diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 3ba314f83..772278135 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -589,6 +589,13 @@ int mbedtls_test_ssl_exchange_data( mbedtls_ssl_context *ssl_2, int msg_len_2, const int expected_fragments_2); +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_ssl_do_handshake_with_endpoints( + mbedtls_test_ssl_endpoint *server_ep, + mbedtls_test_ssl_endpoint *client_ep, + mbedtls_ssl_protocol_version proto); +#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */ + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) void mbedtls_test_ssl_perform_handshake( mbedtls_test_handshake_test_options *options); diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index bffb35372..65ad10c6f 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -2028,6 +2028,55 @@ exit: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +int mbedtls_test_ssl_do_handshake_with_endpoints( + mbedtls_test_ssl_endpoint *server_ep, + mbedtls_test_ssl_endpoint *client_ep, + mbedtls_ssl_protocol_version proto) +{ + enum { BUFFSIZE = 1024 }; + + int ret = -1; + mbedtls_test_handshake_test_options options; + + mbedtls_test_init_handshake_options(&options); + options.server_min_version = proto; + options.client_min_version = proto; + options.server_max_version = proto; + options.client_max_version = proto; + + ret = mbedtls_test_ssl_endpoint_init(client_ep, MBEDTLS_SSL_IS_CLIENT, &options, + NULL, NULL, NULL); + if (ret != 0) { + return ret; + } + ret = mbedtls_test_ssl_endpoint_init(server_ep, MBEDTLS_SSL_IS_SERVER, &options, + NULL, NULL, NULL); + if (ret != 0) { + return ret; + } + + ret = mbedtls_test_mock_socket_connect(&client_ep->socket, &server_ep->socket, BUFFSIZE); + if (ret != 0) { + return ret; + } + + ret = mbedtls_test_move_handshake_to_state(&server_ep->ssl, &client_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + return ret; + } + ret = mbedtls_test_move_handshake_to_state(&client_ep->ssl, &server_ep->ssl, MBEDTLS_SSL_HANDSHAKE_OVER); + if (ret != 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + return ret; + } + if (!mbedtls_ssl_is_handshake_over(&client_ep->ssl) || !mbedtls_ssl_is_handshake_over(&server_ep->ssl)) { + return -1; + } + + return 0; +} +#endif /* defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) */ + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) void mbedtls_test_ssl_perform_handshake( mbedtls_test_handshake_test_options *options) diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 25cb965e8..ad0d2851f 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3334,3 +3334,67 @@ tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:3:3 TLS 1.3 srv, max early data size, HRR, 98, wsz=49 tls13_srv_max_early_data_size:TEST_EARLY_DATA_HRR:97:0 + +TLS 1.2 Keying Material Exporter: Consistent results, no context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:0 + +TLS 1.2 Keying Material Exporter: Consistent results, with context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:24:1 + +TLS 1.2 Keying Material Exporter: Consistent results, large keys +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_2:UINT16_MAX:0 + +TLS 1.2 Keying Material Exporter: Uses label +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_2 + +TLS 1.2 Keying Material Exporter: Uses context +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_2 + +TLS 1.2 Keying Material Exporter: Context too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_2:24:251:UINT16_MAX + 1 + +TLS 1.2 Keying Material Exporter: Handshake not done +depends_on:MBEDTLS_SSL_PROTO_TLS1_2 +ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_2:1:MBEDTLS_SSL_SERVER_CERTIFICATE + +TLS 1.3 Keying Material Exporter: Consistent results, no context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:0 + +TLS 1.3 Keying Material Exporter: Consistent results, with context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:24:1 + +TLS 1.3 Keying Material Exporter: Consistent results, large keys +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_consistent_result:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX:0 + +TLS 1.3 Keying Material Exporter: Uses label +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_uses_label:MBEDTLS_SSL_VERSION_TLS1_3 + +TLS 1.3 Keying Material Exporter: Uses context +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_uses_context:MBEDTLS_SSL_VERSION_TLS1_3 + +TLS 1.3 Keying Material Exporter: Uses length +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls13_exporter_uses_length + +TLS 1.3 Keying Material Exporter: Exported key too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:UINT16_MAX + 1:20:20 + +TLS 1.3 Keying Material Exporter: Label too long +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_rejects_bad_parameters:MBEDTLS_SSL_VERSION_TLS1_3:24:251:10 + +TLS 1.3 Keying Material Exporter: Handshake not done +depends_on:MBEDTLS_SSL_PROTO_TLS1_3 +ssl_tls_exporter_too_early:MBEDTLS_SSL_VERSION_TLS1_3:1:MBEDTLS_SSL_SERVER_CERTIFICATE diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ab61e0346..33012493e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1695,7 +1695,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3 */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ void ssl_tls13_exporter(int hash_alg, data_t *secret, char *label, @@ -5229,5 +5229,234 @@ exit: mbedtls_debug_set_threshold(0); mbedtls_free(first_frag); PSA_DONE(); +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_consistent_result(int proto, int exported_key_length, int use_context) +{ + /* Test that the client and server generate the same key. */ + + int ret = -1; + uint8_t *key_buffer_server = NULL; + uint8_t *key_buffer_client = NULL; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + TEST_ASSERT(exported_key_length > 0); + TEST_CALLOC(key_buffer_server, exported_key_length); + TEST_CALLOC(key_buffer_client, exported_key_length); + + char label[] = "test-label"; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, (size_t)exported_key_length, + label, sizeof(label), + context, sizeof(context), use_context); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, (size_t)exported_key_length, + label, sizeof(label), + context, sizeof(context), use_context); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, (size_t)exported_key_length) == 0); + +exit: + MD_OR_USE_PSA_DONE(); + mbedtls_free(key_buffer_server); + mbedtls_free(key_buffer_client); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_uses_label(int proto) +{ + /* Test that the client and server export different keys when using different labels. */ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + char label_server[] = "test-label-server"; + char label_client[] = "test-label-client"; + uint8_t key_buffer_server[24] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label_server, sizeof(label_server), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label_client, sizeof(label_client), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_uses_context(int proto) +{ + /* Test that the client and server export different keys when using different contexts. */ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + char label[] = "test-label"; + uint8_t key_buffer_server[24] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context_server[128] = { 0 }; + unsigned char context_client[128] = { 23 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label, sizeof(label), + context_server, sizeof(context_server), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label, sizeof(label), + context_client, sizeof(context_client), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls13_exporter_uses_length(void) +{ + /* In TLS 1.3, when two keys are exported with the same parameters except one is shorter, + * the shorter key should NOT be a prefix of the longer one. */ + + int ret = -1; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, MBEDTLS_SSL_VERSION_TLS1_3); + TEST_ASSERT(ret == 0); + + char label[] = "test-label"; + uint8_t key_buffer_server[16] = { 0 }; + uint8_t key_buffer_client[24] = { 0 }; + unsigned char context[128] = { 0 }; + ret = mbedtls_ssl_export_keying_material(&server_ep.ssl, + key_buffer_server, sizeof(key_buffer_server), + label, sizeof(label), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer_client, sizeof(key_buffer_client), + label, sizeof(label), + context, sizeof(context), 1); + TEST_ASSERT(ret == 0); + TEST_ASSERT(memcmp(key_buffer_server, key_buffer_client, sizeof(key_buffer_server)) != 0); + +exit: + MD_OR_USE_PSA_DONE(); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_rejects_bad_parameters( + int proto, int exported_key_length, int label_length, int context_length) +{ + MD_OR_USE_PSA_INIT(); + + int ret = -1; + uint8_t *key_buffer = NULL; + char *label = NULL; + uint8_t *context = NULL; + mbedtls_test_ssl_endpoint client_ep, server_ep; + + TEST_ASSERT(exported_key_length > 0); + TEST_ASSERT(label_length > 0); + TEST_ASSERT(context_length > 0); + TEST_CALLOC(key_buffer, exported_key_length); + TEST_CALLOC(label, label_length); + TEST_CALLOC(context, context_length); + + ret = mbedtls_test_ssl_do_handshake_with_endpoints(&server_ep, &client_ep, proto); + TEST_ASSERT(ret == 0); + + ret = mbedtls_ssl_export_keying_material(&client_ep.ssl, + key_buffer, exported_key_length, + label, label_length, + context, context_length, 1); + TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + +exit: + MD_OR_USE_PSA_DONE(); + mbedtls_free(key_buffer); + mbedtls_free(label); + mbedtls_free(context); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */ +void ssl_tls_exporter_too_early(int proto, int check_server, int state) +{ + enum { BUFFSIZE = 1024 }; + + int ret = -1; + mbedtls_test_ssl_endpoint server_ep, client_ep; + + mbedtls_test_handshake_test_options options; + mbedtls_test_init_handshake_options(&options); + options.server_min_version = proto; + options.client_min_version = proto; + options.server_max_version = proto; + options.client_max_version = proto; + + MD_OR_USE_PSA_INIT(); + + ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER, &options, + NULL, NULL, NULL); + TEST_ASSERT(ret == 0); + ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT, &options, + NULL, NULL, NULL); + TEST_ASSERT(ret == 0); + + ret = mbedtls_test_mock_socket_connect(&client_ep.socket, &server_ep.socket, BUFFSIZE); + TEST_ASSERT(ret == 0); + + if (check_server) { + ret = mbedtls_test_move_handshake_to_state(&server_ep.ssl, &client_ep.ssl, state); + } else { + ret = mbedtls_test_move_handshake_to_state(&client_ep.ssl, &server_ep.ssl, state); + } + TEST_ASSERT(ret == 0 || ret == MBEDTLS_ERR_SSL_WANT_READ || MBEDTLS_ERR_SSL_WANT_WRITE); + + char label[] = "test-label"; + uint8_t key_buffer[24] = { 0 }; + ret = mbedtls_ssl_export_keying_material(check_server ? &server_ep.ssl : &client_ep.ssl, + key_buffer, sizeof(key_buffer), + label, sizeof(label), + NULL, 0, 0); + + /* FIXME: A more appropriate error code should be created for this case. */ + TEST_ASSERT(ret == MBEDTLS_ERR_SSL_BAD_INPUT_DATA); + +exit: + MD_OR_USE_PSA_DONE(); } /* END_CASE */