OpenVPN
test_tls_crypt.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include <stdio.h>
33 #include <unistd.h>
34 #include <stdlib.h>
35 #include <stdarg.h>
36 #include <string.h>
37 #include <setjmp.h>
38 #include <cmocka.h>
39 
40 #include "tls_crypt.c"
41 
42 #include "mock_msg.h"
43 
44 #define TESTBUF_SIZE 128
45 
46 /* Defines for use in the tests and the mock parse_line() */
47 #define PATH1 "/s p a c e"
48 #define PATH2 "/foo bar/baz"
49 #define PARAM1 "param1"
50 #define PARAM2 "param two"
51 
52 static const char *test_server_key = \
53  "-----BEGIN OpenVPN tls-crypt-v2 server key-----\n"
54  "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
55  "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
56  "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=\n"
57  "-----END OpenVPN tls-crypt-v2 server key-----\n";
58 
59 static const char *test_client_key = \
60  "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
61  "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
62  "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
63  "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6P\n"
64  "kJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/\n"
65  "wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v\n"
66  "8PHy8/T19vf4+fr7/P3+/xd9pcB0qUYZsWvkrLcfGmzPJPM8a7r0mEWdXwbDadSV\n"
67  "LHg5bv2TwlmPR3HgaMr8o9LTh9hxUTkrH3S0PfKRNwcso86ua/dBFTyXsM9tg4aw\n"
68  "3dS6ogH9AkaT+kRRDgNcKWkQCbwmJK2JlfkXHBwbAtmn78AkNuho6QCFqCdqGab3\n"
69  "zh2vheFqGMPdGpukbFrT3rcO3VLxUeG+RdzXiMTCpJSovFBP1lDkYwYJPnz6daEh\n"
70  "j0TzJ3BVru9W3CpotdNt7u09knxAfpCxjtrP3semsDew/gTBtcfQ/OoTFyFHnN5k\n"
71  "RZ+q17SC4nba3Pp8/Fs0+hSbv2tJozoD8SElFq7SIWJsciTYh8q8f5yQxjdt4Wxu\n"
72  "/Z5wtPCAZ0tOzj4ItTI77fBOYRTfEayzHgEr\n"
73  "-----END OpenVPN tls-crypt-v2 client key-----\n";
74 
75 
76 /* Has custom metadata of AABBCCDD (base64) */
77 static const char *test_client_key_metadata = \
78  "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
79  "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
80  "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
81  "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6P\n"
82  "kJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/\n"
83  "wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v\n"
84  "8PHy8/T19vf4+fr7/P3+/2ntp1WCqhcLjJQY/igkjNt3Yb6i0neqFkfrOp2UCDcz\n"
85  "6RSJtPLZbvOOKUHk2qwxPYUsFCnz/IWV6/ZiLRrabzUpS8oSN1HS6P7qqAdrHKgf\n"
86  "hVTHasdSf2UdMTPC7HBgnP9Ll0FhKN0h7vSzbbt7QM7wH9mr1ecc/Mt0SYW2lpwA\n"
87  "aJObYGTyk6hTgWm0g/MLrworLrezTqUHBZzVsu+LDyqLWK1lzJNd66MuNOsGA4YF\n"
88  "fbCsDh8n3H+Cw1k5YNBZDYYJOtVUgBWXheO6vgoOmqDdI0dAQ3hVo9DE+SkCFjgf\n"
89  "l4FY2yLEh9ZVZZrl1eD1Owh/X178CkHrBJYl9LNQSyQEKlDGWwBLQ/pY3qtjctr3\n"
90  "pV62MPQdBo+1lcsjDCJVQA6XUyltas4BKQ==\n"
91  "-----END OpenVPN tls-crypt-v2 client key-----\n";
92 
93 int
94 __wrap_parse_line(const char *line, char **p, const int n, const char *file,
95  const int line_num, int msglevel, struct gc_arena *gc)
96 {
97  p[0] = PATH1 PATH2;
98  p[1] = PARAM1;
99  p[2] = PARAM2;
100  return 3;
101 }
102 
103 bool
104 __wrap_buffer_write_file(const char *filename, const struct buffer *buf)
105 {
106  const char *pem = BSTR(buf);
107  check_expected(filename);
108  check_expected(pem);
109 
110  return mock();
111 }
112 
113 struct buffer
114 __wrap_buffer_read_from_file(const char *filename, struct gc_arena *gc)
115 {
116  check_expected(filename);
117 
118  const char *pem_str = (const char *) mock();
119  struct buffer ret = alloc_buf_gc(strlen(pem_str) + 1, gc);
120  buf_write(&ret, pem_str, strlen(pem_str) + 1);
121 
122  return ret;
123 }
124 
125 
127 int
128 __wrap_rand_bytes(uint8_t *output, int len)
129 {
130  for (int i = 0; i < len; i++)
131  {
132  output[i] = i;
133  }
134  return true;
135 }
136 
139  struct key_type kt;
140  struct buffer source;
143 };
144 
145 static int
146 test_tls_crypt_setup(void **state)
147 {
148  struct test_tls_crypt_context *ctx = calloc(1, sizeof(*ctx));
149  *state = ctx;
150 
151  struct key key = { 0 };
152 
153  ctx->kt = tls_crypt_kt();
154  if (!ctx->kt.cipher || !ctx->kt.digest)
155  {
156  return 0;
157  }
158  init_key_ctx(&ctx->co.key_ctx_bi.encrypt, &key, &ctx->kt, true, "TEST");
159  init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST");
160 
161  packet_id_init(&ctx->co.packet_id, 0, 0, "test", 0);
162 
163  ctx->source = alloc_buf(TESTBUF_SIZE);
166 
167  /* Write test plaintext */
168  const char *plaintext = "1234567890";
169  buf_write(&ctx->source, plaintext, strlen(plaintext));
170 
171  /* Write test ciphertext */
172  const char *ciphertext = "012345678";
173  buf_write(&ctx->ciphertext, ciphertext, strlen(ciphertext));
174 
175  return 0;
176 }
177 
178 static int
180 {
181  struct test_tls_crypt_context *ctx =
182  (struct test_tls_crypt_context *)*state;
183 
184  free_buf(&ctx->source);
185  free_buf(&ctx->ciphertext);
186  free_buf(&ctx->unwrapped);
187 
189 
190  free(ctx);
191 
192  return 0;
193 }
194 
195 static void
197 {
198  if (!ctx->kt.cipher || !ctx->kt.digest)
199  {
200  skip();
201  }
202 }
203 
207 static void
208 tls_crypt_loopback(void **state)
209 {
210  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
211 
213 
214  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
215  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
216  assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
217  assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
219  BLEN(&ctx->source));
220 }
221 
225 static void
227 {
228  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
229 
231 
232  buf_clear(&ctx->source);
233 
234  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
235  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
236  assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
237  assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
239  BLEN(&ctx->source));
240 }
241 
245 static void
247 {
248  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
249 
251 
252  buf_clear(&ctx->source);
255 
256  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
257  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
258  assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
259  assert_int_equal(BLEN(&ctx->source), BLEN(&ctx->unwrapped));
261  BLEN(&ctx->source));
262 }
263 
267 static void
269 {
270  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
271 
273 
274  buf_clear(&ctx->source);
277  assert_false(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
278 }
279 
284 static void
286 {
287  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
288 
290 
291  /* Change decrypt key */
292  struct key key = { { 1 } };
294  init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST");
295 
296  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
297  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
298  assert_false(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
299 }
300 
304 static void
306 {
307  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
308 
310 
311  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
312  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
313  struct buffer tmp = ctx->ciphertext;
314  assert_true(tls_crypt_unwrap(&tmp, &ctx->unwrapped, &ctx->co));
315  buf_clear(&ctx->unwrapped);
316  assert_false(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
317 }
318 
324 static void
326 {
327  struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state;
328 
330 
331  ctx->co.flags |= CO_IGNORE_PACKET_ID;
332 
333  assert_true(tls_crypt_wrap(&ctx->source, &ctx->ciphertext, &ctx->co));
334  assert_true(BLEN(&ctx->source) < BLEN(&ctx->ciphertext));
335  struct buffer tmp = ctx->ciphertext;
336  assert_true(tls_crypt_unwrap(&tmp, &ctx->unwrapped, &ctx->co));
337  buf_clear(&ctx->unwrapped);
338  assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co));
339 }
340 
342  struct gc_arena gc;
343  struct key2 server_key2;
344  struct key_ctx_bi server_keys;
345  struct key2 client_key2;
346  struct key_ctx_bi client_key;
347  struct buffer metadata;
348  struct buffer unwrapped_metadata;
349  struct buffer wkc;
350 };
351 
352 static int
354 {
355  struct test_tls_crypt_v2_context *ctx = calloc(1, sizeof(*ctx));
356  *state = ctx;
357 
358  ctx->gc = gc_new();
359 
360  /* Slightly longer buffers to be able to test too-long data */
363  &ctx->gc);
364  ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN+16, &ctx->gc);
365 
366  /* Generate server key */
367  rand_bytes((void *)ctx->server_key2.keys, sizeof(ctx->server_key2.keys));
368  ctx->server_key2.n = 2;
369  struct key_type kt = tls_crypt_kt();
372  "tls-crypt-v2 server key");
373 
374  /* Generate client key */
375  rand_bytes((void *)ctx->client_key2.keys, sizeof(ctx->client_key2.keys));
376  ctx->client_key2.n = 2;
377 
378  return 0;
379 }
380 
381 static int
383 {
384  struct test_tls_crypt_v2_context *ctx =
385  (struct test_tls_crypt_v2_context *) *state;
386 
389 
390  gc_free(&ctx->gc);
391 
392  free(ctx);
393 
394  return 0;
395 }
396 
400 static void
402 {
403  struct test_tls_crypt_v2_context *ctx =
404  (struct test_tls_crypt_v2_context *) *state;
405 
406  struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN,
407  &ctx->gc);
408  assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key,
409  &ctx->client_key2,
410  &ctx->metadata,
411  &ctx->server_keys.encrypt,
412  &ctx->gc));
413 
414  struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
415  &ctx->gc);
416  struct key2 unwrapped_client_key2 = { 0 };
417  assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
418  &unwrap_metadata,
419  wrapped_client_key,
420  &ctx->server_keys.decrypt));
421 
422  assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
423  sizeof(ctx->client_key2.keys)));
424 }
425 
430 static void
432 {
433  struct test_tls_crypt_v2_context *ctx =
434  (struct test_tls_crypt_v2_context *) *state;
435 
436  uint8_t *metadata =
440  &ctx->metadata,
441  &ctx->server_keys.encrypt,
442  &ctx->gc));
443 
444  struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
445  &ctx->gc);
446  struct key2 unwrapped_client_key2 = { 0 };
447  assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
448  &unwrap_metadata, ctx->wkc,
449  &ctx->server_keys.decrypt));
450 
451  assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys,
452  sizeof(ctx->client_key2.keys)));
453  assert_true(buf_equal(&ctx->metadata, &unwrap_metadata));
454 
455  struct tls_wrap_ctx wrap_ctx = {
456  .mode = TLS_WRAP_CRYPT,
457  .tls_crypt_v2_server_key = ctx->server_keys.encrypt,
458  };
459  assert_true(tls_crypt_v2_extract_client_key(&ctx->wkc, &wrap_ctx, NULL));
460  tls_wrap_free(&wrap_ctx);
461 }
462 
467 static void
469 {
470  struct test_tls_crypt_v2_context *ctx =
471  (struct test_tls_crypt_v2_context *) *state;
472 
475  &ctx->metadata,
476  &ctx->server_keys.encrypt,
477  &ctx->gc));
478 }
479 
484 static void
486 {
487  struct test_tls_crypt_v2_context *ctx =
488  (struct test_tls_crypt_v2_context *) *state;
489 
491  &ctx->metadata,
492  &ctx->server_keys.encrypt,
493  &ctx->gc));
494 
495  /* Change server key */
496  struct key_type kt = tls_crypt_kt();
498  memset(&ctx->server_key2.keys, 0, sizeof(ctx->server_key2.keys));
501  "wrong tls-crypt-v2 server key");
502 
503 
504  struct key2 unwrapped_client_key2 = { 0 };
505  assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
506  &ctx->unwrapped_metadata,
507  ctx->wkc,
508  &ctx->server_keys.decrypt));
509 
510  const struct key2 zero = { 0 };
511  assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
512  assert_true(0 == BLEN(&ctx->unwrapped_metadata));
513 }
514 
519 static void
521 {
522  struct test_tls_crypt_v2_context *ctx =
523  (struct test_tls_crypt_v2_context *) *state;
524 
525  uint8_t *metadata =
529  &ctx->metadata,
530  &ctx->server_keys.encrypt,
531  &ctx->gc));
532 
533  struct key2 unwrapped_client_key2 = { 0 };
534  struct buffer unwrapped_metadata =
536  assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2,
537  &unwrapped_metadata, ctx->wkc,
538  &ctx->server_keys.decrypt));
539 
540  const struct key2 zero = { 0 };
541  assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero)));
542  assert_true(0 == BLEN(&ctx->unwrapped_metadata));
543 }
544 
545 static void
547 {
548  const char *filename = "testfilename.key";
549 
550  expect_string(__wrap_buffer_write_file, filename, filename);
552  strlen(test_server_key));
554 
556 }
557 
558 static void
560 {
561  const char *filename = "testfilename.key";
562 
563  /* Test writing the client key */
564  expect_string(__wrap_buffer_write_file, filename, filename);
566  strlen(test_client_key));
568 
569  /* Key generation re-reads the created file as a sanity check */
570  expect_string(__wrap_buffer_read_from_file, filename, filename);
572 
574 }
575 
576 static void
578 {
579  const char *filename = "testfilename.key";
580  const char *b64metadata = "AABBCCDD";
581 
582  /* Test writing the client key */
583  expect_string(__wrap_buffer_write_file, filename, filename);
585  strlen(test_client_key_metadata));
587 
588  /* Key generation re-reads the created file as a sanity check */
589  expect_string(__wrap_buffer_read_from_file, filename, filename);
591 
593  true);
594 }
595 
596 int
597 main(void)
598 {
599  const struct CMUnitTest tests[] = {
639  };
640 
641 #if defined(ENABLE_CRYPTO_OPENSSL)
642  OpenSSL_add_all_algorithms();
643 #endif
644 
645  int ret = cmocka_run_group_tests_name("tls-crypt tests", tests, NULL, NULL);
646 
647 #if defined(ENABLE_CRYPTO_OPENSSL)
648  EVP_cleanup();
649 #endif
650 
651  return ret;
652 }
int __wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
#define assert_true(c)
Definition: cmocka.h:1045
Security parameter state for processing data channel packets.
Definition: crypto.h:232
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:518
#define assert_non_null(c)
Definition: cmocka.h:1102
#define cmocka_unit_test(f)
Initializes a CMUnitTest structure.
Definition: cmocka.h:1653
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:887
static void tls_crypt_v2_wrap_unwrap_wrong_key(void **state)
Check that unwrapping a tls-crypt-v2 client key with the wrong server key fails as expected...
static void tls_crypt_fail_msg_too_long(void **state)
Check that too-long messages are gracefully rejected.
void free_buf(struct buffer *buf)
Definition: buffer.c:185
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
#define PARAM2
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
Definition: buffer.h:656
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:819
#define PARAM1
static int test_tls_crypt_setup(void **state)
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
Definition: tls_crypt.c:402
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
static void tls_crypt_fail_replay(void **state)
Check that replayed packets are not accepted.
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
Control channel encryption and authentication.
Definition: ssl_common.h:255
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
struct crypto_options co
int main(void)
static void skip_if_tls_crypt_not_supported(struct test_tls_crypt_context *ctx)
#define TLS_CRYPT_V2_MAX_WKC_LEN
Definition: tls_crypt.h:97
static void tls_crypt_loopback_max_len(void **state)
Check that max-length messages are successfully wrapped-and-unwrapped.
static int test_tls_crypt_v2_teardown(void **state)
static void test_tls_crypt_v2_write_server_key_file(void **state)
struct key_ctx_bi server_keys
static void tls_crypt_v2_wrap_unwrap_dst_too_small(void **state)
Check that unwrapping a tls-crypt-v2 client key to a too small metadata buffer fails as expected...
static void tls_crypt_fail_invalid_key(void **state)
Check that packets that were wrapped (or unwrapped) with a different key are not accepted.
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:75
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:250
#define cmocka_run_group_tests_name(group_name, group_tests, group_setup, group_teardown)
Definition: cmocka.h:1818
static void tls_crypt_loopback_zero_len(void **state)
Check that zero-byte messages are successfully wrapped-and-unwrapped.
static struct key_type tls_crypt_kt(void)
Definition: tls_crypt.c:51
static void tls_crypt_ignore_replay(void **state)
Check that packet replays are accepted when CO_IGNORE_PACKET_ID is set.
#define assert_memory_equal(a, b, size)
Definition: cmocka.h:1254
#define PATH2
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define KEY_DIRECTION_BIDIRECTIONAL
Definition: crypto.h:173
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
static const char * test_client_key_metadata
static const char * test_server_key
struct buffer ciphertext
#define expect_memory(function, parameter, memory, size)
Definition: cmocka.h:848
int __wrap_rand_bytes(uint8_t *output, int len)
Predictable random for tests.
static void tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
Check wrapping and unwrapping a tls-crypt-v2 client key with maximum length metadata.
bool __wrap_buffer_write_file(const char *filename, const struct buffer *buf)
static int test_tls_crypt_v2_setup(void **state)
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:867
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
struct buffer unwrapped_metadata
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:904
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
#define will_return(function, value)
Definition: cmocka.h:294
#define BLEN(buf)
Definition: buffer.h:127
#define skip()
Definition: cmocka.h:1540
#define cmocka_unit_test_setup_teardown(f, setup, teardown)
Initialize an array of CMUnitTest structures with a setup function for a test and a teardown function...
Definition: cmocka.h:1665
enum tls_wrap_ctx::@11 mode
Control channel wrapping mode.
static bool buf_inc_len(struct buffer *buf, int inc)
Definition: buffer.h:611
const md_kt_t * digest
Message digest static parameters.
Definition: crypto.h:144
static int test_tls_crypt_teardown(void **state)
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
#define check_expected(parameter)
Definition: cmocka.h:986
#define mock()
Definition: cmocka.h:210
#define TLS_CRYPT_V2_MAX_METADATA_LEN
Definition: tls_crypt.h:101
static const char * test_client_key
static void tls_crypt_v2_wrap_unwrap_no_metadata(void **state)
Check wrapping and unwrapping a tls-crypt-v2 client key without metadata.
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
static void tls_crypt_loopback(void **state)
Check that short messages are successfully wrapped-and-unwrapped.
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
static void test_tls_crypt_v2_write_client_key_file(void **state)
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
#define free
Definition: cmocka.c:1850
static void tls_crypt_v2_wrap_too_long_metadata(void **state)
Check that wrapping a tls-crypt-v2 client key with too long metadata fails as expected.
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:632
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:689
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
Definition: tls_crypt.c:345
#define PATH1
struct key_ctx_bi client_key
struct buffer __wrap_buffer_read_from_file(const char *filename, struct gc_arena *gc)
#define BSTR(buf)
Definition: buffer.h:129
#define assert_false(c)
Definition: cmocka.h:1063
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
#define TESTBUF_SIZE
static bool buf_equal(const struct buffer *a, const struct buffer *b)
Return true if buffer contents are equal.
Definition: buffer.h:859
#define expect_string(function, parameter, string)
Definition: cmocka.h:753
#define assert_int_equal(a, b)
Definition: cmocka.h:1174
static void test_tls_crypt_v2_write_client_key_file_metadata(void **state)
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151