1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2018, Linaro Limited */
3
4 #include "xtest_test.h"
5 #include "xtest_helpers.h"
6
7 #include <stdarg.h>
8 #include <stdio.h>
9 #include <stdlib.h>
10 #include <string.h>
11 #include <ta_crypt.h>
12 #include <tee_api_types.h>
13 #include <adbg.h>
14
15 #ifdef OPENSSL_FOUND
16 #include <openssl/x509_vfy.h>
17 #include <openssl/pem.h>
18 #include <openssl/err.h>
19 #include <openssl/crypto.h>
20 #endif
21
22 #include "regression_8100_ca_crt.h"
23 #include "regression_8100_mid_crt.h"
24 #include "regression_8100_my_crt.h"
25 #include "regression_8100_my_csr.h"
26
27 #ifdef CFG_TA_MBEDTLS
28
test_8101(ADBG_Case_t * c __maybe_unused)29 static void test_8101(ADBG_Case_t *c __maybe_unused)
30 {
31 #ifdef CFG_TA_MBEDTLS_SELF_TEST
32 TEEC_Session session = { };
33 uint32_t ret_orig = 0;
34
35 if (!ADBG_EXPECT_TEEC_SUCCESS(c, xtest_teec_open_session(
36 &session, &crypt_user_ta_uuid,
37 NULL, &ret_orig)))
38 return;
39 ADBG_EXPECT_TEEC_SUCCESS(c,
40 TEEC_InvokeCommand(&session, TA_CRYPT_CMD_MBEDTLS_SELF_TESTS,
41 NULL, &ret_orig));
42 TEEC_CloseSession(&session);
43 #else
44 Do_ADBG_Log("CFG_TA_MBEDTLS_SELF_TEST not set, test skipped");
45 #endif
46 }
47 ADBG_CASE_DEFINE(regression, 8101, test_8101, "TA mbedTLS self tests");
48
myasprintf(char ** strp,const char * fmt,...)49 static int __printf(2, 3) myasprintf(char **strp, const char *fmt, ...)
50 {
51 char *str = NULL;
52 int rc = 0;
53 va_list ap;
54
55 va_start(ap, fmt);
56 rc = vsnprintf(str, rc, fmt, ap);
57 va_end(ap);
58 if (rc <= 0)
59 goto out;
60
61 str = malloc(rc);
62 if (!str) {
63 rc = -1;
64 goto out;
65 }
66
67 va_start(ap, fmt);
68 rc = vsnprintf(str, rc, fmt, ap);
69 va_end(ap);
70 if (rc <= 0)
71 free(str);
72 else
73 *strp = str;
74
75 out:
76 return rc;
77 }
78
test_8102(ADBG_Case_t * c)79 static void test_8102(ADBG_Case_t *c)
80 {
81 TEEC_Session session = { };
82 TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
83 uint32_t ret_orig = 0;
84 char *chain = NULL;
85 int clen = 0;
86 char *trust = NULL;
87 int tlen = 0;
88
89 if (!ADBG_EXPECT_TEEC_SUCCESS(c, xtest_teec_open_session(
90 &session, &crypt_user_ta_uuid,
91 NULL, &ret_orig)))
92 return;
93
94 clen = myasprintf(&chain, "%*s\n%*s",
95 (int)regression_8100_my_crt_size,
96 regression_8100_my_crt,
97 (int)regression_8100_mid_crt_size,
98 regression_8100_mid_crt);
99 if (!ADBG_EXPECT_COMPARE_SIGNED(c, clen, !=, -1))
100 goto out;
101 tlen = myasprintf(&trust, "%*s", (int)regression_8100_ca_crt_size,
102 regression_8100_ca_crt);
103 if (!ADBG_EXPECT_COMPARE_SIGNED(c, tlen, !=, -1))
104 goto out;
105
106 op.params[0].tmpref.buffer = chain;
107 op.params[0].tmpref.size = clen;
108 op.params[1].tmpref.buffer = trust;
109 op.params[1].tmpref.size = tlen;
110 op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
111 TEEC_MEMREF_TEMP_INPUT,
112 TEEC_NONE, TEEC_NONE);
113
114 ADBG_EXPECT_TEEC_SUCCESS(c,
115 TEEC_InvokeCommand(&session, TA_CRYPT_CMD_MBEDTLS_CHECK_CERT,
116 &op, &ret_orig));
117 out:
118 free(chain);
119 free(trust);
120 TEEC_CloseSession(&session);
121 }
122 ADBG_CASE_DEFINE(regression, 8102, test_8102, "TA mbedTLS test cert chain");
123
124 #ifdef OPENSSL_FOUND
osslerr(void)125 static void osslerr(void)
126 {
127 while (true) {
128 unsigned long e = 0;
129 char b[256] = { };
130 const char *f = NULL;
131 int l = 0;
132
133 e = ERR_get_error_line(&f, &l);
134 if (!e)
135 return;
136 ERR_error_string_n(e, b, sizeof(b));
137 Do_ADBG_Log("%s:%d \"%s\"", f, l, b);
138 }
139 }
140
get_cert(ADBG_Case_t * c,const char * crt_str,X509 ** crt)141 static bool get_cert(ADBG_Case_t *c, const char *crt_str, X509 **crt)
142 {
143 bool ret = false;
144 size_t slen = strlen(crt_str) + 1;
145 BIO *buf = BIO_new(BIO_s_mem());
146 size_t b = 0;
147
148 if (!ADBG_EXPECT_NOT_NULL(c, buf))
149 goto out;
150
151 b = BIO_write(buf, crt_str, slen);
152 if (!ADBG_EXPECT_COMPARE_UNSIGNED(c, b, ==, slen))
153 goto out;
154
155 if (!PEM_read_bio_X509(buf, crt, 0, NULL))
156 goto out;
157
158 ret = true;
159 out:
160 if (!ret)
161 osslerr();
162 BIO_free(buf);
163 return ret;
164 }
165
push_cert(ADBG_Case_t * c,const char * crt_str,STACK_OF (X509)* cs)166 static bool push_cert(ADBG_Case_t *c, const char *crt_str, STACK_OF(X509) *cs)
167 {
168 X509 *crt = NULL;
169 int rc = 0;
170
171 if (!get_cert(c, crt_str, &crt))
172 return false;
173 rc = sk_X509_push(cs, crt);
174 if (!ADBG_EXPECT_COMPARE_SIGNED(c, rc, >, 0)) {
175 osslerr();
176 X509_free(crt);
177 return false;
178 }
179
180 return true;
181 }
182
check(ADBG_Case_t * c,STACK_OF (X509)* trusted,STACK_OF (X509)* untrusted,X509 * crt)183 static bool check(ADBG_Case_t *c, STACK_OF(X509) *trusted,
184 STACK_OF(X509) *untrusted, X509 *crt)
185 {
186 bool ret = false;
187 X509_STORE *store = NULL;
188 X509_STORE_CTX *csc = NULL;
189 X509_VERIFY_PARAM *pm = NULL;
190 int i = 0;
191 time_t vfy_time = 0;
192
193 pm = X509_VERIFY_PARAM_new();
194 vfy_time = 1526898005; /* Mon, 21 May 2018 10:20:05 +0000 */
195 X509_VERIFY_PARAM_set_time(pm, vfy_time);
196
197 store = X509_STORE_new();
198 if (!ADBG_EXPECT_NOT_NULL(c, store))
199 goto out;
200 X509_STORE_set_flags(store, 0);
201 if (!ADBG_EXPECT_TRUE(c, X509_STORE_set1_param(store, pm)))
202 goto out;
203
204 csc = X509_STORE_CTX_new();
205 if (!ADBG_EXPECT_NOT_NULL(c, csc))
206 goto out;
207
208 if (!ADBG_EXPECT_TRUE(c, X509_STORE_CTX_init(csc, store, crt,
209 untrusted)))
210 goto out;
211 X509_STORE_CTX_trusted_stack(csc, trusted);
212
213 i = X509_verify_cert(csc);
214 if (!ADBG_EXPECT_COMPARE_SIGNED(c, i, >, 0))
215 goto out;
216 i = X509_STORE_CTX_get_error(csc);
217 if (!ADBG_EXPECT_COMPARE_SIGNED(c, i, ==, X509_V_OK))
218 goto out;
219 ret = true;
220 out:
221 if (!ret)
222 osslerr();
223 X509_VERIFY_PARAM_free(pm);
224 X509_STORE_free(store);
225 X509_STORE_CTX_free(csc);
226 return ret;
227 }
228
verify_cert(ADBG_Case_t * c,const char * ca,const char * mid,const char * cert)229 static bool verify_cert(ADBG_Case_t *c, const char *ca, const char *mid,
230 const char *cert)
231 {
232 bool ret = false;
233 STACK_OF(X509) *trusted = NULL;
234 STACK_OF(X509) *untrusted = NULL;
235 X509 *crt = NULL;
236
237 trusted = sk_X509_new_null();
238 if (!ADBG_EXPECT_NOT_NULL(c, trusted))
239 goto out;
240 untrusted = sk_X509_new_null();
241 if (!ADBG_EXPECT_NOT_NULL(c, untrusted))
242 goto out;
243
244 if (!ADBG_EXPECT_TRUE(c, get_cert(c, cert, &crt)))
245 goto out;
246 if (!ADBG_EXPECT_TRUE(c, push_cert(c, mid, untrusted)))
247 goto out;
248 if (!ADBG_EXPECT_TRUE(c, push_cert(c, ca, trusted)))
249 goto out;
250
251 ret = ADBG_EXPECT_TRUE(c, check(c, trusted, untrusted, crt));
252 out:
253 if (!ret)
254 osslerr();
255 X509_free(crt);
256 sk_X509_pop_free(untrusted, X509_free);
257 sk_X509_pop_free(trusted, X509_free);
258 return ret;
259 }
260 #else /*!OPENSSL_FOUND*/
verify_cert(ADBG_Case_t * c,const char * ca,const char * mid,const char * cert)261 static bool verify_cert(ADBG_Case_t *c, const char *ca,
262 const char *mid, const char *cert)
263 {
264 UNUSED(c);
265 UNUSED(ca);
266 UNUSED(mid);
267 UNUSED(cert);
268 Do_ADBG_Log("OpenSSL not available, skipping certificate verification");
269 return true;
270 }
271 #endif
272
test_8103(ADBG_Case_t * c)273 static void test_8103(ADBG_Case_t *c)
274 {
275 TEEC_Result res = TEEC_ERROR_GENERIC;
276 TEEC_Session session = { };
277 TEEC_Operation op = TEEC_OPERATION_INITIALIZER;
278 uint32_t ret_orig = 0;
279 char *csr = NULL;
280 int clen = 0;
281 char cert[2048];
282 char chain[4096];
283 char *ca = NULL;
284
285 if (!ADBG_EXPECT_TEEC_SUCCESS(c, xtest_teec_open_session(
286 &session, &crypt_user_ta_uuid,
287 NULL, &ret_orig)))
288 return;
289
290 clen = myasprintf(&csr, "%*s", (int)regression_8100_my_csr_size,
291 regression_8100_my_csr);
292 if (!ADBG_EXPECT_COMPARE_SIGNED(c, clen, >=, 0))
293 goto out;
294 op.params[0].tmpref.buffer = csr;
295 op.params[0].tmpref.size = clen;
296 op.params[1].tmpref.buffer = cert;
297 op.params[1].tmpref.size = sizeof(cert);
298 op.params[2].tmpref.buffer = chain;
299 op.params[2].tmpref.size = sizeof(chain);
300 op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
301 TEEC_MEMREF_TEMP_OUTPUT,
302 TEEC_MEMREF_TEMP_OUTPUT, TEEC_NONE);
303 res = TEEC_InvokeCommand(&session, TA_CRYPT_CMD_MBEDTLS_SIGN_CERT, &op,
304 &ret_orig);
305 if (!ADBG_EXPECT_TEEC_SUCCESS(c, res))
306 goto out;
307
308 myasprintf(&ca, "%*s", (int)regression_8100_ca_crt_size,
309 regression_8100_ca_crt);
310 if (!ADBG_EXPECT_NOT_NULL(c, ca))
311 goto out;
312 verify_cert(c, ca, op.params[2].tmpref.buffer,
313 op.params[1].tmpref.buffer);
314 out:
315 free(ca);
316 free(csr);
317 TEEC_CloseSession(&session);
318 }
319 ADBG_CASE_DEFINE(regression, 8103, test_8103,
320 "TA mbedTLS process certificate request");
321 #endif /*CFG_TA_MBEDTLS*/
322