Merge pull request #1790 from private-octopus/code-coverage-202411

Additional tests of tls_api.c
private-octopus · Nov 27, 2024 · 390a4e7 · 390a4e7
2 parents 4bdf7c7 + 4a13afc
commit 390a4e7
Show file tree

Hide file tree

Showing 8 changed files with 278 additions and 391 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -8,7 +8,7 @@ else()
 endif()
 
 project(picoquic
-        VERSION 1.1.28.4
+        VERSION 1.1.28.5
         DESCRIPTION "picoquic library"
         LANGUAGES C CXX)
 

diff --git a/UnitTest1/unittest1.cpp b/UnitTest1/unittest1.cpp
@@ -1264,6 +1264,12 @@ namespace UnitTest1
 
             Assert::AreEqual(ret, 0);
         }
+
+        TEST_METHOD(keylog) {
+            int ret = keylog_test();
+
+            Assert::AreEqual(ret, 0);
+        }
 
         TEST_METHOD(draft17_vector)
         {
@@ -2982,6 +2988,17 @@ namespace UnitTest1
             Assert::AreEqual(ret, 0);
         }
 
+        TEST_METHOD(get_hash) {
+            int ret = get_hash_test();
+
+            Assert::AreEqual(ret, 0);
+        }
+
+        TEST_METHOD(get_tls_errors) {
+            int ret = get_tls_errors_test();
+
+            Assert::AreEqual(ret, 0);
+        }
         TEST_METHOD(getter) {
             int ret = getter_test();
 

diff --git a/picoquic/picoquic.h b/picoquic/picoquic.h
@@ -40,7 +40,7 @@
 extern "C" {
 #endif
 
-#define PICOQUIC_VERSION "1.1.28.4"
+#define PICOQUIC_VERSION "1.1.28.5"
 #define PICOQUIC_ERROR_CLASS 0x400
 #define PICOQUIC_ERROR_DUPLICATE (PICOQUIC_ERROR_CLASS + 1)
 #define PICOQUIC_ERROR_AEAD_CHECK (PICOQUIC_ERROR_CLASS + 3)

diff --git a/picoquic/tls_api.c b/picoquic/tls_api.c
@@ -366,7 +366,7 @@ int picoquic_set_cipher_suite(picoquic_quic_t* quic, int cipher_suite_id)
 }
 
 /* Obtain AES128GCM SHA256, AES256GCM_SHA384 or CHACHA20 suite according to current provider */
-ptls_cipher_suite_t* picoquic_get_selected_cipher_suite_by_id(int cipher_suite_id, int use_low_memory)
+ptls_cipher_suite_t* picoquic_get_cipher_suite_by_id(int cipher_suite_id, int use_low_memory)
 {
     ptls_cipher_suite_t* selected_suites[4];
     ptls_cipher_suite_t* cipher;
@@ -377,13 +377,8 @@ ptls_cipher_suite_t* picoquic_get_selected_cipher_suite_by_id(int cipher_suite_i
     else {
         cipher = selected_suites[0];
     }
-
-    return cipher;
-}
 
-static ptls_cipher_suite_t* picoquic_get_cipher_suite_by_id(int cipher_suite_id, int use_low_memory)
-{
-    return picoquic_get_selected_cipher_suite_by_id(cipher_suite_id, use_low_memory);
+    return cipher;
 }
 
 static ptls_cipher_algorithm_t* picoquic_get_ecb_cipher_by_id(const char* ecb_cipher_name)
@@ -412,17 +407,21 @@ static ptls_cipher_algorithm_t* picoquic_get_ecb_cipher_by_id(const char* ecb_ci
 * then derive the ECB function from the selection of the AEAD function.
 * This will obviate the need of providing a specific API.
 */
-void* picoquic_aes128_ecb_create(int is_enc, const void* ecb_key)
+
+void* picoquic_ecb_create_by_name(int is_enc, const void* ecb_key, char const* alg_name)
 {
     void* created = NULL;
-    ptls_cipher_algorithm_t* ecb_cipher = picoquic_get_ecb_cipher_by_id("AES128-ECB");
+    ptls_cipher_algorithm_t* ecb_cipher = picoquic_get_ecb_cipher_by_id(alg_name);
 
     if (ecb_cipher != NULL) {
         created = (void*)ptls_cipher_new(ecb_cipher, is_enc, ecb_key);
     }
 
     return created;
 }
+void* picoquic_aes128_ecb_create(int is_enc, const void* ecb_key) {
+    return picoquic_ecb_create_by_name(is_enc, ecb_key, "AES128-ECB");
+}
 
 /* Obtain a hash algorithm from the table of supported cipher suites.*/
 ptls_hash_algorithm_t* picoquic_get_hash_algorithm_by_name(const char* hash_algorithm_name)
@@ -448,11 +447,6 @@ ptls_hash_algorithm_t* picoquic_get_sha256()
     return picoquic_get_hash_algorithm_by_name("sha256");
 }
 
-void* picoquic_get_sha256_v()
-{
-    return (void*)picoquic_get_sha256();
-}
-
 /* Export hash functions so applications do not need to access picotls.
 * It is not clear that these functions are actually used by applications.
 */
@@ -1156,15 +1150,17 @@ uint64_t picoquic_get_simulated_time_cb(ptls_get_time_t* self)
 /*
  * Verify certificate
  */
-
-int picoquic_enable_custom_verify_certificate_callback(picoquic_quic_t* quic) {
+#if 0
+/* The custom cert call is not used and not tested, so disabled for now. */
+int picoquic_enable_custom_verify_certificate_callback(picoquic_quic_t* quic)
+{
     ptls_context_t* ctx = (ptls_context_t*)quic->tls_master_ctx;
 
     ctx->verify_certificate = quic->verify_certificate_callback;
     quic->is_cert_store_not_empty = 1;
     return 0;
 }
-
+#endif
 void picoquic_dispose_verify_certificate_callback(picoquic_quic_t* quic) {
     ptls_context_t* ctx = (ptls_context_t*)quic->tls_master_ctx;
 
@@ -1838,13 +1834,22 @@ uint64_t picoquic_get_tls_time(picoquic_quic_t* quic)
 int picoquic_tlscontext_create(picoquic_quic_t* quic, picoquic_cnx_t* cnx, uint64_t current_time)
 {
     int ret = 0;
-    /* allocate a context structure */
-    picoquic_tls_ctx_t* ctx = (picoquic_tls_ctx_t*)malloc(sizeof(picoquic_tls_ctx_t));
+    /* allocate a context structure, but only if checks are correct */
+    picoquic_tls_ctx_t* ctx = NULL;
+
+    if (!cnx->client_mode && ((ptls_context_t*)quic->tls_master_ctx)->encrypt_ticket == NULL) {
+        /* A server side connection, but no cert/key where given for the master context */
+        ret = PICOQUIC_ERROR_TLS_SERVER_CON_WITHOUT_CERT;
+    }
+    else {
+        ctx = (picoquic_tls_ctx_t*)malloc(sizeof(picoquic_tls_ctx_t));
+        if (ctx == NULL) {
+            ret = PICOQUIC_ERROR_MEMORY;
+        }
+    }
 
     /* Create the TLS context */
-    if (ctx == NULL) {
-        ret = -1;
-    } else {
+    if (ctx != NULL) {
         memset(ctx, 0, sizeof(picoquic_tls_ctx_t));
         ctx->ext_data_size = PICOQUIC_TRANSPORT_PARAMETERS_MAX_SIZE;
         if (!cnx->client_mode && quic->test_large_server_flight) {
@@ -1865,22 +1870,14 @@ int picoquic_tlscontext_create(picoquic_quic_t* quic, picoquic_cnx_t* cnx, uint6
 
             ctx->tls = ptls_new((ptls_context_t*)quic->tls_master_ctx,
                 (ctx->client_mode) ? 0 : 1);
-            *ptls_get_data_ptr(ctx->tls) = cnx;
-
             if (ctx->tls == NULL) {
-                free(ctx);
+                picoquic_tlscontext_free(ctx);
                 ctx = NULL;
-                ret = -1;
+                ret = PICOQUIC_ERROR_MEMORY;
             }
-            else if (!ctx->client_mode) {
-                /* A server side connection, but no cert/key where given for the master context */
-                if (((ptls_context_t*)quic->tls_master_ctx)->encrypt_ticket == NULL) {
-                    ret = PICOQUIC_ERROR_TLS_SERVER_CON_WITHOUT_CERT;
-                    picoquic_tlscontext_free(ctx);
-                    ctx = NULL;
-                }
-
-                if (ctx != NULL) {
+            else{
+                *ptls_get_data_ptr(ctx->tls) = cnx;
+                if (!ctx->client_mode) {
                     /* The server should never attempt a stateless retry */
                     ctx->handshake_properties.server.enforce_retry = 0;
                     ctx->handshake_properties.server.retry_uses_cookie = 0;
@@ -1891,7 +1888,7 @@ int picoquic_tlscontext_create(picoquic_quic_t* quic, picoquic_cnx_t* cnx, uint6
             }
         }
     }
-    
+
     if (cnx->tls_ctx != NULL) {
         picoquic_tlscontext_free(cnx->tls_ctx);
     }
@@ -1973,79 +1970,6 @@ void picoquic_set_key_log_file(picoquic_quic_t *quic, char const * keylog_filena
     ctx->log_event = (ptls_log_event_t*)log_event;
 }
 
-/*
-Check whether the ticket that was received, or used, authorizes 0-RTT data.
-
-From TLS 1.3 spec:
-struct {
-uint32 ticket_lifetime;
-uint32 ticket_age_add;
-opaque ticket_nonce<0..255>;
-opaque ticket<1..2^16-1>;
-Extension extensions<0..2^16-2>;
-} NewSessionTicket;
-
-struct {
-ExtensionType extension_type;
-opaque extension_data<0..2^16-1>;
-} Extension;
-*/
-
-int picoquic_does_tls_ticket_allow_early_data(uint8_t* ticket, uint16_t ticket_length)
-{
-    uint8_t nonce_length = 0;
-    uint16_t ticket_val_length = 0;
-    uint16_t extension_length = 0;
-    uint8_t* extension_ptr = NULL;
-    uint16_t byte_index = 0;
-    uint16_t min_length = 4 + 4 + 1 + 2 + 2;
-    int ret = 0;
-
-    if (ticket_length >= min_length) {
-        byte_index += 4; /* Skip lifetime */
-        byte_index += 4; /* Skip age add */
-        nonce_length = ticket[byte_index++];
-        min_length += nonce_length;
-        if (ticket_length >= min_length) {
-            byte_index += nonce_length;
-
-            ticket_val_length = PICOPARSE_16(ticket + byte_index);
-            byte_index += 2;
-            min_length += ticket_val_length;
-            if (ticket_length >= min_length) {
-                byte_index += ticket_val_length;
-
-                extension_length = PICOPARSE_16(ticket + byte_index);
-                byte_index += 2;
-                min_length += extension_length;
-                if (ticket_length >= min_length) {
-                    extension_ptr = &ticket[byte_index];
-                }
-            }
-        }
-    }
-
-    if (extension_ptr != NULL) {
-        uint16_t x_index = 0;
-
-        while (x_index + 4 < extension_length) {
-            uint16_t x_type = PICOPARSE_16(extension_ptr + x_index);
-            uint16_t x_len = PICOPARSE_16(extension_ptr + x_index + 2);
-            x_index += 4 + x_len;
-
-            if (x_type == 42 && x_len == 4) {
-                uint32_t ed_len = PICOPARSE_32(extension_ptr + x_index - 4);
-                if (ed_len == 0xFFFFFFFF) {
-                    ret = 1;
-                }
-                break;
-            }
-        }
-    }
-
-    return ret;
-}
-
 /*
 * Creation of a TLS context.
 * This includes setting the handshake properties that will later be
@@ -2962,6 +2886,8 @@ int picoquic_verify_retry_token(picoquic_quic_t* quic, const struct sockaddr * a
     return ret;
 }
 
+#if 0
+/* Disabling this code for now, as it is not used */
 /*
  * Encryption functions for CID encryption
  */
@@ -3033,6 +2959,7 @@ void picoquic_cid_decrypt_under_mask(void *cid_enc, const picoquic_connection_id
 {
     picoquic_cid_encrypt_under_mask(cid_enc, cid_in, mask, cid_out);
 }
+#endif
 
 /* Retry Packet Protection.
  * This is done by applying AES-GCM128 with a constant key and a NULL nonce,

diff --git a/picoquic/tls_api.h b/picoquic/tls_api.h
@@ -154,19 +154,18 @@ int picoquic_verify_retry_token(picoquic_quic_t* quic, const struct sockaddr * a
     const picoquic_connection_id_t* rcid, uint32_t initial_pn,
     const uint8_t * token, size_t token_size, int check_reuse);
 
+#if 0
 void picoquic_cid_free_under_mask_ctx(void * v_pn_enc);
 int picoquic_cid_get_under_mask_ctx(void ** v_pn_enc, const void * secret, const char *prefix_label);
 void picoquic_cid_encrypt_under_mask(void * cid_enc, const picoquic_connection_id_t * cid_in, const picoquic_connection_id_t * mask, picoquic_connection_id_t * cid_out);
 void picoquic_cid_decrypt_under_mask(void * cid_enc, const picoquic_connection_id_t * cid_in, const picoquic_connection_id_t * mask, picoquic_connection_id_t * cid_out);
-
 void picoquic_cid_free_encrypt_global_ctx(void ** v_cid_enc);
+#endif
 
 /* Define hash functions here so applications don't need to directly interface picotls */
 #define PICOQUIC_HASH_SIZE_MAX 64
 void * picoquic_hash_create(char const * algorithm_name);
-#if 0
 size_t picoquic_hash_get_length(char const* algorithm_name);
-#endif
 void picoquic_hash_update(uint8_t* input, size_t input_length, void* hash_context);
 void picoquic_hash_finalize(uint8_t* output, void* hash_context);
 
@@ -193,6 +192,7 @@ void* picoquic_get_aes128gcm_sha256_v(int use_low_memory);
 void* picoquic_get_aes128gcm_v(int use_low_memory);
 
 /* AES ECB function used for CID encryption */
+void* picoquic_ecb_create_by_name(int is_enc, const void* ecb_key, char const * alg_name);
 void* picoquic_aes128_ecb_create(int is_enc, const void* ecb_key);
 
 void picoquic_aes128_ecb_free(void* v_aesecb);

diff --git a/picoquic_t/picoquic_t.c b/picoquic_t/picoquic_t.c
@@ -284,6 +284,7 @@ static const picoquic_test_def_t test_table[] = {
     { "nat_handshake", nat_handshake_test },
     { "key_rotation_vector", key_rotation_vector_test },
     { "key_rotation_stress", key_rotation_stress_test },
+    { "keylog_test", keylog_test },
     { "short_initial_cid", short_initial_cid_test },
     { "stream_id_max", stream_id_max_test },
     { "padding_test", padding_test },
@@ -485,6 +486,8 @@ static const picoquic_test_def_t test_table[] = {
     { "multipath_tunnel", multipath_tunnel_test },
     { "monopath_0rtt", monopath_0rtt_test },
     { "monopath_0rtt_loss", monopath_0rtt_loss_test },
+    { "get_hash", get_hash_test },
+    { "get_tls_errors", get_tls_errors_test },
     { "getter", getter_test },
     { "grease_quic_bit", grease_quic_bit_test },
     { "grease_quic_bit_one_way", grease_quic_bit_one_way_test },

diff --git a/picoquictest/picoquictest.h b/picoquictest/picoquictest.h
@@ -224,6 +224,7 @@ int false_migration_test();
 int nat_handshake_test();
 int key_rotation_vector_test();
 int key_rotation_stress_test();
+int keylog_test();
 int short_initial_cid_test();
 int stream_id_max_test();
 int padding_test();
@@ -480,6 +481,8 @@ int multipath_discovery_test();
 int multipath_qlog_test();
 int multipath_tunnel_test();
 int token_reuse_api_test();
+int get_hash_test();
+int get_tls_errors_test();
 int getter_test();
 int grease_quic_bit_test();
 int grease_quic_bit_one_way_test();