedtls_pk_free( &( cert->pkey ) );
+ mbedtls_endpoint_certificate_free( ep );
 }
 return ret;
@@ -959,17 +997,6 @@ exit:
 return ret;
 }
-/*
- * Deinitializes certificates from endpoint represented by \p ep.
- */
-void mbedtls_endpoint_certificate_free( mbedtls_endpoint *ep )
-{
- mbedtls_endpoint_certificate *cert = &( ep->cert );
- mbedtls_x509_crt_free( &( cert->ca_cert ) );
- mbedtls_x509_crt_free( &( cert->cert ) );
- mbedtls_pk_free( &( cert->pkey ) );
-}
-
 /*
 * Deinitializes endpoint represented by \p ep.
 */
@@ -1709,6 +1736,10 @@ void perform_handshake( handshake_test_options* options )
 #endif
 int expected_handshake_result = 0;
+ USE_PSA_INIT( );
+ mbedtls_platform_zeroize( &client, sizeof(client) );
+ mbedtls_platform_zeroize( &server, sizeof(server) );
+
 mbedtls_test_message_queue server_queue, client_queue;
 mbedtls_test_message_socket_context server_context, client_context;
 mbedtls_message_socket_init( &server_context );
@@ -4185,6 +4216,9 @@ void move_handshake_to_state(int endpoint_type, int state, int need_pass)
 mbedtls_endpoint base_ep, second_ep;
 int ret = -1;
+ mbedtls_platform_zeroize( &base_ep, sizeof(base_ep) );
+ mbedtls_platform_zeroize( &second_ep, sizeof(second_ep) );
+
 ret = mbedtls_endpoint_init( &base_ep, endpoint_type, MBEDTLS_PK_RSA,
 NULL, NULL, NULL, NULL );
 TEST_ASSERT( ret == 0 );
@@ -4571,6 +4605,8 @@ void raw_key_agreement_fail( int bad_server_ecdhe_key )
 mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP256R1,
 MBEDTLS_ECP_DP_NONE };
 USE_PSA_INIT( );
+ mbedtls_platform_zeroize( &client, sizeof(client) );
+ mbedtls_platform_zeroize( &server, sizeof(server) );
 /* Client side, force SECP256R1 to make one key bitflip fail
 * the raw key agreement. Flipping the first byte makes the
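Review bot: The `mbedtls_platform_zeroize()` calls added in perform_handshake (and likewise in move_handshake_to_state and raw_key_agreement_fail below) rely on an invariant that is not written down anywhere: mbedtls_endpoint_certificate_free() now decides what to release by testing the certificate pointers for NULL, so every mbedtls_endpoint has to be zeroed before its first use. Any other function that declares an endpoint on the stack and is not touched by this diff would hand uninitialised pointers to `mbedtls_free()` on an early-exit path, which is worth checking across the file. A comment above the calls, for example `/* Endpoints must start zeroed: the free path tests the certificate pointers for NULL. */`, would record the reason. Since this is initialisation rather than wiping of secrets, `memset( &client, 0, sizeof( client ) )` would state the intent more directly than the zeroize primitive.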