Add known answer tests for TLS 1.3 record protection
This commit adds four known answer tests for TLS 1.3 record protection
from the following sources:
- RFC 8448 "Example Handshake Traces for TLS 1.3"
- tls13.ulfheim.net "The New Illustrated TLS Connection"
It extends the test coverage of the existing record protection tests
in the following ways:
- The existing record protection tests hand-craft record transform
structures; the new tests use the function
mbedtls_ssl_tls13_populate_transform()
from library source to create an TLS 1.3 transform from raw
key material and connection information.
- The existing record protection tests only check that encryption
and decryption are inverse to each other; as such, they don't
catch non-compliant implementations of encryption and decryption
which happen to be inverse to each other. By adding a known answer
test for TLS 1.3 record protection, can gain confidence that our
implementation is indeed standards-compliant.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 5d92469..efedd06 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -6021,6 +6021,61 @@
# Vector from RFC 8448
ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803"
+SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1
+# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
+# - Server App IV: 1b13dd9f8d8f17091d34b349
+# - Client App Key: 49134b95328f279f0183860589ac6707
+# - Client App IV: bc4dd5f7b98acff85466261d
+# - App data payload: 70696e67
+# - Complete record: 1703030015c74061535eb12f5f25a781957874742ab7fb305dd5
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
+
+SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
+# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
+# - Server App IV: 1b13dd9f8d8f17091d34b349
+# - Client App Key: 49134b95328f279f0183860589ac6707
+# - Client App IV: bc4dd5f7b98acff85466261d
+# - App data payload: 706f6e67
+# - Complete record: 1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
+
+SSL TLS 1.3 Record Encryption RFC 8448 Example #1
+# Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3
+# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
+# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84
+# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
+# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9
+# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
+# 30 31
+# - Complete record: 17 03 03 00 43 a2 3f 70 54 b6 2c 94 d0 af fa fe
+# 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f
+# 2b 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b
+# 62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6
+# 3a ee bb 21 69 49 15 e4
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
+
+SSL TLS 1.3 Record Encryption RFC 8448 Example #2
+# Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3
+# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
+# - Server App IV: cf 78 2b 88 dd 83 54 9a ad f1 e9 84
+# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
+# - Client App IV: 5b 78 92 3d ee 08 57 90 33 e5 23 d9
+# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+# 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+# 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
+# 30 31
+# - Complete record: 17 03 03 00 43 2e 93 7e 11 ef 4a c7 40 e5 38 ad
+# 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36
+# e3 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8
+# fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54
+# 0d d0 32 e1 67 c2 95 5d
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
+
+SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
+ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
SSL TLS 1.3 Key schedule: Application secrets derivation helper
# Vector from RFC 8448
ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4"
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 081e8a4..a83d6e2 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3944,6 +3944,92 @@
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+void ssl_tls1_3_record_protection( int ciphersuite,
+ int endpoint,
+ int ctr,
+ data_t *server_write_key,
+ data_t *server_write_iv,
+ data_t *client_write_key,
+ data_t *client_write_iv,
+ data_t *plaintext,
+ data_t *ciphertext )
+{
+ mbedtls_ssl_key_set keys;
+ mbedtls_ssl_transform transform_send;
+ mbedtls_ssl_transform transform_recv;
+ mbedtls_record rec;
+ unsigned char *buf = NULL;
+ int other_endpoint;
+
+ TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
+ endpoint == MBEDTLS_SSL_IS_SERVER );
+
+ if( endpoint == MBEDTLS_SSL_IS_SERVER )
+ other_endpoint = MBEDTLS_SSL_IS_CLIENT;
+ if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+ other_endpoint = MBEDTLS_SSL_IS_SERVER;
+
+ TEST_ASSERT( server_write_key->len == client_write_key->len );
+ TEST_ASSERT( server_write_iv->len == client_write_iv->len );
+
+ memcpy( keys.client_write_key,
+ client_write_key->x, client_write_key->len );
+ memcpy( keys.client_write_iv,
+ client_write_iv->x, client_write_iv->len );
+ memcpy( keys.server_write_key,
+ server_write_key->x, server_write_key->len );
+ memcpy( keys.server_write_iv,
+ server_write_iv->x, server_write_iv->len );
+
+ keys.key_len = server_write_key->len;
+ keys.iv_len = server_write_iv->len;
+
+ mbedtls_ssl_transform_init( &transform_recv );
+ mbedtls_ssl_transform_init( &transform_send );
+
+ TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+ &transform_send, endpoint,
+ ciphersuite, &keys, NULL ) == 0 );
+ TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+ &transform_recv, other_endpoint,
+ ciphersuite, &keys, NULL ) == 0 );
+
+ ASSERT_ALLOC( buf, ciphertext->len );
+ rec.type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+ mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
+ MBEDTLS_SSL_MINOR_VERSION_3,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ rec.ver );
+
+ /* Copy plaintext into record structure */
+ rec.buf = buf;
+ rec.buf_len = ciphertext->len;
+ rec.data_offset = 0;
+ TEST_ASSERT( plaintext->len <= ciphertext->len );
+ memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
+ rec.data_len = plaintext->len;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+ rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+ memset( &rec.ctr[0], 0, 8 );
+ rec.ctr[7] = ctr;
+
+ TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
+ NULL, NULL ) == 0 );
+ ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+ ciphertext->x, ciphertext->len );
+
+ TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
+ ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+ plaintext->x, plaintext->len );
+
+ mbedtls_ssl_transform_free( &transform_send );
+ mbedtls_ssl_transform_free( &transform_recv );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
void ssl_tls1_3_key_evolution( int hash_alg,
data_t *secret,
data_t *input,
