Go to the documentation of this file.
45 const char *label,
size_t label_size,
46 void *ekm,
size_t ekm_size)
48 memset(ekm, 0xba, ekm_size);
53 #define TESTBUF_SIZE 128
56 #define PATH1 "/s p a c e"
57 #define PATH2 "/foo bar/baz"
58 #define PARAM1 "param1"
59 #define PARAM2 "param two"
62 "-----BEGIN OpenVPN tls-crypt-v2 server key-----\n"
63 "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
64 "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
65 "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn8=\n"
66 "-----END OpenVPN tls-crypt-v2 server key-----\n";
69 "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
70 "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
71 "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
72 "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6P\n"
73 "kJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/\n"
74 "wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v\n"
75 "8PHy8/T19vf4+fr7/P3+/xd9pcB0qUYZsWvkrLcfGmzPJPM8a7r0mEWdXwbDadSV\n"
76 "LHg5bv2TwlmPR3HgaMr8o9LTh9hxUTkrH3S0PfKRNwcso86ua/dBFTyXsM9tg4aw\n"
77 "3dS6ogH9AkaT+kRRDgNcKWkQCbwmJK2JlfkXHBwbAtmn78AkNuho6QCFqCdqGab3\n"
78 "zh2vheFqGMPdGpukbFrT3rcO3VLxUeG+RdzXiMTCpJSovFBP1lDkYwYJPnz6daEh\n"
79 "j0TzJ3BVru9W3CpotdNt7u09knxAfpCxjtrP3semsDew/gTBtcfQ/OoTFyFHnN5k\n"
80 "RZ+q17SC4nba3Pp8/Fs0+hSbv2tJozoD8SElFq7SIWJsciTYh8q8f5yQxjdt4Wxu\n"
81 "/Z5wtPCAZ0tOzj4ItTI77fBOYRTfEayzHgEr\n"
82 "-----END OpenVPN tls-crypt-v2 client key-----\n";
87 "-----BEGIN OpenVPN tls-crypt-v2 client key-----\n"
88 "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v\n"
89 "MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f\n"
90 "YGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6P\n"
91 "kJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/\n"
92 "wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v\n"
93 "8PHy8/T19vf4+fr7/P3+/2ntp1WCqhcLjJQY/igkjNt3Yb6i0neqFkfrOp2UCDcz\n"
94 "6RSJtPLZbvOOKUHk2qwxPYUsFCnz/IWV6/ZiLRrabzUpS8oSN1HS6P7qqAdrHKgf\n"
95 "hVTHasdSf2UdMTPC7HBgnP9Ll0FhKN0h7vSzbbt7QM7wH9mr1ecc/Mt0SYW2lpwA\n"
96 "aJObYGTyk6hTgWm0g/MLrworLrezTqUHBZzVsu+LDyqLWK1lzJNd66MuNOsGA4YF\n"
97 "fbCsDh8n3H+Cw1k5YNBZDYYJOtVUgBWXheO6vgoOmqDdI0dAQ3hVo9DE+SkCFjgf\n"
98 "l4FY2yLEh9ZVZZrl1eD1Owh/X178CkHrBJYl9LNQSyQEKlDGWwBLQ/pY3qtjctr3\n"
99 "pV62MPQdBo+1lcsjDCJVQA6XUyltas4BKQ==\n"
100 "-----END OpenVPN tls-crypt-v2 client key-----\n";
104 const int line_num,
int msglevel,
struct gc_arena *gc)
115 const char *pem =
BSTR(buf);
116 check_expected(filename);
119 return mock_type(
bool);
125 check_expected(filename);
127 const char *pem_str = mock_ptr_type(
const char *);
129 buf_write(&ret, pem_str, strlen(pem_str) + 1);
139 for (
int i = 0; i <
len; i++)
178 const char *plaintext =
"1234567890";
182 const char *ciphertext =
"012345678";
260 uint8_t expected_ciphertext[] = {
261 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xe3, 0x19, 0x27, 0x7f, 0x1c, 0x8d, 0x6e, 0x6a,
262 0x77, 0x96, 0xa8, 0x55, 0x33, 0x7b, 0x9c, 0xfb, 0x56, 0xe1, 0xf1, 0x3a, 0x87, 0x0e, 0x66, 0x47,
263 0xdf, 0xa1, 0x95, 0xc9, 0x2c, 0x17, 0xa0, 0x15, 0xba, 0x49, 0x67, 0xa1, 0x1d, 0x55, 0xea, 0x1a,
272 memset(&
session.tls_wrap.original_wrap_keydata.keys, 0x00,
sizeof(
session.tls_wrap.original_wrap_keydata.keys));
273 session.tls_wrap.original_wrap_keydata.n = 2;
283 memset(&
session.tls_wrap.original_wrap_keydata.keys, 0x42,
sizeof(
session.tls_wrap.original_wrap_keydata.keys));
290 assert_memory_equal(
BPTR(&rctx->
work), expected_ciphertext, 8);
371 struct key key = { { 1 } };
451 "tls-crypt-v2 server key");
495 struct key2 unwrapped_client_key2 = { 0 };
525 struct key2 unwrapped_client_key2 = { 0 };
527 &unwrap_metadata, ctx->
wkc,
580 "wrong tls-crypt-v2 server key");
583 struct key2 unwrapped_client_key2 = { 0 };
589 const struct key2 zero = { 0 };
590 assert_true(0 == memcmp(&unwrapped_client_key2, &zero,
sizeof(zero)));
612 struct key2 unwrapped_client_key2 = { 0 };
613 struct buffer unwrapped_metadata =
616 &unwrapped_metadata, ctx->
wkc,
619 const struct key2 zero = { 0 };
620 assert_true(0 == memcmp(&unwrapped_client_key2, &zero,
sizeof(zero)));
627 const char *filename =
"testfilename.key";
640 const char *filename =
"testfilename.key";
658 const char *filename =
"testfilename.key";
659 const char *b64metadata =
"AABBCCDD";
678 const struct CMUnitTest tests[] = {
723 #if defined(ENABLE_CRYPTO_OPENSSL)
724 OpenSSL_add_all_algorithms();
727 int ret = cmocka_run_group_tests_name(
"tls-crypt tests", tests, NULL, NULL);
729 #if defined(ENABLE_CRYPTO_OPENSSL)
int n
The number of key objects stored in the key2.keys array.
static void tls_crypt_v2_wrap_unwrap_wrong_key(void **state)
Check that unwrapping a tls-crypt-v2 client key with the wrong server key fails as expected.
#define TLS_CRYPT_V2_MAX_METADATA_LEN
static void tls_crypt_v2_wrap_too_long_metadata(void **state)
Check that wrapping a tls-crypt-v2 client key with too long metadata fails as expected.
#define KEY_DIRECTION_BIDIRECTIONAL
static struct gc_arena gc_new(void)
static void tls_crypt_ignore_replay(void **state)
Check that packet replays are accepted when CO_IGNORE_PACKET_ID is set.
static void tls_crypt_fail_invalid_key(void **state)
Check that packets that were wrapped (or unwrapped) with a different key are not accepted.
int len
Length in bytes of the actual content within the allocated memory.
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
static void skip_if_tls_crypt_not_supported(struct test_tls_crypt_context *ctx)
#define TLS_CRYPT_V2_MAX_WKC_LEN
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
int __wrap_parse_line(const char *line, char **p, const int n, const char *file, const int line_num, int msglevel, struct gc_arena *gc)
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
void buf_clear(struct buffer *buf)
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
@ TLS_WRAP_CRYPT
Control channel encryption and authentication.
static int test_tls_crypt_v2_teardown(void **state)
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Security parameter state for a single VPN tunnel.
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Container for unidirectional cipher and HMAC key material.
static void tls_crypt_fail_replay(void **state)
Check that replayed packets are not accepted.
static bool buf_equal(const struct buffer *a, const struct buffer *b)
Return true if buffer contents are equal.
static int test_tls_crypt_setup(void **state)
void free_key_ctx_bi(struct key_ctx_bi *ctx)
static const char * test_client_key_metadata
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
struct crypto_options opt
Crypto state.
static bool buf_advance(struct buffer *buf, int size)
static bool buf_inc_len(struct buffer *buf, int inc)
static struct key_type tls_crypt_kt(void)
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
static void tls_crypt_fail_msg_too_long(void **state)
Check that too-long messages are gracefully rejected.
const char * digest
Message digest static parameters.
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Control channel wrapping (–tls-auth/–tls-crypt) context.
struct buffer work
Work buffer (only for –tls-crypt)
static const char * test_server_key
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
static void test_tls_crypt_v2_write_client_key_file(void **state)
static void tls_crypt_loopback(void **state)
Check that short messages are successfully wrapped-and-unwrapped.
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
static void test_tls_crypt_v2_write_server_key_file(void **state)
bool __wrap_buffer_write_file(const char *filename, const struct buffer *buf)
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
struct key_ctx_bi client_key
static const char * test_client_key
Wrapper structure for dynamically allocated memory.
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Security parameter state of a single session within a VPN tunnel.
static void tls_crypt_loopback_zero_len(void **state)
Check that zero-byte messages are successfully wrapped-and-unwrapped.
Garbage collection arena used to keep track of dynamically allocated memory.
const char * cipher
const name of the cipher
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
static void test_tls_crypt_secure_reneg_key(void **state)
Test generating dynamic tls-crypt key.
void free_buf(struct buffer *buf)
void free_key_ctx(struct key_ctx *ctx)
int __wrap_rand_bytes(uint8_t *output, int len)
Predictable random for tests.
static int buf_len(const struct buffer *buf)
static int test_tls_crypt_teardown(void **state)
static void tls_crypt_v2_wrap_unwrap_max_metadata(void **state)
Check wrapping and unwrapping a tls-crypt-v2 client key with maximum length metadata.
static void tls_crypt_v2_wrap_unwrap_no_metadata(void **state)
Check wrapping and unwrapping a tls-crypt-v2 client key without metadata.
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
static void gc_free(struct gc_arena *a)
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
static int test_tls_crypt_v2_setup(void **state)
Container for bidirectional cipher and HMAC key material.
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
static void tls_crypt_loopback_max_len(void **state)
Check that max-length messages are successfully wrapped-and-unwrapped.
unsigned int flags
Bit-flags determining behavior of security operation functions.
struct key keys[2]
Two unidirectional sets of key material.
struct buffer alloc_buf(size_t size)
enum tls_wrap_ctx::@17 mode
Control channel wrapping mode.
struct key_ctx_bi server_keys
struct buffer unwrapped_metadata
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_multi *multi, struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
struct buffer __wrap_buffer_read_from_file(const char *filename, struct gc_arena *gc)
static void test_tls_crypt_v2_write_client_key_file_metadata(void **state)
static void tls_crypt_v2_wrap_unwrap_dst_too_small(void **state)
Check that unwrapping a tls-crypt-v2 client key to a too small metadata buffer fails as expected.
Security parameter state for processing data channel packets.
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
