tls13: Add checks of overread check failures
In Certificate message parsing tests with
invalid vector lengths, add checks that the
parsing failed on the expected overread check.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 29a065b..97eccbd 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -106,6 +106,22 @@
opts->resize_buffers = 1;
}
+#if defined(MBEDTLS_TEST_HOOKS)
+static void set_chk_buf_ptr_args(
+ mbedtls_ssl_chk_buf_ptr_args *args,
+ unsigned char *cur, unsigned char *end, size_t need )
+{
+ args->cur = cur;
+ args->end = end;
+ args->need = need;
+}
+
+static void reset_chk_buf_ptr_args( mbedtls_ssl_chk_buf_ptr_args *args )
+{
+ memset( args, 0, sizeof( *args ) );
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+
/*
* Buffer structure for custom I/O callbacks.
*/
@@ -2308,6 +2324,7 @@
}
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
+#if defined(MBEDTLS_TEST_HOOKS)
/*
* Tweak vector lengths in a TLS 1.3 Certificate message
*
@@ -2320,7 +2337,8 @@
* MBEDTLS_SSL_CHK_BUF_READ_PTR failure is expected.
*/
int tweak_tls13_certificate_msg_vector_len(
- unsigned char *buf, unsigned char **end, int tweak, int *expected_result )
+ unsigned char *buf, unsigned char **end, int tweak,
+ int *expected_result, mbedtls_ssl_chk_buf_ptr_args *args )
{
/*
* The definition of the tweaks assume that the certificate list contains only
@@ -2362,6 +2380,7 @@
* certificate list length can be read
*/
*end = buf + 3;
+ set_chk_buf_ptr_args( args, buf, *end, 4 );
break;
case 2:
@@ -2369,34 +2388,46 @@
*/
*p_certificate_request_context_len =
certificate_request_context_len + 1;
+ reset_chk_buf_ptr_args( args );
break;
case 3:
/* Failure when checking if certificate_list data can be read. */
MBEDTLS_PUT_UINT24_BE( certificate_list_len + 1,
p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, certificate_list, *end,
+ certificate_list_len + 1 );
break;
case 4:
/* Failure when checking if the cert_data length can be read. */
MBEDTLS_PUT_UINT24_BE( 2, p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_cert_data_len, certificate_list + 2, 3 );
break;
case 5:
/* Failure when checking if cert_data data can be read. */
MBEDTLS_PUT_UINT24_BE( certificate_list_len - 3 + 1,
p_cert_data_len, 0 );
+ set_chk_buf_ptr_args( args, cert_data,
+ certificate_list + certificate_list_len,
+ certificate_list_len - 3 + 1 );
break;
case 6:
/* Failure when checking if the extensions length can be read. */
MBEDTLS_PUT_UINT24_BE( certificate_list_len - extensions_len - 1,
p_certificate_list_len, 0 );
+ set_chk_buf_ptr_args( args, p_extensions_len,
+ certificate_list + certificate_list_len - extensions_len - 1, 2 );
break;
case 7:
/* Failure when checking if extensions data can be read. */
MBEDTLS_PUT_UINT16_BE( extensions_len + 1, p_extensions_len, 0 );
+
+ set_chk_buf_ptr_args( args, extensions,
+ certificate_list + certificate_list_len, extensions_len + 1 );
break;
default:
@@ -2405,6 +2436,7 @@
return( 0 );
}
+#endif /* MBEDTLS_TEST_HOOKS */
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -5815,6 +5847,7 @@
size_t buf_len;
int step = 0;
int expected_result;
+ mbedtls_ssl_chk_buf_ptr_args expected_chk_buf_ptr_args;
/*
* Test set-up
@@ -5862,7 +5895,7 @@
*/
ret = tweak_tls13_certificate_msg_vector_len(
- buf, &end, step, &expected_result );
+ buf, &end, step, &expected_result, &expected_chk_buf_ptr_args );
if( ret != 0 )
break;
@@ -5870,6 +5903,11 @@
ret = mbedtls_ssl_tls13_parse_certificate( &(client_ep.ssl), buf, end );
TEST_EQUAL( ret, expected_result );
+ TEST_ASSERT( mbedtls_ssl_cmp_chk_buf_ptr_fail_args(
+ &expected_chk_buf_ptr_args ) == 0 );
+
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
+
ret = mbedtls_ssl_session_reset( &(client_ep.ssl) );
TEST_EQUAL( ret, 0 );
@@ -5878,6 +5916,7 @@
}
exit:
+ mbedtls_ssl_reset_chk_buf_ptr_fail_args( );
mbedtls_endpoint_free( &client_ep, NULL );
mbedtls_endpoint_free( &server_ep, NULL );
USE_PSA_DONE( );