From nobody Mon Nov 15 20:03:51 2021
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id BEF891889761;
	Mon, 15 Nov 2021 20:03:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HtKrl2p6jz3D6q;
	Mon, 15 Nov 2021 20:03:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 292B21FE40;
	Mon, 15 Nov 2021 20:03:51 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1AFK3ph5087745;
	Mon, 15 Nov 2021 20:03:51 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1AFK3pCd087744;
	Mon, 15 Nov 2021 20:03:51 GMT
	(envelope-from git)
Date: Mon, 15 Nov 2021 20:03:51 GMT
Message-Id: <202111152003.1AFK3pCd087744@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: John Baldwin <jhb@FreeBSD.org>
Subject: git: 0ff2a12ae32a - main - ktls: Add tests for sending empty fragments for TLS 1.0 connections.
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0ff2a12ae32a3a88be63f4036599c1324ce04f78
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ff2a12ae32a3a88be63f4036599c1324ce04f78

commit 0ff2a12ae32a3a88be63f4036599c1324ce04f78
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2021-11-15 19:27:15 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2021-11-15 19:28:12 +0000

    ktls: Add tests for sending empty fragments for TLS 1.0 connections.
    
    Reviewed by:    markj
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D32841
---
 tests/sys/kern/ktls_test.c | 85 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

diff --git a/tests/sys/kern/ktls_test.c b/tests/sys/kern/ktls_test.c
index bf2b81645d31..423ccf65cb0c 100644
--- a/tests/sys/kern/ktls_test.c
+++ b/tests/sys/kern/ktls_test.c
@@ -911,6 +911,64 @@ test_ktls_transmit_control(struct tls_enable *en, uint64_t seqno, uint8_t type,
 	close(sockets[0]);
 }
 
+static void
+test_ktls_transmit_empty_fragment(struct tls_enable *en, uint64_t seqno)
+{
+	struct tls_record_layer *hdr;
+	char *outbuf;
+	size_t outbuf_cap, payload_len, record_len;
+	ssize_t rv;
+	int sockets[2];
+	uint8_t record_type;
+
+	outbuf_cap = tls_header_len(en) + tls_trailer_len(en);
+	outbuf = malloc(outbuf_cap);
+	hdr = (struct tls_record_layer *)outbuf;
+
+	ATF_REQUIRE_MSG(socketpair_tcp(sockets), "failed to create sockets");
+
+	ATF_REQUIRE(setsockopt(sockets[1], IPPROTO_TCP, TCP_TXTLS_ENABLE, en,
+	    sizeof(*en)) == 0);
+
+	fd_set_blocking(sockets[0]);
+	fd_set_blocking(sockets[1]);
+
+	/* A write of zero bytes should send an empty fragment. */
+	rv = write(sockets[1], NULL, 0);
+	ATF_REQUIRE(rv == 0);
+
+	/*
+	 * First read the header to determine how much additional data
+	 * to read.
+	 */
+	rv = read(sockets[0], outbuf, sizeof(struct tls_record_layer));
+	ATF_REQUIRE(rv == sizeof(struct tls_record_layer));
+	payload_len = ntohs(hdr->tls_length);
+	record_len = payload_len + sizeof(struct tls_record_layer);
+	ATF_REQUIRE(record_len <= outbuf_cap);
+	rv = read(sockets[0], outbuf + sizeof(struct tls_record_layer),
+	    payload_len);
+	ATF_REQUIRE(rv == (ssize_t)payload_len);
+
+	rv = decrypt_tls_record(en, seqno, outbuf, record_len, NULL, 0,
+	    &record_type);
+
+	ATF_REQUIRE_MSG(rv == 0,
+	    "read %zd decrypted bytes for an empty fragment", rv);
+	ATF_REQUIRE(record_type == TLS_RLTYPE_APP);
+
+	free(outbuf);
+
+	close(sockets[1]);
+	close(sockets[0]);
+}
+
+#define	TLS_10_TESTS(M)							\
+	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
+	    CRYPTO_SHA1_HMAC)						\
+	M(aes256_cbc_1_0_sha1, CRYPTO_AES_CBC, 256 / 8,			\
+	    CRYPTO_SHA1_HMAC)
+
 #define	AES_CBC_TESTS(M)						\
 	M(aes128_cbc_1_0_sha1, CRYPTO_AES_CBC, 128 / 8,			\
 	    CRYPTO_SHA1_HMAC, TLS_MINOR_VER_ZERO)			\
@@ -989,6 +1047,26 @@ ATF_TC_BODY(ktls_transmit_##cipher_name##_##name, tc)			\
 	    auth_alg, minor, name)					\
 	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_##name);
 
+#define GEN_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
+	    key_size, auth_alg)						\
+ATF_TC_WITHOUT_HEAD(ktls_transmit_##cipher_name##_empty_fragment);	\
+ATF_TC_BODY(ktls_transmit_##cipher_name##_empty_fragment, tc)		\
+{									\
+	struct tls_enable en;						\
+	uint64_t seqno;							\
+									\
+	ATF_REQUIRE_KTLS();						\
+	seqno = random();						\
+	build_tls_enable(cipher_alg, key_size, auth_alg,		\
+	    TLS_MINOR_VER_ZERO,	seqno, &en);				\
+	test_ktls_transmit_empty_fragment(&en, seqno);			\
+	free_tls_enable(&en);						\
+}
+
+#define ADD_TRANSMIT_EMPTY_FRAGMENT_TEST(cipher_name, cipher_alg,	\
+	    key_size, auth_alg)						\
+	ATF_TP_ADD_TC(tp, ktls_transmit_##cipher_name##_empty_fragment);
+
 #define GEN_TRANSMIT_TESTS(cipher_name, cipher_alg, key_size, auth_alg,	\
 	    minor)							\
 	GEN_TRANSMIT_APP_DATA_TEST(cipher_name, cipher_alg, key_size,	\
@@ -1103,12 +1181,19 @@ CHACHA20_TESTS(GEN_TRANSMIT_TESTS);
  */
 AES_CBC_TESTS(GEN_TRANSMIT_PADDING_TESTS);
 
+/*
+ * Test "empty fragments" which are TLS records with no payload that
+ * OpenSSL can send for TLS 1.0 connections.
+ */
+TLS_10_TESTS(GEN_TRANSMIT_EMPTY_FRAGMENT_TEST);
+
 ATF_TP_ADD_TCS(tp)
 {
 	AES_CBC_TESTS(ADD_TRANSMIT_TESTS);
 	AES_GCM_TESTS(ADD_TRANSMIT_TESTS);
 	CHACHA20_TESTS(ADD_TRANSMIT_TESTS);
 	AES_CBC_TESTS(ADD_TRANSMIT_PADDING_TESTS);
+	TLS_10_TESTS(ADD_TRANSMIT_EMPTY_FRAGMENT_TEST);
 
 	return (atf_no_error());
 }