From: Apoorv Kothari <apoorvko@amazon.com>
To: <sd@queasysnail.net>
Cc: <fkrenzel@redhat.com>, <netdev@vger.kernel.org>
Subject: [PATCH net-next 5/5] selftests: tls: add rekey tests
Date: Thu, 19 Jan 2023 22:51:42 -0800 [thread overview]
Message-ID: <20230120065142.78346-1-apoorvko@amazon.com> (raw)
In-Reply-To: <803aee7cbc1321a06795ec194685931d6aeec53d.1673952268.git.sd@queasysnail.net>
> Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
> ---
> tools/testing/selftests/net/tls.c | 258 ++++++++++++++++++++++++++++++
> 1 file changed, 258 insertions(+)
>
> diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
> index 5f3adb28fee1..97c20e2246e1 100644
> --- a/tools/testing/selftests/net/tls.c
> +++ b/tools/testing/selftests/net/tls.c
> @@ -1453,6 +1453,264 @@ TEST_F(tls, shutdown_reuse)
> EXPECT_EQ(errno, EISCONN);
> }
>
> +#define TLS_RECORD_TYPE_HANDSHAKE 0x16
> +/* key_update, length 1, update_not_requested */
> +static const char key_update_msg[] = "\x18\x00\x00\x01\x00";
> +static void tls_send_keyupdate(struct __test_metadata *_metadata, int fd)
> +{
> + size_t len = sizeof(key_update_msg);
> +
> + EXPECT_EQ(tls_send_cmsg(fd, TLS_RECORD_TYPE_HANDSHAKE,
> + (char *)key_update_msg, len, 0),
> + len);
> +}
> +
> +static void tls_recv_keyupdate(struct __test_metadata *_metadata, int fd, int flags)
> +{
> + char buf[100];
> +
> + EXPECT_EQ(tls_recv_cmsg(_metadata, fd, TLS_RECORD_TYPE_HANDSHAKE, buf, sizeof(buf), flags),
> + sizeof(key_update_msg));
> + EXPECT_EQ(memcmp(buf, key_update_msg, sizeof(key_update_msg)), 0);
> +}
> +
> +/* set the key to 0 then 1 for RX, immediately to 1 for TX */
> +TEST_F(tls_basic, rekey_rx)
> +{
> + struct tls_crypto_info_keys tls12_0, tls12_1;
nit: Did you mean tls13_0 and tls13_1? There are also a few others in this patch.
> + char const *test_str = "test_message";
> + int send_len = strlen(test_str) + 1;
> + char buf[20];
> + int ret;
> +
> + if (self->notls)
> + return;
> +
> + tls_crypto_info_init(TLS_1_3_VERSION, TLS_CIPHER_AES_GCM_128,
> + &tls12_0, 0);
> + tls_crypto_info_init(TLS_1_3_VERSION, TLS_CIPHER_AES_GCM_128,
> + &tls12_1, 1);
> +
> +
> + ret = setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12_1, tls12_1.len);
> + ASSERT_EQ(ret, 0);
> +
> + ret = setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12_0, tls12_0.len);
> + ASSERT_EQ(ret, 0);
> +
> + ret = setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12_1, tls12_1.len);
> + EXPECT_EQ(ret, 0);
> +
> + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
> + EXPECT_EQ(recv(self->cfd, buf, send_len, 0), send_len);
> + EXPECT_EQ(memcmp(buf, test_str, send_len), 0);
> +}
> +
> +/* set the key to 0 then 1 for TX, immediately to 1 for RX */
> +TEST_F(tls_basic, rekey_tx)
> +{
> + struct tls_crypto_info_keys tls12_0, tls12_1;
> + char const *test_str = "test_message";
> + int send_len = strlen(test_str) + 1;
> + char buf[20];
> + int ret;
> +
> + if (self->notls)
> + return;
> +
> + tls_crypto_info_init(TLS_1_3_VERSION, TLS_CIPHER_AES_GCM_128,
> + &tls12_0, 0);
> + tls_crypto_info_init(TLS_1_3_VERSION, TLS_CIPHER_AES_GCM_128,
> + &tls12_1, 1);
> +
> +
> + ret = setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12_0, tls12_0.len);
> + ASSERT_EQ(ret, 0);
> +
> + ret = setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12_1, tls12_1.len);
> + ASSERT_EQ(ret, 0);
> +
> + ret = setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12_1, tls12_1.len);
> + EXPECT_EQ(ret, 0);
> +
> + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
> + EXPECT_EQ(recv(self->cfd, buf, send_len, 0), send_len);
> + EXPECT_EQ(memcmp(buf, test_str, send_len), 0);
> +}
> +
> +TEST_F(tls, rekey)
> +{
> + char const *test_str_1 = "test_message_before_rekey";
> + char const *test_str_2 = "test_message_after_rekey";
> + struct tls_crypto_info_keys tls12;
> + int send_len;
> + char buf[100];
> +
> + if (variant->tls_version != TLS_1_3_VERSION)
> + return;
> +
> + /* initial send/recv */
> + send_len = strlen(test_str_1) + 1;
> + EXPECT_EQ(send(self->fd, test_str_1, send_len, 0), send_len);
> + EXPECT_EQ(recv(self->cfd, buf, send_len, 0), send_len);
> + EXPECT_EQ(memcmp(buf, test_str_1, send_len), 0);
> +
> + /* update TX key */
> + tls_send_keyupdate(_metadata, self->fd);
> + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12, 1);
> + EXPECT_EQ(setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12, tls12.len), 0);
> +
> + /* send after rekey */
> + send_len = strlen(test_str_2) + 1;
> + EXPECT_EQ(send(self->fd, test_str_2, send_len, 0), send_len);
> +
> + /* can't receive the KeyUpdate without a control message */
> + EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1);
> +
> + /* get KeyUpdate */
> + tls_recv_keyupdate(_metadata, self->cfd, 0);
> +
> + /* recv blocking -> -EKEYEXPIRED */
> + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), 0), -1);
> + EXPECT_EQ(errno, EKEYEXPIRED);
> +
> + /* recv non-blocking -> -EKEYEXPIRED */
> + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1);
> + EXPECT_EQ(errno, EKEYEXPIRED);
> +
> + /* update RX key */
> + EXPECT_EQ(setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12, tls12.len), 0);
> +
> + /* recv after rekey */
> + EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1);
> + EXPECT_EQ(memcmp(buf, test_str_2, send_len), 0);
> +}
> +
> +TEST_F(tls, rekey_peek)
> +{
> + char const *test_str_1 = "test_message_before_rekey";
> + struct tls_crypto_info_keys tls12;
> + int send_len;
> + char buf[100];
> +
> + if (variant->tls_version != TLS_1_3_VERSION)
> + return;
> +
> + send_len = strlen(test_str_1) + 1;
> + EXPECT_EQ(send(self->fd, test_str_1, send_len, 0), send_len);
> +
> + /* update TX key */
> + tls_send_keyupdate(_metadata, self->fd);
> + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12, 1);
> + EXPECT_EQ(setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12, tls12.len), 0);
> +
> + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_PEEK), send_len);
> + EXPECT_EQ(memcmp(buf, test_str_1, send_len), 0);
> +
> + EXPECT_EQ(recv(self->cfd, buf, send_len, 0), send_len);
> + EXPECT_EQ(memcmp(buf, test_str_1, send_len), 0);
> +
> + /* can't receive the KeyUpdate without a control message */
> + EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), -1);
> +
> + /* peek KeyUpdate */
> + tls_recv_keyupdate(_metadata, self->cfd, MSG_PEEK);
> +
> + /* get KeyUpdate */
> + tls_recv_keyupdate(_metadata, self->cfd, 0);
> +
> + /* update RX key */
> + EXPECT_EQ(setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12, tls12.len), 0);
> +}
> +
> +TEST_F(tls, splice_rekey)
> +{
> + int send_len = TLS_PAYLOAD_MAX_LEN / 2;
> + char mem_send[TLS_PAYLOAD_MAX_LEN];
> + char mem_recv[TLS_PAYLOAD_MAX_LEN];
> + struct tls_crypto_info_keys tls12;
> + int p[2];
> +
> + if (variant->tls_version != TLS_1_3_VERSION)
> + return;
> +
> + memrnd(mem_send, sizeof(mem_send));
> +
> + ASSERT_GE(pipe(p), 0);
> + EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len);
> +
> + /* update TX key */
> + tls_send_keyupdate(_metadata, self->fd);
> + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12, 1);
> + EXPECT_EQ(setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12, tls12.len), 0);
> +
> + EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len);
> +
> + EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, TLS_PAYLOAD_MAX_LEN, 0), send_len);
> + EXPECT_EQ(read(p[0], mem_recv, send_len), send_len);
> + EXPECT_EQ(memcmp(mem_send, mem_recv, send_len), 0);
> +
> + /* can't splice the KeyUpdate */
> + EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, TLS_PAYLOAD_MAX_LEN, 0), -1);
> + EXPECT_EQ(errno, EINVAL);
> +
> + /* peek KeyUpdate */
> + tls_recv_keyupdate(_metadata, self->cfd, MSG_PEEK);
> +
> + /* get KeyUpdate */
> + tls_recv_keyupdate(_metadata, self->cfd, 0);
> +
> + /* can't splice before updating the key */
> + EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, TLS_PAYLOAD_MAX_LEN, 0), -1);
> + EXPECT_EQ(errno, EKEYEXPIRED);
> +
> + /* update RX key */
> + EXPECT_EQ(setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12, tls12.len), 0);
> +
> + EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, TLS_PAYLOAD_MAX_LEN, 0), send_len);
> + EXPECT_EQ(read(p[0], mem_recv, send_len), send_len);
> + EXPECT_EQ(memcmp(mem_send, mem_recv, send_len), 0);
> +}
> +
> +TEST_F(tls, rekey_getsockopt)
> +{
> + struct tls_crypto_info_keys tls12;
> + struct tls_crypto_info_keys tls12_get;
> + socklen_t len;
> +
> + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12, 0);
> +
> + len = tls12.len;
> + EXPECT_EQ(getsockopt(self->fd, SOL_TLS, TLS_TX, &tls12_get, &len), 0);
> + EXPECT_EQ(len, tls12.len);
> + EXPECT_EQ(memcmp(&tls12_get, &tls12, tls12.len), 0);
> +
> + len = tls12.len;
> + EXPECT_EQ(getsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12_get, &len), 0);
> + EXPECT_EQ(len, tls12.len);
> + EXPECT_EQ(memcmp(&tls12_get, &tls12, tls12.len), 0);
> +
> + if (variant->tls_version != TLS_1_3_VERSION)
> + return;
> +
> + tls_send_keyupdate(_metadata, self->fd);
> + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12, 1);
> + EXPECT_EQ(setsockopt(self->fd, SOL_TLS, TLS_TX, &tls12, tls12.len), 0);
> +
> + tls_recv_keyupdate(_metadata, self->cfd, 0);
> + EXPECT_EQ(setsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12, tls12.len), 0);
> +
> + len = tls12.len;
> + EXPECT_EQ(getsockopt(self->fd, SOL_TLS, TLS_TX, &tls12_get, &len), 0);
> + EXPECT_EQ(len, tls12.len);
> + EXPECT_EQ(memcmp(&tls12_get, &tls12, tls12.len), 0);
> +
> + len = tls12.len;
> + EXPECT_EQ(getsockopt(self->cfd, SOL_TLS, TLS_RX, &tls12_get, &len), 0);
> + EXPECT_EQ(len, tls12.len);
> + EXPECT_EQ(memcmp(&tls12_get, &tls12, tls12.len), 0);
> +}
> +
> FIXTURE(tls_err)
> {
> int fd, cfd;
> --
> 2.38.1
next prev parent reply other threads:[~2023-01-20 6:51 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-17 13:45 [PATCH net-next 0/5] tls: implement key updates for TLS1.3 Sabrina Dubroca
2023-01-17 13:45 ` [PATCH net-next 1/5] tls: remove tls_context argument from tls_set_sw_offload Sabrina Dubroca
2023-01-18 23:12 ` Vadim Fedorenko
2023-01-17 13:45 ` [PATCH net-next 2/5] tls: block decryption when a rekey is pending Sabrina Dubroca
2023-01-19 2:10 ` [PATCH net-next 0/5] tls: implement key updates for TLS1.3 Apoorv Kothari
2023-01-17 13:45 ` [PATCH net-next 3/5] tls: implement rekey " Sabrina Dubroca
2023-01-17 23:16 ` Kuniyuki Iwashima
2023-01-18 10:38 ` Sabrina Dubroca
2023-01-19 1:25 ` Apoorv Kothari
2023-01-19 15:16 ` Sabrina Dubroca
2023-01-18 23:10 ` Vadim Fedorenko
2023-01-19 15:14 ` Sabrina Dubroca
2023-01-17 13:45 ` [PATCH net-next 4/5] selftests: tls: add key_generation argument to tls_crypto_info_init Sabrina Dubroca
2023-01-17 13:45 ` [PATCH net-next 5/5] selftests: tls: add rekey tests Sabrina Dubroca
2023-01-20 6:51 ` Apoorv Kothari [this message]
2023-01-18 2:03 ` [PATCH net-next 0/5] tls: implement key updates for TLS1.3 Jakub Kicinski
2023-01-18 10:06 ` Sabrina Dubroca
2023-01-19 2:55 ` Jakub Kicinski
2023-01-19 9:27 ` Gal Pressman
2023-01-23 10:13 ` Boris Pismenny
2023-01-24 15:56 ` Sabrina Dubroca
2023-01-25 18:47 ` Apoorv Kothari
2023-01-25 18:57 ` Jakub Kicinski
2023-01-25 21:17 ` Simo Sorce
2023-01-25 22:43 ` Jakub Kicinski
2023-01-25 23:05 ` Simo Sorce
2023-01-25 23:08 ` Jakub Kicinski
2023-01-25 23:52 ` Simo Sorce
2023-01-19 15:40 ` Sabrina Dubroca
2023-01-19 17:00 ` Jakub Kicinski
2023-01-19 20:51 ` Apoorv Kothari
2023-01-20 1:37 ` Vadim Fedorenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230120065142.78346-1-apoorvko@amazon.com \
--to=apoorvko@amazon.com \
--cc=fkrenzel@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).