Browse code
tls-crypt-v2: add unwrap_client_key
Add helper functions to unwrap tls-crypt-v2 client keys.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17791.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2018/10/22 20:45:12Showing 3 changed files
| ... | ... |
@@ -853,6 +853,13 @@ buf_read_u32(struct buffer *buf, bool *good) |
| 853 | 853 |
} |
| 854 | 854 |
} |
| 855 | 855 |
|
| 856 |
+/** Return true if buffer contents are equal */ |
|
| 857 |
+static inline bool |
|
| 858 |
+buf_equal(const struct buffer *a, const struct buffer *b) |
|
| 859 |
+{
|
|
| 860 |
+ return BLEN(a) == BLEN(b) && 0 == memcmp(BPTR(a), BPTR(b), BLEN(a)); |
|
| 861 |
+} |
|
| 862 |
+ |
|
| 856 | 863 |
/** |
| 857 | 864 |
* Compare src buffer contents with match. |
| 858 | 865 |
* *NOT* constant time. Do not use when comparing HMACs. |
| ... | ... |
@@ -434,6 +434,115 @@ tls_crypt_v2_wrap_client_key(struct buffer *wkc, |
| 434 | 434 |
return buf_copy(wkc, &work); |
| 435 | 435 |
} |
| 436 | 436 |
|
| 437 |
+static bool |
|
| 438 |
+tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, |
|
| 439 |
+ struct buffer wrapped_client_key, |
|
| 440 |
+ struct key_ctx *server_key) |
|
| 441 |
+{
|
|
| 442 |
+ const char *error_prefix = __func__; |
|
| 443 |
+ bool ret = false; |
|
| 444 |
+ struct gc_arena gc = gc_new(); |
|
| 445 |
+ /* The crypto API requires one extra cipher block of buffer head room when |
|
| 446 |
+ * decrypting, which nicely matches the tag size of WKc. So |
|
| 447 |
+ * TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */ |
|
| 448 |
+ uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
|
|
| 449 |
+ struct buffer plaintext = { 0 };
|
|
| 450 |
+ |
|
| 451 |
+ dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__, |
|
| 452 |
+ BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key), |
|
| 453 |
+ BLEN(&wrapped_client_key), |
|
| 454 |
+ 0, &gc)); |
|
| 455 |
+ |
|
| 456 |
+ if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key)) |
|
| 457 |
+ {
|
|
| 458 |
+ CRYPT_ERROR("wrapped client key too big");
|
|
| 459 |
+ } |
|
| 460 |
+ |
|
| 461 |
+ /* Decrypt client key and metadata */ |
|
| 462 |
+ uint16_t net_len = 0; |
|
| 463 |
+ const uint8_t *tag = BPTR(&wrapped_client_key); |
|
| 464 |
+ |
|
| 465 |
+ if (BLEN(&wrapped_client_key) < sizeof(net_len)) |
|
| 466 |
+ {
|
|
| 467 |
+ CRYPT_ERROR("failed to read length");
|
|
| 468 |
+ } |
|
| 469 |
+ memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len), |
|
| 470 |
+ sizeof(net_len)); |
|
| 471 |
+ |
|
| 472 |
+ if (ntohs(net_len) != BLEN(&wrapped_client_key)) |
|
| 473 |
+ {
|
|
| 474 |
+ dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__, |
|
| 475 |
+ ntohs(net_len), BLEN(&wrapped_client_key)); |
|
| 476 |
+ CRYPT_ERROR("invalid length");
|
|
| 477 |
+ } |
|
| 478 |
+ |
|
| 479 |
+ buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len)); |
|
| 480 |
+ |
|
| 481 |
+ if (!buf_advance(&wrapped_client_key, TLS_CRYPT_TAG_SIZE)) |
|
| 482 |
+ {
|
|
| 483 |
+ CRYPT_ERROR("failed to read tag");
|
|
| 484 |
+ } |
|
| 485 |
+ |
|
| 486 |
+ if (!cipher_ctx_reset(server_key->cipher, tag)) |
|
| 487 |
+ {
|
|
| 488 |
+ CRYPT_ERROR("failed to initialize IV");
|
|
| 489 |
+ } |
|
| 490 |
+ buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data)); |
|
| 491 |
+ int outlen = 0; |
|
| 492 |
+ if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen, |
|
| 493 |
+ BPTR(&wrapped_client_key), |
|
| 494 |
+ BLEN(&wrapped_client_key))) |
|
| 495 |
+ {
|
|
| 496 |
+ CRYPT_ERROR("could not decrypt client key");
|
|
| 497 |
+ } |
|
| 498 |
+ ASSERT(buf_inc_len(&plaintext, outlen)); |
|
| 499 |
+ |
|
| 500 |
+ if (!cipher_ctx_final(server_key->cipher, BEND(&plaintext), &outlen)) |
|
| 501 |
+ {
|
|
| 502 |
+ CRYPT_ERROR("cipher final failed");
|
|
| 503 |
+ } |
|
| 504 |
+ ASSERT(buf_inc_len(&plaintext, outlen)); |
|
| 505 |
+ |
|
| 506 |
+ /* Check authentication */ |
|
| 507 |
+ uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
|
|
| 508 |
+ hmac_ctx_reset(server_key->hmac); |
|
| 509 |
+ hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len)); |
|
| 510 |
+ hmac_ctx_update(server_key->hmac, BPTR(&plaintext), |
|
| 511 |
+ BLEN(&plaintext)); |
|
| 512 |
+ hmac_ctx_final(server_key->hmac, tag_check); |
|
| 513 |
+ |
|
| 514 |
+ if (memcmp_constant_time(tag, tag_check, sizeof(tag_check))) |
|
| 515 |
+ {
|
|
| 516 |
+ dmsg(D_CRYPTO_DEBUG, "tag : %s", |
|
| 517 |
+ format_hex(tag, sizeof(tag_check), 0, &gc)); |
|
| 518 |
+ dmsg(D_CRYPTO_DEBUG, "tag_check: %s", |
|
| 519 |
+ format_hex(tag_check, sizeof(tag_check), 0, &gc)); |
|
| 520 |
+ CRYPT_ERROR("client key authentication error");
|
|
| 521 |
+ } |
|
| 522 |
+ |
|
| 523 |
+ if (buf_len(&plaintext) < sizeof(client_key->keys)) |
|
| 524 |
+ {
|
|
| 525 |
+ CRYPT_ERROR("failed to read client key");
|
|
| 526 |
+ } |
|
| 527 |
+ memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys)); |
|
| 528 |
+ ASSERT(buf_advance(&plaintext, sizeof(client_key->keys))); |
|
| 529 |
+ |
|
| 530 |
+ if(!buf_copy(metadata, &plaintext)) |
|
| 531 |
+ {
|
|
| 532 |
+ CRYPT_ERROR("metadata too large for supplied buffer");
|
|
| 533 |
+ } |
|
| 534 |
+ |
|
| 535 |
+ ret = true; |
|
| 536 |
+error_exit: |
|
| 537 |
+ if (!ret) |
|
| 538 |
+ {
|
|
| 539 |
+ secure_memzero(client_key, sizeof(*client_key)); |
|
| 540 |
+ } |
|
| 541 |
+ buf_clear(&plaintext); |
|
| 542 |
+ gc_free(&gc); |
|
| 543 |
+ return ret; |
|
| 544 |
+} |
|
| 545 |
+ |
|
| 437 | 546 |
void |
| 438 | 547 |
tls_crypt_v2_write_server_key_file(const char *filename) |
| 439 | 548 |
{
|
| ... | ... |
@@ -544,6 +653,18 @@ tls_crypt_v2_write_client_key_file(const char *filename, |
| 544 | 544 |
tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key, |
| 545 | 545 |
filename, NULL); |
| 546 | 546 |
free_key_ctx_bi(&test_client_key); |
| 547 |
+ |
|
| 548 |
+ /* Sanity check: unwrap and load client key (as "server") */ |
|
| 549 |
+ struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, |
|
| 550 |
+ &gc); |
|
| 551 |
+ struct key2 test_client_key2 = { 0 };
|
|
| 552 |
+ free_key_ctx(&server_key); |
|
| 553 |
+ tls_crypt_v2_init_server_key(&server_key, false, server_key_file, |
|
| 554 |
+ server_key_inline); |
|
| 555 |
+ msg(D_GENKEY, "Testing server-side key loading..."); |
|
| 556 |
+ ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata, |
|
| 557 |
+ test_wrapped_client_key, &server_key)); |
|
| 558 |
+ secure_memzero(&test_client_key2, sizeof(test_client_key2)); |
|
| 547 | 559 |
free_buf(&test_wrapped_client_key); |
| 548 | 560 |
|
| 549 | 561 |
cleanup: |
| ... | ... |
@@ -45,7 +45,7 @@ |
| 45 | 45 |
|
| 46 | 46 |
const char plaintext_short[1]; |
| 47 | 47 |
|
| 48 |
-struct test_context {
|
|
| 48 |
+struct test_tls_crypt_context {
|
|
| 49 | 49 |
struct crypto_options co; |
| 50 | 50 |
struct key_type kt; |
| 51 | 51 |
struct buffer source; |
| ... | ... |
@@ -54,8 +54,8 @@ struct test_context {
|
| 54 | 54 |
}; |
| 55 | 55 |
|
| 56 | 56 |
static int |
| 57 |
-setup(void **state) {
|
|
| 58 |
- struct test_context *ctx = calloc(1, sizeof(*ctx)); |
|
| 57 |
+test_tls_crypt_setup(void **state) {
|
|
| 58 |
+ struct test_tls_crypt_context *ctx = calloc(1, sizeof(*ctx)); |
|
| 59 | 59 |
*state = ctx; |
| 60 | 60 |
|
| 61 | 61 |
struct key key = { 0 };
|
| ... | ... |
@@ -84,8 +84,9 @@ setup(void **state) {
|
| 84 | 84 |
} |
| 85 | 85 |
|
| 86 | 86 |
static int |
| 87 |
-teardown(void **state) {
|
|
| 88 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 87 |
+test_tls_crypt_teardown(void **state) {
|
|
| 88 |
+ struct test_tls_crypt_context *ctx = |
|
| 89 |
+ (struct test_tls_crypt_context *)*state; |
|
| 89 | 90 |
|
| 90 | 91 |
free_buf(&ctx->source); |
| 91 | 92 |
free_buf(&ctx->ciphertext); |
| ... | ... |
@@ -98,7 +99,7 @@ teardown(void **state) {
|
| 98 | 98 |
return 0; |
| 99 | 99 |
} |
| 100 | 100 |
|
| 101 |
-static void skip_if_tls_crypt_not_supported(struct test_context *ctx) |
|
| 101 |
+static void skip_if_tls_crypt_not_supported(struct test_tls_crypt_context *ctx) |
|
| 102 | 102 |
{
|
| 103 | 103 |
if (!ctx->kt.cipher || !ctx->kt.digest) |
| 104 | 104 |
{
|
| ... | ... |
@@ -111,7 +112,7 @@ static void skip_if_tls_crypt_not_supported(struct test_context *ctx) |
| 111 | 111 |
*/ |
| 112 | 112 |
static void |
| 113 | 113 |
tls_crypt_loopback(void **state) {
|
| 114 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 114 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 115 | 115 |
|
| 116 | 116 |
skip_if_tls_crypt_not_supported(ctx); |
| 117 | 117 |
|
| ... | ... |
@@ -128,7 +129,7 @@ tls_crypt_loopback(void **state) {
|
| 128 | 128 |
*/ |
| 129 | 129 |
static void |
| 130 | 130 |
tls_crypt_loopback_zero_len(void **state) {
|
| 131 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 131 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 132 | 132 |
|
| 133 | 133 |
skip_if_tls_crypt_not_supported(ctx); |
| 134 | 134 |
|
| ... | ... |
@@ -147,7 +148,7 @@ tls_crypt_loopback_zero_len(void **state) {
|
| 147 | 147 |
*/ |
| 148 | 148 |
static void |
| 149 | 149 |
tls_crypt_loopback_max_len(void **state) {
|
| 150 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 150 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 151 | 151 |
|
| 152 | 152 |
skip_if_tls_crypt_not_supported(ctx); |
| 153 | 153 |
|
| ... | ... |
@@ -168,7 +169,7 @@ tls_crypt_loopback_max_len(void **state) {
|
| 168 | 168 |
*/ |
| 169 | 169 |
static void |
| 170 | 170 |
tls_crypt_fail_msg_too_long(void **state) {
|
| 171 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 171 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 172 | 172 |
|
| 173 | 173 |
skip_if_tls_crypt_not_supported(ctx); |
| 174 | 174 |
|
| ... | ... |
@@ -184,7 +185,7 @@ tls_crypt_fail_msg_too_long(void **state) {
|
| 184 | 184 |
*/ |
| 185 | 185 |
static void |
| 186 | 186 |
tls_crypt_fail_invalid_key(void **state) {
|
| 187 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 187 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 188 | 188 |
|
| 189 | 189 |
skip_if_tls_crypt_not_supported(ctx); |
| 190 | 190 |
|
| ... | ... |
@@ -203,7 +204,7 @@ tls_crypt_fail_invalid_key(void **state) {
|
| 203 | 203 |
*/ |
| 204 | 204 |
static void |
| 205 | 205 |
tls_crypt_fail_replay(void **state) {
|
| 206 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 206 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 207 | 207 |
|
| 208 | 208 |
skip_if_tls_crypt_not_supported(ctx); |
| 209 | 209 |
|
| ... | ... |
@@ -222,7 +223,7 @@ tls_crypt_fail_replay(void **state) {
|
| 222 | 222 |
*/ |
| 223 | 223 |
static void |
| 224 | 224 |
tls_crypt_ignore_replay(void **state) {
|
| 225 |
- struct test_context *ctx = (struct test_context *) *state; |
|
| 225 |
+ struct test_tls_crypt_context *ctx = (struct test_tls_crypt_context *) *state; |
|
| 226 | 226 |
|
| 227 | 227 |
skip_if_tls_crypt_not_supported(ctx); |
| 228 | 228 |
|
| ... | ... |
@@ -236,22 +237,235 @@ tls_crypt_ignore_replay(void **state) {
|
| 236 | 236 |
assert_true(tls_crypt_unwrap(&ctx->ciphertext, &ctx->unwrapped, &ctx->co)); |
| 237 | 237 |
} |
| 238 | 238 |
|
| 239 |
+struct test_tls_crypt_v2_context {
|
|
| 240 |
+ struct gc_arena gc; |
|
| 241 |
+ struct key2 server_key2; |
|
| 242 |
+ struct key_ctx_bi server_keys; |
|
| 243 |
+ struct key2 client_key2; |
|
| 244 |
+ struct key_ctx_bi client_key; |
|
| 245 |
+ struct buffer metadata; |
|
| 246 |
+ struct buffer unwrapped_metadata; |
|
| 247 |
+ struct buffer wkc; |
|
| 248 |
+}; |
|
| 249 |
+ |
|
| 250 |
+static int |
|
| 251 |
+test_tls_crypt_v2_setup(void **state) {
|
|
| 252 |
+ struct test_tls_crypt_v2_context *ctx = calloc(1, sizeof(*ctx)); |
|
| 253 |
+ *state = ctx; |
|
| 254 |
+ |
|
| 255 |
+ ctx->gc = gc_new(); |
|
| 256 |
+ |
|
| 257 |
+ /* Sligthly longer buffers to be able to test too-long data */ |
|
| 258 |
+ ctx->metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16, &ctx->gc); |
|
| 259 |
+ ctx->unwrapped_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN+16, |
|
| 260 |
+ &ctx->gc); |
|
| 261 |
+ ctx->wkc = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN+16, &ctx->gc); |
|
| 262 |
+ |
|
| 263 |
+ /* Generate server key */ |
|
| 264 |
+ rand_bytes((void *)ctx->server_key2.keys, sizeof(ctx->server_key2.keys)); |
|
| 265 |
+ ctx->server_key2.n = 2; |
|
| 266 |
+ struct key_type kt = tls_crypt_kt(); |
|
| 267 |
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, |
|
| 268 |
+ KEY_DIRECTION_BIDIRECTIONAL, &kt, |
|
| 269 |
+ "tls-crypt-v2 server key"); |
|
| 270 |
+ |
|
| 271 |
+ /* Generate client key */ |
|
| 272 |
+ rand_bytes((void *)ctx->client_key2.keys, sizeof(ctx->client_key2.keys)); |
|
| 273 |
+ ctx->client_key2.n = 2; |
|
| 274 |
+ |
|
| 275 |
+ return 0; |
|
| 276 |
+} |
|
| 277 |
+ |
|
| 278 |
+static int |
|
| 279 |
+test_tls_crypt_v2_teardown(void **state) {
|
|
| 280 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 281 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 282 |
+ |
|
| 283 |
+ free_key_ctx_bi(&ctx->server_keys); |
|
| 284 |
+ free_key_ctx_bi(&ctx->client_key); |
|
| 285 |
+ |
|
| 286 |
+ gc_free(&ctx->gc); |
|
| 287 |
+ |
|
| 288 |
+ free(ctx); |
|
| 289 |
+ |
|
| 290 |
+ return 0; |
|
| 291 |
+} |
|
| 292 |
+ |
|
| 293 |
+/** |
|
| 294 |
+ * Check wrapping and unwrapping a tls-crypt-v2 client key without metadata. |
|
| 295 |
+ */ |
|
| 296 |
+static void |
|
| 297 |
+tls_crypt_v2_wrap_unwrap_no_metadata(void **state) {
|
|
| 298 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 299 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 300 |
+ |
|
| 301 |
+ struct buffer wrapped_client_key = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN, |
|
| 302 |
+ &ctx->gc); |
|
| 303 |
+ assert_true(tls_crypt_v2_wrap_client_key(&wrapped_client_key, |
|
| 304 |
+ &ctx->client_key2, |
|
| 305 |
+ &ctx->metadata, |
|
| 306 |
+ &ctx->server_keys.encrypt, |
|
| 307 |
+ &ctx->gc)); |
|
| 308 |
+ |
|
| 309 |
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, |
|
| 310 |
+ &ctx->gc); |
|
| 311 |
+ struct key2 unwrapped_client_key2 = { 0 };
|
|
| 312 |
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, |
|
| 313 |
+ &unwrap_metadata, |
|
| 314 |
+ wrapped_client_key, |
|
| 315 |
+ &ctx->server_keys.decrypt)); |
|
| 316 |
+ |
|
| 317 |
+ assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys, |
|
| 318 |
+ sizeof(ctx->client_key2.keys))); |
|
| 319 |
+} |
|
| 320 |
+ |
|
| 321 |
+/** |
|
| 322 |
+ * Check wrapping and unwrapping a tls-crypt-v2 client key with maximum length |
|
| 323 |
+ * metadata. |
|
| 324 |
+ */ |
|
| 325 |
+static void |
|
| 326 |
+tls_crypt_v2_wrap_unwrap_max_metadata(void **state) {
|
|
| 327 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 328 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 329 |
+ |
|
| 330 |
+ uint8_t* metadata = |
|
| 331 |
+ buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN); |
|
| 332 |
+ assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN)); |
|
| 333 |
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, |
|
| 334 |
+ &ctx->metadata, |
|
| 335 |
+ &ctx->server_keys.encrypt, |
|
| 336 |
+ &ctx->gc)); |
|
| 337 |
+ |
|
| 338 |
+ struct buffer unwrap_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, |
|
| 339 |
+ &ctx->gc); |
|
| 340 |
+ struct key2 unwrapped_client_key2 = { 0 };
|
|
| 341 |
+ assert_true(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, |
|
| 342 |
+ &unwrap_metadata, ctx->wkc, |
|
| 343 |
+ &ctx->server_keys.decrypt)); |
|
| 344 |
+ |
|
| 345 |
+ assert_true(0 == memcmp(ctx->client_key2.keys, unwrapped_client_key2.keys, |
|
| 346 |
+ sizeof(ctx->client_key2.keys))); |
|
| 347 |
+ assert_true(buf_equal(&ctx->metadata, &unwrap_metadata)); |
|
| 348 |
+} |
|
| 349 |
+ |
|
| 350 |
+/** |
|
| 351 |
+ * Check that wrapping a tls-crypt-v2 client key with too long metadata fails |
|
| 352 |
+ * as expected. |
|
| 353 |
+ */ |
|
| 354 |
+static void |
|
| 355 |
+tls_crypt_v2_wrap_too_long_metadata(void **state) {
|
|
| 356 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 357 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 358 |
+ |
|
| 359 |
+ assert_true(buf_inc_len(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN+1)); |
|
| 360 |
+ assert_false(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, |
|
| 361 |
+ &ctx->metadata, |
|
| 362 |
+ &ctx->server_keys.encrypt, |
|
| 363 |
+ &ctx->gc)); |
|
| 364 |
+} |
|
| 365 |
+ |
|
| 366 |
+/** |
|
| 367 |
+ * Check that unwrapping a tls-crypt-v2 client key with the wrong server key |
|
| 368 |
+ * fails as expected. |
|
| 369 |
+ */ |
|
| 370 |
+static void |
|
| 371 |
+tls_crypt_v2_wrap_unwrap_wrong_key(void **state) {
|
|
| 372 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 373 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 374 |
+ |
|
| 375 |
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, |
|
| 376 |
+ &ctx->metadata, |
|
| 377 |
+ &ctx->server_keys.encrypt, |
|
| 378 |
+ &ctx->gc)); |
|
| 379 |
+ |
|
| 380 |
+ /* Change server key */ |
|
| 381 |
+ struct key_type kt = tls_crypt_kt(); |
|
| 382 |
+ free_key_ctx_bi(&ctx->server_keys); |
|
| 383 |
+ memset(&ctx->server_key2.keys, 0, sizeof(ctx->server_key2.keys)); |
|
| 384 |
+ init_key_ctx_bi(&ctx->server_keys, &ctx->server_key2, |
|
| 385 |
+ KEY_DIRECTION_BIDIRECTIONAL, &kt, |
|
| 386 |
+ "wrong tls-crypt-v2 server key"); |
|
| 387 |
+ |
|
| 388 |
+ |
|
| 389 |
+ struct key2 unwrapped_client_key2 = { 0 };
|
|
| 390 |
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, |
|
| 391 |
+ &ctx->unwrapped_metadata, |
|
| 392 |
+ ctx->wkc, |
|
| 393 |
+ &ctx->server_keys.decrypt)); |
|
| 394 |
+ |
|
| 395 |
+ const struct key2 zero = { 0 };
|
|
| 396 |
+ assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero))); |
|
| 397 |
+ assert_true(0 == BLEN(&ctx->unwrapped_metadata)); |
|
| 398 |
+} |
|
| 399 |
+ |
|
| 400 |
+/** |
|
| 401 |
+ * Check that unwrapping a tls-crypt-v2 client key to a too small metadata |
|
| 402 |
+ * buffer fails as expected. |
|
| 403 |
+ */ |
|
| 404 |
+static void |
|
| 405 |
+tls_crypt_v2_wrap_unwrap_dst_too_small(void **state) {
|
|
| 406 |
+ struct test_tls_crypt_v2_context *ctx = |
|
| 407 |
+ (struct test_tls_crypt_v2_context *) *state; |
|
| 408 |
+ |
|
| 409 |
+ uint8_t* metadata = |
|
| 410 |
+ buf_write_alloc(&ctx->metadata, TLS_CRYPT_V2_MAX_METADATA_LEN); |
|
| 411 |
+ assert_true(rand_bytes(metadata, TLS_CRYPT_V2_MAX_METADATA_LEN)); |
|
| 412 |
+ assert_true(tls_crypt_v2_wrap_client_key(&ctx->wkc, &ctx->client_key2, |
|
| 413 |
+ &ctx->metadata, |
|
| 414 |
+ &ctx->server_keys.encrypt, |
|
| 415 |
+ &ctx->gc)); |
|
| 416 |
+ |
|
| 417 |
+ struct key2 unwrapped_client_key2 = { 0 };
|
|
| 418 |
+ struct buffer unwrapped_metadata = |
|
| 419 |
+ alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN-1, &ctx->gc); |
|
| 420 |
+ assert_false(tls_crypt_v2_unwrap_client_key(&unwrapped_client_key2, |
|
| 421 |
+ &unwrapped_metadata, ctx->wkc, |
|
| 422 |
+ &ctx->server_keys.decrypt)); |
|
| 423 |
+ |
|
| 424 |
+ const struct key2 zero = { 0 };
|
|
| 425 |
+ assert_true(0 == memcmp(&unwrapped_client_key2, &zero, sizeof(zero))); |
|
| 426 |
+ assert_true(0 == BLEN(&ctx->unwrapped_metadata)); |
|
| 427 |
+} |
|
| 428 |
+ |
|
| 239 | 429 |
int |
| 240 | 430 |
main(void) {
|
| 241 | 431 |
const struct CMUnitTest tests[] = {
|
| 242 |
- cmocka_unit_test_setup_teardown(tls_crypt_loopback, setup, teardown), |
|
| 432 |
+ cmocka_unit_test_setup_teardown(tls_crypt_loopback, |
|
| 433 |
+ test_tls_crypt_setup, |
|
| 434 |
+ test_tls_crypt_teardown), |
|
| 243 | 435 |
cmocka_unit_test_setup_teardown(tls_crypt_loopback_zero_len, |
| 244 |
- setup, teardown), |
|
| 436 |
+ test_tls_crypt_setup, |
|
| 437 |
+ test_tls_crypt_teardown), |
|
| 245 | 438 |
cmocka_unit_test_setup_teardown(tls_crypt_loopback_max_len, |
| 246 |
- setup, teardown), |
|
| 439 |
+ test_tls_crypt_setup, |
|
| 440 |
+ test_tls_crypt_teardown), |
|
| 247 | 441 |
cmocka_unit_test_setup_teardown(tls_crypt_fail_msg_too_long, |
| 248 |
- setup, teardown), |
|
| 442 |
+ test_tls_crypt_setup, |
|
| 443 |
+ test_tls_crypt_teardown), |
|
| 249 | 444 |
cmocka_unit_test_setup_teardown(tls_crypt_fail_invalid_key, |
| 250 |
- setup, teardown), |
|
| 445 |
+ test_tls_crypt_setup, |
|
| 446 |
+ test_tls_crypt_teardown), |
|
| 251 | 447 |
cmocka_unit_test_setup_teardown(tls_crypt_fail_replay, |
| 252 |
- setup, teardown), |
|
| 448 |
+ test_tls_crypt_setup, |
|
| 449 |
+ test_tls_crypt_teardown), |
|
| 253 | 450 |
cmocka_unit_test_setup_teardown(tls_crypt_ignore_replay, |
| 254 |
- setup, teardown), |
|
| 451 |
+ test_tls_crypt_setup, |
|
| 452 |
+ test_tls_crypt_teardown), |
|
| 453 |
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_no_metadata, |
|
| 454 |
+ test_tls_crypt_v2_setup, |
|
| 455 |
+ test_tls_crypt_v2_teardown), |
|
| 456 |
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_max_metadata, |
|
| 457 |
+ test_tls_crypt_v2_setup, |
|
| 458 |
+ test_tls_crypt_v2_teardown), |
|
| 459 |
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_too_long_metadata, |
|
| 460 |
+ test_tls_crypt_v2_setup, |
|
| 461 |
+ test_tls_crypt_v2_teardown), |
|
| 462 |
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_wrong_key, |
|
| 463 |
+ test_tls_crypt_v2_setup, |
|
| 464 |
+ test_tls_crypt_v2_teardown), |
|
| 465 |
+ cmocka_unit_test_setup_teardown(tls_crypt_v2_wrap_unwrap_dst_too_small, |
|
| 466 |
+ test_tls_crypt_v2_setup, |
|
| 467 |
+ test_tls_crypt_v2_teardown), |
|
| 255 | 468 |
}; |
| 256 | 469 |
|
| 257 | 470 |
#if defined(ENABLE_CRYPTO_OPENSSL) |