Mayank Gupta
/
pelion-example-frdm
Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependencies: FXAS21002 FXOS8700Q
Embed:
(wiki syntax)
Show/hide line numbers
pal_tls_test.c
00001 /******************************************************************************* 00002 * Copyright 2016, 2017 ARM Ltd. 00003 * 00004 * Licensed under the Apache License, Version 2.0 (the "License"); 00005 * you may not use this file except in compliance with the License. 00006 * You may obtain a copy of the License at 00007 * 00008 * http://www.apache.org/licenses/LICENSE-2.0 00009 * 00010 * Unless required by applicable law or agreed to in writing, software 00011 * distributed under the License is distributed on an "AS IS" BASIS, 00012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00013 * See the License for the specific language governing permissions and 00014 * limitations under the License. 00015 *******************************************************************************/ 00016 00017 #include "unity.h" 00018 #include "unity_fixture.h" 00019 #include "pal.h" 00020 #include "pal_tls_utils.h" 00021 #include "pal_network.h" 00022 #include "storage.h" 00023 #include "test_runners.h" 00024 #ifdef MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT 00025 #include "pal_sst.h" 00026 #else 00027 #include "sotp.h" 00028 #endif 00029 00030 #include <stdlib.h> 00031 00032 #define TRACE_GROUP "PAL" 00033 #define PAL_TEST_PSK_IDENTITY "Client_identity" 00034 00035 #define PAL_TEST_PSK {0x12,0x34,0x45,0x67,0x89,0x10} 00036 #define PAL_WAIT_TIME 3 00037 00038 #define HOSTNAME_STR_MAX_LEN 256 00039 00040 PAL_PRIVATE palSocket_t g_socket = 0; 00041 extern void * g_palTestTLSInterfaceCTX; // this is set by the palTestMain funciton 00042 PAL_PRIVATE uint32_t g_interfaceCTXIndex = 0; 00043 00044 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 00045 PAL_PRIVATE uint8_t g_trustedServerID[PAL_CERT_ID_SIZE] __attribute__((aligned(4))) = { 0 }; 00046 PAL_PRIVATE size_t g_actualServerIDSize = 0; 00047 #endif 00048 00049 PAL_PRIVATE palMutexID_t g_mutex1 = NULLPTR; 00050 #if (PAL_ENABLE_X509 == 1) 00051 PAL_PRIVATE palMutexID_t g_mutex2 = NULLPTR; 00052 #endif 00053 PAL_PRIVATE palMutexID_t g_mutexHandShake1 = NULLPTR; 00054 PAL_PRIVATE bool g_retryHandshake = false; 00055 00056 #define PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(a, b) \ 00057 if (a != b) \ 00058 {\ 00059 PAL_LOG_ERR("Expected: %" PRId32 " , Actual: %" PRId32 " , Line: %d\n", (int32_t)a, (int32_t)b, __LINE__);\ 00060 goto finish;\ 00061 } 00062 00063 00064 //! This structre is for tests only and MUST be the same structure as in the pal_TLS.c file 00065 //! For any change done in the original structure, please make sure to change this structure too. 00066 typedef struct palTLSService 00067 { 00068 bool retryHandShake; 00069 uint64_t serverTime; 00070 palTLSHandle_t platTlsHandle; 00071 }palTLSTest_t; 00072 00073 TEST_GROUP(pal_tls); 00074 00075 TEST_SETUP(pal_tls) 00076 { 00077 palStatus_t status = PAL_SUCCESS; 00078 00079 // This time is used as current time during tests. It needs to be a time when the test server certificate is valid. 00080 // (by default, connects to bootstrap server) 00081 // Running following one-liner in bash should output suitable date, one day before certificate expiration. 00082 // 00083 // Get cert from remote // parse the cert // extract expiration date // to timestamp // subtract one day // echo it, use date to produce the human readable comment 00084 // openssl s_client -showcerts -connect bootstrap.us-east-1.mbedcloud.com:5684 2>/dev/null | openssl x509 -text | sed -n "s/Not After : \(.*\)/\1/p" | date -f - +%s | { read num; ((sum=num-86400)); echo "uint64_t currentTime = $sum; // `date -R -u --date=@$sum`"; } 00085 uint64_t currentTime = 1546497053; // Thu, 03 Jan 2019 06:30:53 +0000 00086 00087 //init pal 00088 status = pal_init(); 00089 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00090 00091 #ifdef MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT 00092 #if !PAL_USE_HW_TRNG 00093 // If no hardware trng - entropy must be injected for random to work 00094 uint8_t entropy_buf[48] = { 0 }; 00095 status = pal_osEntropyInject(entropy_buf, sizeof(entropy_buf)); 00096 TEST_ASSERT(status == PAL_SUCCESS || status == PAL_ERR_ENTROPY_EXISTS); 00097 #endif 00098 00099 // Reset storage before pal_initTime since there might be CMAC lefovers 00100 // in internal flash which might fail storage access in pal_initTime 00101 pal_SSTReset (); 00102 #else 00103 sotp_reset(); 00104 #endif //MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT 00105 00106 // Initialize the time module, as this test uses time functionality 00107 status = pal_initTime(); 00108 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00109 00110 // Initialize the time module 00111 status = pal_initTime(); 00112 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00113 00114 if (g_palTestTLSInterfaceCTX == NULL) 00115 { 00116 PAL_LOG_ERR("error: net interface not configutred correctly"); 00117 } 00118 else 00119 { 00120 status = pal_registerNetworkInterface(g_palTestTLSInterfaceCTX, &g_interfaceCTXIndex); 00121 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00122 } 00123 00124 g_socket = 0; 00125 00126 status = pal_osSetTime(currentTime); 00127 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00128 00129 } 00130 00131 TEST_TEAR_DOWN(pal_tls) 00132 { 00133 palStatus_t status = PAL_SUCCESS; 00134 if (0 != g_socket) 00135 { 00136 pal_close(&g_socket); 00137 } 00138 00139 #ifdef MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT 00140 // Reset storage before pal_initTime since there might be CMAC lefovers 00141 // in internal flash which might fail storage access in pal_initTime 00142 pal_SSTReset (); 00143 #else 00144 sotp_reset(); 00145 #endif //MBED_CONF_MBED_CLOUD_CLIENT_EXTERNAL_SST_SUPPORT 00146 00147 pal_destroy(); 00148 } 00149 00150 /** 00151 * @brief Test TLS cofiguration initialization and uninitialization. 00152 * 00153 * 00154 * | # | Step | Expected | 00155 * |---|--------------------------------|-------------| 00156 * | 1 | Initialize TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00157 * | 2 | Uninitialize TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00158 */ 00159 TEST(pal_tls, tlsConfiguration) 00160 { 00161 palStatus_t status = PAL_SUCCESS; 00162 palTLSConfHandle_t palTLSConf = NULLPTR; 00163 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00164 /*#1*/ 00165 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00166 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00167 TEST_ASSERT_TRUE(NULLPTR != palTLSConf); 00168 /*#2*/ 00169 status = pal_tlsConfigurationFree(&palTLSConf); 00170 TEST_ASSERT_EQUAL_HEX(NULLPTR, palTLSConf); 00171 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00172 } 00173 00174 int palTestEntropySource(void *data, unsigned char *output, size_t len, size_t *olen) 00175 { 00176 palStatus_t status = PAL_SUCCESS; 00177 (void)data; 00178 00179 status = pal_osRandomBuffer(output, len); 00180 if (PAL_SUCCESS == status) 00181 { 00182 *olen = len; 00183 } 00184 else 00185 { 00186 return -1; 00187 } 00188 return 0; 00189 } 00190 00191 struct server_address 00192 { 00193 char hostname[HOSTNAME_STR_MAX_LEN]; 00194 uint16_t port; 00195 }; 00196 00197 static void parseServerAddress(struct server_address *data, const char* const url) 00198 { 00199 const char* start; 00200 size_t str_len; 00201 00202 data->port = 0; 00203 00204 // Extract hostname from url 00205 start = strchr(url, ':'); 00206 if (start != NULL && *(start+1) == '/') 00207 { 00208 start = start + 3; 00209 } 00210 else 00211 { 00212 start = url; 00213 } 00214 00215 const char* end = strchr(start, ':'); 00216 if (end == NULL) 00217 { 00218 end = strchr(start, '/'); 00219 if (end == NULL) 00220 { 00221 end = start + strlen(start); 00222 } 00223 } 00224 else 00225 { 00226 data->port = atoi(end+1); 00227 } 00228 00229 str_len = end-start; 00230 00231 TEST_ASSERT_TRUE(str_len > 0 && str_len < HOSTNAME_STR_MAX_LEN); 00232 00233 TEST_ASSERT_EQUAL_PTR(data->hostname, strncpy(data->hostname, start, str_len)); 00234 data->hostname[str_len] = '\0'; 00235 } 00236 00237 static void handshakeUDP(bool socketNonBlocking) 00238 { 00239 palStatus_t status = PAL_SUCCESS; 00240 palTLSConfHandle_t palTLSConf = NULLPTR; 00241 palTLSHandle_t palTLSHandle = NULLPTR; 00242 palTLSTransportMode_t transportationMode = PAL_DTLS_MODE; 00243 palSocketAddress_t socketAddr = {0}; 00244 palSocketLength_t addressLength = 0; 00245 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 00246 uint32_t actualLen = 0; 00247 uint32_t written = 0; 00248 #if (PAL_ENABLE_X509 == 1) 00249 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE,MAX_CERTIFICATE_SIZE}; 00250 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY,MAX_CERTIFICATE_SIZE}; 00251 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA,MAX_CERTIFICATE_SIZE}; 00252 #elif (PAL_ENABLE_PSK == 1) 00253 const char* identity = PAL_TEST_PSK_IDENTITY; 00254 const char psk[]= PAL_TEST_PSK; 00255 #endif 00256 palTLSSocket_t tlsSocket = {g_socket, &socketAddr, 0, transportationMode}; 00257 int32_t verifyResult = 0; 00258 struct server_address server; 00259 00260 /*#1*/ 00261 status = pal_socket(PAL_AF_INET, PAL_SOCK_DGRAM, socketNonBlocking, 0, &g_socket); 00262 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00263 /*#2*/ 00264 00265 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_UDP); 00266 00267 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 00268 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 00269 { 00270 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 00271 status = pal_close(&g_socket); 00272 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00273 return; 00274 } 00275 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00276 00277 tlsSocket.addressLength = addressLength; 00278 tlsSocket.socket = g_socket; 00279 /*#3*/ 00280 status = pal_setSockAddrPort(&socketAddr, server.port); 00281 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00282 /*#4*/ 00283 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00284 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00285 /*#5*/ 00286 status = pal_initTLS(palTLSConf, &palTLSHandle); 00287 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00288 00289 // This code commented out to prevent massive prints from mbedTLS, if you want to see logs from client side, just uncomment them. 00290 //status = pal_sslSetDebugging(palTLSConf, true); 00291 //TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00292 #if (PAL_ENABLE_X509 == 1) 00293 /*#6*/ 00294 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 00295 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00296 /*#7*/ 00297 status = pal_setCAChain(palTLSConf, &caCert, NULL); 00298 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00299 #elif (PAL_ENABLE_PSK == 1) 00300 /*#6 + #7*/ 00301 status = pal_setPSK(palTLSConf, (const unsigned char*)identity, strlen(identity), (const unsigned char*)psk, sizeof(psk)); 00302 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00303 #endif 00304 /*#8*/ 00305 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 00306 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00307 /*#9*/ 00308 00309 status = pal_setHandShakeTimeOut(palTLSConf, 30000); 00310 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00311 /*#10*/ 00312 00313 do 00314 { 00315 status = pal_handShake(palTLSHandle, palTLSConf); 00316 } 00317 while (PAL_ERR_TLS_WANT_READ == status || PAL_ERR_TLS_WANT_WRITE == status); 00318 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00319 00320 /*#11*/ 00321 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 00322 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00323 /*#12*/ 00324 status = pal_sslWrite(palTLSHandle, PAL_TLS_UDP_REQUEST_MESSAGE, sizeof(PAL_TLS_UDP_REQUEST_MESSAGE), &written); 00325 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00326 /*#13*/ 00327 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 00328 /*#14*/ 00329 do 00330 { 00331 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 00332 }while (PAL_ERR_TLS_WANT_READ == status); 00333 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00334 00335 #ifdef PAL_TLS_RESPONSE_MESSAGE 00336 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 00337 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 00338 #endif 00339 00340 /*#15*/ 00341 status = pal_freeTLS(&palTLSHandle); 00342 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00343 /*#16*/ 00344 status = pal_tlsConfigurationFree(&palTLSConf); 00345 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00346 /*#17*/ 00347 status = pal_close(&g_socket); 00348 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00349 } 00350 00351 00352 static void handshakeTCP(bool socketNonBlocking) 00353 { 00354 palStatus_t status = PAL_SUCCESS; 00355 palTLSConfHandle_t palTLSConf = NULLPTR; 00356 palTLSHandle_t palTLSHandle = NULLPTR; 00357 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00358 palSocketAddress_t socketAddr = {0}; 00359 palSocketLength_t addressLength = 0; 00360 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 00361 uint32_t actualLen = 0; 00362 uint32_t written = 0; 00363 #if (PAL_ENABLE_X509 == 1) 00364 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 00365 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 00366 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 00367 #elif (PAL_ENABLE_PSK == 1) 00368 const char* identity = PAL_TEST_PSK_IDENTITY; 00369 const char psk[]= PAL_TEST_PSK; 00370 #endif 00371 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 00372 uint64_t curTimeInSec, timePassedInSec; 00373 const uint64_t minSecSinceEpoch = PAL_MIN_SEC_FROM_EPOCH + 1; //At least 47 years passed from 1.1.1970 in seconds 00374 int32_t verifyResult = 0; 00375 struct server_address server; 00376 00377 /*#1*/ 00378 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, socketNonBlocking, 0, &g_socket); 00379 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00380 /*#2*/ 00381 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 00382 00383 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 00384 00385 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 00386 { 00387 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 00388 status = pal_close(&g_socket); 00389 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00390 return; 00391 } 00392 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00393 00394 tlsSocket.addressLength = addressLength; 00395 tlsSocket.socket = g_socket; 00396 /*#3*/ 00397 status = pal_setSockAddrPort(&socketAddr, server.port); 00398 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00399 00400 /*#4*/ 00401 status = pal_connect(g_socket, &socketAddr, addressLength); 00402 if (PAL_ERR_SOCKET_IN_PROGRES == status) 00403 { 00404 pal_osDelay(400); 00405 } 00406 else 00407 { 00408 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00409 } 00410 /*#5*/ 00411 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00412 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00413 TEST_ASSERT_NOT_EQUAL(palTLSConf, NULLPTR); 00414 /*#6*/ 00415 status = pal_initTLS(palTLSConf, &palTLSHandle); 00416 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00417 00418 // This code commented out to prevent massive prints from mbedTLS, if you want to see logs from client side, just uncomment them. 00419 //status = pal_sslSetDebugging(palTLSConf, true); 00420 //TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00421 #if (PAL_ENABLE_X509 == 1) 00422 /*#7*/ 00423 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 00424 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00425 /*#8*/ 00426 status = pal_setCAChain(palTLSConf, &caCert, NULL); 00427 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00428 #elif (PAL_ENABLE_PSK == 1) 00429 /*#7 + 8*/ 00430 status = pal_setPSK(palTLSConf, (const unsigned char*)identity, strlen(identity), (const unsigned char*)psk, sizeof(psk)); 00431 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00432 #endif 00433 /*#9*/ 00434 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 00435 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00436 /*#10*/ 00437 if (true == socketNonBlocking) 00438 { 00439 status = pal_osSetTime(minSecSinceEpoch); 00440 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); // More than current epoch time -> success 00441 do 00442 { 00443 curTimeInSec = pal_osGetTime(); 00444 TEST_ASSERT_TRUE(curTimeInSec >= minSecSinceEpoch); 00445 timePassedInSec = curTimeInSec - minSecSinceEpoch; 00446 status = pal_handShake(palTLSHandle, palTLSConf); 00447 } 00448 while ( (PAL_ERR_TLS_WANT_READ == status || PAL_ERR_TLS_WANT_WRITE == status) && 00449 (timePassedInSec < PAL_SECONDS_PER_MIN)); //2 minutes to wait for handshake 00450 } 00451 else //blocking 00452 { 00453 status = pal_handShake(palTLSHandle, palTLSConf); 00454 } 00455 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00456 00457 /*#11*/ 00458 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 00459 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00460 /*#12*/ 00461 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 00462 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00463 /*#13*/ 00464 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 00465 /*#14*/ 00466 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 00467 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00468 00469 #ifdef PAL_TLS_RESPONSE_MESSAGE 00470 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 00471 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 00472 #endif 00473 00474 /*#15*/ 00475 status = pal_freeTLS(&palTLSHandle); 00476 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00477 /*#16*/ 00478 status = pal_tlsConfigurationFree(&palTLSConf); 00479 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00480 /*#17*/ 00481 status = pal_close(&g_socket); 00482 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00483 00484 } 00485 00486 /** 00487 * @brief Test TLS initialization and uninitialization. 00488 * 00489 * 00490 * | # | Step | Expected | 00491 * |---|--------------------------------|-------------| 00492 * | 1 | Initialize TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00493 * | 2 | Initialize TLS context using `pal_initTLS`. | PAL_SUCCESS | 00494 * | 3 | Add a NULL entropy source using `pal_addEntropySource`. | PAL_ERR_INVALID_ARGUMENT | 00495 * | 4 | Add a valid entropy source using `pal_addEntropySource`. | PAL_SUCCESS | 00496 * | 5 | Uninitialize TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00497 * | 6 | Uninitialize TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00498 */ 00499 TEST(pal_tls, tlsInitTLS) 00500 { 00501 palStatus_t status = PAL_SUCCESS; 00502 palTLSConfHandle_t palTLSConf = NULLPTR; 00503 palTLSHandle_t palTLSHandle = NULLPTR; 00504 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00505 /*#1*/ 00506 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00507 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00508 /*#2*/ 00509 status = pal_initTLS(palTLSConf, &palTLSHandle); 00510 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00511 #ifdef DEBUG 00512 /*#3*/ 00513 status = pal_addEntropySource(NULL); 00514 TEST_ASSERT_EQUAL_HEX(PAL_ERR_INVALID_ARGUMENT , status); 00515 #endif 00516 /*#4*/ 00517 status = pal_addEntropySource(palTestEntropySource); 00518 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00519 /*#5*/ 00520 status = pal_freeTLS(&palTLSHandle); 00521 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00522 /*#6*/ 00523 status = pal_tlsConfigurationFree(&palTLSConf); 00524 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00525 } 00526 00527 00528 /** 00529 * @brief Test TLS initialization and uninitialization with additional keys. 00530 * 00531 * 00532 * | # | Step | Expected | 00533 * |---|--------------------------------|-------------| 00534 * | 1 | Initialize TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00535 * | 2 | Add keys to the configuration using `pal_setOwnCertAndPrivateKey`. | PAL_SUCCESS | 00536 * | 3 | Initialize TLS context using `pal_initTLS`. | PAL_SUCCESS | 00537 * | 4 | Uninitialize TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00538 * | 5 | Uninitialize TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00539 */ 00540 TEST(pal_tls, tlsPrivateAndPublicKeys) 00541 { 00542 #if (PAL_ENABLE_X509 == 1) 00543 palStatus_t status = PAL_SUCCESS; 00544 palTLSConfHandle_t palTLSConf = NULLPTR; 00545 palTLSHandle_t palTLSHandle = NULLPTR; 00546 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00547 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 00548 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 00549 00550 /*#1*/ 00551 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00552 TEST_ASSERT_NOT_EQUAL(palTLSConf, NULLPTR); 00553 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00554 /*#2*/ 00555 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 00556 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00557 /*#3*/ 00558 status = pal_initTLS(palTLSConf, &palTLSHandle); 00559 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00560 /*#4*/ 00561 status = pal_freeTLS(&palTLSHandle); 00562 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00563 /*#5*/ 00564 status = pal_tlsConfigurationFree(&palTLSConf); 00565 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00566 #else 00567 TEST_IGNORE_MESSAGE("Ignored, PAL_ENABLE_X509 not set"); 00568 #endif 00569 } 00570 00571 00572 /** 00573 * @brief Test TLS initialization and uninitialization with additional certificate and pre-shared keys. 00574 * 00575 * 00576 * | # | Step | Expected | 00577 * |---|--------------------------------|-------------| 00578 * | 1 | Initialize TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00579 * | 2 | Set pre-shared keys to the configuration using `pal_setPSK`. | PAL_SUCCESS | 00580 * | 3 | Initialize TLS context using `pal_initTLS`. | PAL_SUCCESS 00581 * | 4 | Uninitialize TLS context using `pal_freeTLS`. |PAL_SUCCESS | 00582 * | 5 | Uninitialize TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00583 */ 00584 TEST(pal_tls, tlsCACertandPSK) 00585 { 00586 #if (PAL_ENABLE_PSK == 1) 00587 palStatus_t status = PAL_SUCCESS; 00588 palTLSConfHandle_t palTLSConf = NULLPTR; 00589 palTLSHandle_t palTLSHandle = NULLPTR; 00590 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00591 /*#1*/ 00592 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00593 TEST_ASSERT_NOT_EQUAL(palTLSConf, NULLPTR); 00594 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00595 /*#2*/ 00596 status = pal_setPSK(palTLSConf, g_psk_id, sizeof(g_psk_id) - 1, g_psk, sizeof(g_psk)); 00597 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00598 /*#3*/ 00599 status = pal_initTLS(palTLSConf, &palTLSHandle); 00600 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00601 /*#4*/ 00602 status = pal_freeTLS(&palTLSHandle); 00603 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00604 /*#5*/ 00605 status = pal_tlsConfigurationFree(&palTLSConf); 00606 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00607 #else 00608 TEST_IGNORE_MESSAGE("Ignored, PAL_ENABLE_PSK not set"); 00609 #endif 00610 } 00611 00612 00613 /** 00614 * @brief Test TLS handshake (TCP blocking). 00615 * 00616 * 00617 * | # | Step | Expected | 00618 * |---|--------------------------------|-------------| 00619 * | 1 | Create a TCP (blocking) socket. | PAL_SUCCESS | 00620 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00621 * | 3 | Set the server port. | PAL_SUCCESS | 00622 * | 4 | Connect the TCP socket to the server. | PAL_SUCCESS | 00623 * | 5 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00624 * | 6 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00625 * | 7 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00626 * | 8 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00627 * | 9 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00628 * | 10 | Perform a TLS handshake with the server using `pal_handShaket`. | PAL_SUCCESS | 00629 * | 11 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 00630 * | 12 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 00631 * | 13 | Wait for the response. | PAL_SUCCESS | 00632 * | 14 | Read data from the open TLS connection using `pal_sslRead`. | PAL_SUCCESS | 00633 * | 15 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00634 * | 16 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00635 * | 17 | Close the TCP socket. | PAL_SUCCESS | 00636 */ 00637 TEST(pal_tls, tlsHandshakeTCP) 00638 { 00639 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00640 handshakeTCP(false); 00641 } 00642 00643 /** 00644 * @brief Test TLS handshake (TCP non-blocking). 00645 * 00646 * 00647 * | # | Step | Expected | 00648 * |---|--------------------------------|-------------| 00649 * | 1 | Create a TCP (non-blocking) socket. | PAL_SUCCESS | 00650 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00651 * | 3 | Set the server port. | PAL_SUCCESS | 00652 * | 4 | Connect the TCP socket to the server. | PAL_SUCCESS | 00653 * | 5 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00654 * | 6 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00655 * | 7 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00656 * | 8 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00657 * | 9 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00658 * | 10 | Perform a TLS handshake with the server using `pal_handShaket` in a loop. | PAL_SUCCESS | 00659 * | 11 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 00660 * | 12 | Write data over the open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 00661 * | 13 | Wait for the response. | PAL_SUCCESS | 00662 * | 14 | Read data from the open TLS connection using `pal_sslRead`. | PAL_SUCCESS | 00663 * | 15 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00664 * | 16 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00665 * | 17 | Close the TCP socket. | PAL_SUCCESS | 00666 */ 00667 TEST(pal_tls, tlsHandshakeTCP_nonBlocking) 00668 { 00669 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00670 handshakeTCP(true); 00671 } 00672 00673 /** 00674 * @brief Test (D)TLS handshake (UDP -blocking). 00675 * 00676 * 00677 * | # | Step | Expected | 00678 * |---|--------------------------------|-------------| 00679 * | 1 | Create a UDP (blocking) socket. | PAL_SUCCESS | 00680 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00681 * | 3 | Set the server port. | PAL_SUCCESS | 00682 * | 4 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00683 * | 5 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00684 * | 6 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00685 * | 7 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00686 * | 8 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00687 * | 9 | Set the timeout for the handshake using `pal_setHandShakeTimeOut`. | PAL_SUCCESS | 00688 * | 10 | Perform a TLS handshake with the server using `pal_handShaket` in a loop. | PAL_SUCCESS | 00689 * | 11 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 00690 * | 12 | Write data over the open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 00691 * | 13 | Wait for the response. | PAL_SUCCESS | 00692 * | 14 | Read data from the open TLS connection using `pal_sslRead`. | PAL_SUCCESS | 00693 * | 15 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00694 * | 16 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00695 * | 17 | Close the UDP socket. | PAL_SUCCESS | 00696 */ 00697 TEST(pal_tls, tlsHandshakeUDP) 00698 { 00699 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00700 handshakeUDP(false); 00701 } 00702 00703 /** 00704 * @brief Test (D)TLS handshake (UDP -NonBlocking). 00705 * 00706 * 00707 * | # | Step | Expected | 00708 * |---|--------------------------------|-------------| 00709 * | 1 | Create a UDP (blocking) socket. | PAL_SUCCESS | 00710 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00711 * | 3 | Set the server port. | PAL_SUCCESS | 00712 * | 4 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00713 * | 5 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00714 * | 6 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00715 * | 7 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00716 * | 8 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00717 * | 9 | Set the timeout for the handshake using `pal_setHandShakeTimeOut`. | PAL_SUCCESS | 00718 * | 10 | Perform a TLS handshake with the server using `pal_handShaket` in a loop. | PAL_SUCCESS | 00719 * | 11 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 00720 * | 12 | Write data over the open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 00721 * | 13 | Wait for the response. | PAL_SUCCESS | 00722 * | 14 | Read data from the open TLS connection using `pal_sslRead`. | PAL_SUCCESS | 00723 * | 15 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00724 * | 16 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00725 * | 17 | Close the UDP socket. | PAL_SUCCESS | 00726 */ 00727 TEST(pal_tls, tlsHandshakeUDP_NonBlocking) 00728 { 00729 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00730 handshakeUDP(true); 00731 } 00732 00733 /** 00734 * @brief Test (D)TLS handshake (UDP non-blocking) with a very short timeout to see if you get a timeout. 00735 * 00736 * 00737 * | # | Step | Expected | 00738 * |---|--------------------------------|-------------| 00739 * | 1 | Create a UDP (blocking) socket. | PAL_SUCCESS | 00740 * | 2 | Perform a DNS lookup on server adderss. | PAL_SUCCESS | 00741 * | 3 | Set the server port. | PAL_SUCCESS | 00742 * | 4 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00743 * | 5 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00744 * | 6 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00745 * | 7 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00746 * | 8 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00747 * | 9 | Set a short timeout for the handshake using `pal_setHandShakeTimeOut`. | PAL_SUCCESS | 00748 * | 10 | Perform a TLS handshake with the server using `pal_handShaket` in a loop. | PAL_ERR_TIMEOUT_EXPIRED | 00749 * | 11 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00750 * | 12 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00751 */ 00752 TEST(pal_tls, tlsHandshakeUDPTimeOut) 00753 { 00754 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00755 palStatus_t status = PAL_SUCCESS; 00756 palTLSConfHandle_t palTLSConf = NULLPTR; 00757 palTLSHandle_t palTLSHandle = NULLPTR; 00758 palTLSTransportMode_t transportationMode = PAL_DTLS_MODE; 00759 palSocketAddress_t socketAddr = { 0 }; 00760 palSocketLength_t addressLength = 0; 00761 #if (PAL_ENABLE_X509 == 1) 00762 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 00763 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 00764 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 00765 #elif (PAL_ENABLE_PSK == 1) 00766 const char* identity = PAL_TEST_PSK_IDENTITY; 00767 const char psk[]= PAL_TEST_PSK; 00768 #endif 00769 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 00770 struct server_address server; 00771 00772 uint64_t curTimeInSec; 00773 const uint64_t minSecSinceEpoch = PAL_MIN_SEC_FROM_EPOCH + 1; //At least 47 years passed from 1.1.1970 in seconds 00774 00775 /*#1*/ 00776 status = pal_socket(PAL_AF_INET, PAL_SOCK_DGRAM, false, 0, &g_socket); 00777 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00778 00779 /*#2*/ 00780 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_UDP); 00781 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 00782 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 00783 { 00784 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 00785 status = pal_close(&g_socket); 00786 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00787 return; 00788 } 00789 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00790 00791 tlsSocket.addressLength = addressLength; 00792 tlsSocket.socket = g_socket; 00793 /*#3*/ 00794 status = pal_setSockAddrPort(&socketAddr, DTLS_SERVER_PORT_TIMEOUT); 00795 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00796 /*#4*/ 00797 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00798 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00799 /*#5*/ 00800 status = pal_initTLS(palTLSConf, &palTLSHandle); 00801 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00802 00803 // This code commented out to prevent massive prints from mbedTLS, if you want to see logs from client side, just uncomment them. 00804 //status = pal_sslSetDebugging(palTLSConf, true); 00805 //TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00806 #if (PAL_ENABLE_X509 == 1) 00807 /*#6*/ 00808 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 00809 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00810 /*#7*/ 00811 status = pal_setCAChain(palTLSConf, &caCert, NULL); 00812 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00813 #elif (PAL_ENABLE_PSK == 1) 00814 /*#6 + #7*/ 00815 status = pal_setPSK(palTLSConf, (const unsigned char*)identity, strlen(identity), (const unsigned char*)psk, sizeof(psk)); 00816 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00817 #endif 00818 /*#8*/ 00819 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 00820 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00821 /*#9*/ 00822 status = pal_setHandShakeTimeOut(palTLSConf, 100); 00823 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00824 00825 status = pal_osSetTime(minSecSinceEpoch); 00826 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); // More than current epoch time -> success 00827 /*#10*/ 00828 do 00829 { 00830 status = pal_handShake(palTLSHandle, palTLSConf); 00831 } 00832 while (PAL_ERR_TLS_WANT_READ == status || PAL_ERR_TLS_WANT_WRITE == status); 00833 00834 curTimeInSec = pal_osGetTime(); 00835 TEST_ASSERT_EQUAL_HEX(PAL_ERR_TIMEOUT_EXPIRED , status); 00836 TEST_ASSERT_TRUE(curTimeInSec - minSecSinceEpoch <= PAL_WAIT_TIME); //less than PAL_WAIT_TIME seconds 00837 /*#11*/ 00838 status = pal_freeTLS(&palTLSHandle); 00839 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00840 /*#12*/ 00841 status = pal_tlsConfigurationFree(&palTLSConf); 00842 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00843 status = pal_close(&g_socket); 00844 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00845 } 00846 00847 /** 00848 * @brief Test TLS handshake (TCP blocking). 00849 * 00850 * 00851 * | # | Step | Expected | 00852 * |---|--------------------------------|-------------| 00853 * | 1 | Create a TCP (blocking) socket. | PAL_SUCCESS | 00854 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00855 * | 3 | Set the server port. | PAL_SUCCESS | 00856 * | 4 | Connect the TCP socket to the server. | PAL_SUCCESS | 00857 * | 5 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00858 * | 6 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 00859 * | 7 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 00860 * | 8 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 00861 * | 9 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 00862 * | 10 | Set device time to be in future. | PAL_SUCCESS | 00863 * | 11 | Perform a TLS handshake with the server using `pal_handShaket`. | PAL_SUCCESS | 00864 * | 12 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 00865 * | 13 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 00866 * | 14 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 00867 * | 15 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 00868 * | 16 | Close the TCP socket. | PAL_SUCCESS | 00869 * | 17 | Check that time is updated. | PAL_SUCCESS | 00870 * | 18 | Verify that the storage time value was updated. | PAL_SUCCESS | 00871 */ 00872 TEST(pal_tls, tlsHandshakeTCP_FutureLWM2M) 00873 { 00874 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 00875 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 00876 palStatus_t status = PAL_SUCCESS; 00877 palTLSConfHandle_t palTLSConf = NULLPTR; 00878 palTLSHandle_t palTLSHandle = NULLPTR; 00879 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 00880 palSocketAddress_t socketAddr = {0}; 00881 palSocketLength_t addressLength = 0; 00882 uint32_t written = 0; 00883 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 00884 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 00885 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 00886 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 00887 00888 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 00889 uint32_t actualLen = 0; 00890 uint64_t deviceTime = pal_osGetTime(); //get device time to update it in case of failure 00891 uint64_t currentTime = 0; 00892 size_t actualSavedTimeSize = 0; 00893 uint64_t initialTime = 0; 00894 int32_t verifyResult = 0; 00895 struct server_address server; 00896 00897 /*#1*/ 00898 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 00899 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00900 /*#2*/ 00901 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 00902 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 00903 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 00904 { 00905 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 00906 status = pal_close(&g_socket); 00907 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00908 return; 00909 } 00910 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00911 00912 tlsSocket.addressLength = addressLength; 00913 tlsSocket.socket = g_socket; 00914 /*#3*/ 00915 status = pal_setSockAddrPort(&socketAddr, server.port); 00916 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00917 /*#4*/ 00918 status = pal_connect(g_socket, &socketAddr, addressLength); 00919 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00920 /*#5*/ 00921 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 00922 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00923 /*#6*/ 00924 status = pal_initTLS(palTLSConf, &palTLSHandle); 00925 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00926 /*#7*/ 00927 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 00928 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00929 /*#8*/ 00930 status = pal_setCAChain(palTLSConf, &caCert, NULL); 00931 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00932 /*#9*/ 00933 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 00934 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00935 /*#10*/ 00936 00937 status = storage_rbp_write(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&initialTime, (uint16_t)sizeof(initialTime), false); 00938 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00939 status = pal_osSetTime(0);//back in the past to set time to the future during handhsake 00940 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00941 /*#11*/ 00942 status = pal_handShake(palTLSHandle, palTLSConf); 00943 if (PAL_SUCCESS != status) 00944 { 00945 pal_osSetTime(deviceTime); 00946 } 00947 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00948 /*#12*/ 00949 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 00950 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00951 /*#13*/ 00952 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 00953 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00954 00955 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 00956 /*#14*/ 00957 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 00958 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00959 00960 #ifdef PAL_TLS_RESPONSE_MESSAGE 00961 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 00962 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 00963 #endif 00964 00965 /*#14*/ 00966 status = pal_freeTLS(&palTLSHandle); 00967 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00968 /*#15*/ 00969 status = pal_tlsConfigurationFree(&palTLSConf); 00970 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00971 /*#16*/ 00972 status = pal_close(&g_socket); 00973 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00974 /*#17*/ 00975 deviceTime = pal_osGetTime(); 00976 TEST_ASSERT_NOT_EQUAL(0, deviceTime); 00977 /*#18*/ 00978 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, sizeof(currentTime), &actualSavedTimeSize); 00979 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 00980 TEST_ASSERT_TRUE(0 != currentTime); 00981 #else 00982 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 00983 #endif 00984 } 00985 00986 /** 00987 * @brief Test TLS handshake (TCP blocking) with near future time and validate that the handshake didn't update the device time (due to set time rules) 00988 * 00989 * 00990 * | # | Step | Expected | 00991 * |---|--------------------------------|-------------| 00992 * | 1 | Get saved time from storage, move backward half day and set time to RAM | PAL_SUCCESS | 00993 * | 2 | Update `STORAGE_RBP_SAVED_TIME_NAME` directly in storage to the new time from #1 | PAL_SUCCESS | 00994 * | 3 | Create a TCP (blocking) socket. | PAL_SUCCESS | 00995 * | 4 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 00996 * | 5 | Set the server port. | PAL_SUCCESS | 00997 * | 6 | Connect the TCP socket to the server. | PAL_SUCCESS | 00998 * | 7 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 00999 * | 8 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 01000 * | 9 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 01001 * | 10 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 01002 * | 11 | Set the socket to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 01003 * | 12 | Perform a TLS handshake with the server using `pal_handShake`. | PAL_SUCCESS | 01004 * | 13 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 01005 * | 14 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 01006 * | 15 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 01007 * | 16 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 01008 * | 17 | Verify that the time was NOT updated during the handshake. | PAL_SUCCESS | 01009 */ 01010 TEST(pal_tls, tlsHandshakeTCP_FutureLWM2M_NoTimeUpdate) 01011 { 01012 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 01013 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 01014 palStatus_t status = PAL_SUCCESS; 01015 palTLSConfHandle_t palTLSConf = NULLPTR; 01016 palTLSHandle_t palTLSHandle = NULLPTR; 01017 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 01018 palSocketAddress_t socketAddr = { 0 }; 01019 palSocketLength_t addressLength = 0; 01020 uint32_t written = 0; 01021 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 01022 uint32_t actualLen = 0; 01023 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 01024 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 01025 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 01026 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 01027 uint64_t currentTime = 0; 01028 uint64_t tmpTime = 0; 01029 uint64_t updatedTime = 0; 01030 size_t actualSavedTimeSize = 0; 01031 int32_t verifyResult = 0; 01032 struct server_address server; 01033 01034 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 01035 01036 //save valid time since the storage was cleared during TEST_SETUP 01037 uint64_t valid_time = PAL_MIN_SEC_FROM_EPOCH + PAL_SECONDS_PER_DAY * 100; 01038 status = storage_rbp_write(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t *)&valid_time, sizeof(uint64_t), false); 01039 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01040 01041 01042 /*#1*/ 01043 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&tmpTime, sizeof(tmpTime), &actualSavedTimeSize); 01044 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01045 01046 currentTime = tmpTime - (PAL_SECONDS_PER_DAY / 2); //going back half day to simulate future server by half day (in order to prevent time update) 01047 status = pal_osSetTime(currentTime); 01048 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01049 /*#2*/ 01050 status = storage_rbp_write(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, (uint16_t)sizeof(currentTime), false); 01051 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01052 01053 /*#3*/ 01054 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 01055 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01056 /*#4*/ 01057 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 01058 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 01059 { 01060 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 01061 status = pal_close(&g_socket); 01062 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01063 return; 01064 } 01065 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01066 /*#5*/ 01067 status = pal_setSockAddrPort(&socketAddr, server.port); 01068 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01069 01070 tlsSocket.addressLength = addressLength; 01071 tlsSocket.socket = g_socket; 01072 01073 /*#6*/ 01074 status = pal_connect(g_socket, &socketAddr, addressLength); 01075 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01076 /*#7*/ 01077 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 01078 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01079 /*#8*/ 01080 status = pal_initTLS(palTLSConf, &palTLSHandle); 01081 if (PAL_SUCCESS != status) 01082 { 01083 pal_freeTLS(&palTLSHandle); 01084 pal_tlsConfigurationFree(&palTLSConf); 01085 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01086 } 01087 01088 /*#9*/ 01089 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 01090 if (PAL_SUCCESS != status) 01091 { 01092 pal_freeTLS(&palTLSHandle); 01093 pal_tlsConfigurationFree(&palTLSConf); 01094 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01095 } 01096 /*#10*/ 01097 status = pal_setCAChain(palTLSConf, &caCert, NULL); 01098 if (PAL_SUCCESS != status) 01099 { 01100 pal_freeTLS(&palTLSHandle); 01101 pal_tlsConfigurationFree(&palTLSConf); 01102 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01103 } 01104 /*#11*/ 01105 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 01106 if (PAL_SUCCESS != status) 01107 { 01108 pal_freeTLS(&palTLSHandle); 01109 pal_tlsConfigurationFree(&palTLSConf); 01110 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01111 } 01112 /*#12*/ 01113 status = pal_handShake(palTLSHandle, palTLSConf); 01114 if (PAL_SUCCESS != status) 01115 { 01116 pal_freeTLS(&palTLSHandle); 01117 pal_tlsConfigurationFree(&palTLSConf); 01118 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01119 } 01120 /*#13*/ 01121 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 01122 if (PAL_SUCCESS != status) 01123 { 01124 pal_freeTLS(&palTLSHandle); 01125 pal_tlsConfigurationFree(&palTLSConf); 01126 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_EXPIRED & verifyResult); 01127 } 01128 /*#14*/ 01129 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 01130 if (PAL_SUCCESS != status) 01131 { 01132 pal_freeTLS(&palTLSHandle); 01133 pal_tlsConfigurationFree(&palTLSConf); 01134 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01135 } 01136 01137 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 01138 /*#14*/ 01139 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 01140 if (PAL_SUCCESS != status) 01141 { 01142 pal_freeTLS(&palTLSHandle); 01143 pal_tlsConfigurationFree(&palTLSConf); 01144 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01145 } 01146 01147 #ifdef PAL_TLS_RESPONSE_MESSAGE 01148 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 01149 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 01150 #endif 01151 01152 /*#15*/ 01153 status = pal_freeTLS(&palTLSHandle); 01154 if (PAL_SUCCESS != status) 01155 { 01156 pal_tlsConfigurationFree(&palTLSConf); 01157 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01158 } 01159 /*#16*/ 01160 status = pal_tlsConfigurationFree(&palTLSConf); 01161 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01162 01163 status = pal_close(&g_socket); 01164 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01165 01166 /*#17*/ 01167 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&updatedTime, sizeof(updatedTime), &actualSavedTimeSize); 01168 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01169 TEST_ASSERT_EQUAL_HEX(currentTime, updatedTime); 01170 #else 01171 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 01172 #endif 01173 } 01174 01175 01176 /** 01177 * @brief Test TLS handshake (TCP blocking) with future time to make handshake to fail due to bad cert time from server. 01178 * 01179 * 01180 * | # | Step | Expected | 01181 * |---|--------------------------------|-------------| 01182 * | 1 | Create a TCP (blocking) socket. | PAL_SUCCESS | 01183 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 01184 * | 3 | Set the server port. | PAL_SUCCESS | 01185 * | 4 | Connect the TCP socket to the server. | PAL_SUCCESS | 01186 * | 5 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 01187 * | 6 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 01188 * | 7 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 01189 * | 8 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 01190 * | 9 | Set the socket chain to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 01191 * | 10 | Setsystem time to be far in the future `pal_osSetTime`. | PAL_SUCCESS | 01192 * | 11 | Perform a TLS handshake with the server using `pal_handShake`. | PAL_ERR_X509_CERT_VERIFY_FAILED | 01193 * | 12 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_ERR_X509_BADCERT_EXPIRED | 01194 * | 13 | Set tme back to the original time before the test. | PAL_SUCCESS | 01195 * | 14 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 01196 * | 15 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 01197 * | 16 | Verify that the storage time value was not changed. | PAL_SUCCESS | 01198 */ 01199 TEST(pal_tls, tlsHandshakeTCP_ExpiredLWM2MCert) 01200 { 01201 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 01202 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 01203 palStatus_t status = PAL_SUCCESS; 01204 palTLSConfHandle_t palTLSConf = NULLPTR; 01205 palTLSHandle_t palTLSHandle = NULLPTR; 01206 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 01207 palSocketAddress_t socketAddr = {0}; 01208 palSocketLength_t addressLength = 0; 01209 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 01210 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 01211 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 01212 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 01213 uint64_t futureTime = 2145542642; //Wed, 27 Dec 2037 16:04:02 GMT 01214 uint64_t currentTime = 0; 01215 size_t actualSavedTimeSize = 0; 01216 int32_t verifyResult = 0; 01217 struct server_address server; 01218 01219 /*#1*/ 01220 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 01221 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01222 01223 /*#2*/ 01224 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 01225 01226 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 01227 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 01228 { 01229 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 01230 status = pal_close(&g_socket); 01231 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01232 return; 01233 } 01234 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01235 01236 tlsSocket.addressLength = addressLength; 01237 tlsSocket.socket = g_socket; 01238 /*#3*/ 01239 status = pal_setSockAddrPort(&socketAddr, server.port); 01240 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01241 /*#4*/ 01242 status = pal_connect(g_socket, &socketAddr, addressLength); 01243 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01244 /*#5*/ 01245 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 01246 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01247 /*#6*/ 01248 status = pal_initTLS(palTLSConf, &palTLSHandle); 01249 if (PAL_SUCCESS != status) 01250 { 01251 pal_freeTLS(&palTLSHandle); 01252 pal_tlsConfigurationFree(&palTLSConf); 01253 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01254 } 01255 01256 /*#7*/ 01257 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 01258 if (PAL_SUCCESS != status) 01259 { 01260 pal_freeTLS(&palTLSHandle); 01261 pal_tlsConfigurationFree(&palTLSConf); 01262 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01263 } 01264 /*#8*/ 01265 status = pal_setCAChain(palTLSConf, &caCert, NULL); 01266 if (PAL_SUCCESS != status) 01267 { 01268 pal_freeTLS(&palTLSHandle); 01269 pal_tlsConfigurationFree(&palTLSConf); 01270 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01271 } 01272 /*#9*/ 01273 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 01274 if (PAL_SUCCESS != status) 01275 { 01276 pal_freeTLS(&palTLSHandle); 01277 pal_tlsConfigurationFree(&palTLSConf); 01278 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01279 } 01280 /*#10*/ 01281 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, sizeof(currentTime), &actualSavedTimeSize); 01282 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01283 status = pal_osSetTime(futureTime); 01284 if (PAL_SUCCESS != status) 01285 { 01286 pal_freeTLS(&palTLSHandle); 01287 pal_tlsConfigurationFree(&palTLSConf); 01288 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01289 } 01290 /*#11*/ 01291 status = pal_handShake(palTLSHandle, palTLSConf); 01292 if (PAL_ERR_X509_CERT_VERIFY_FAILED != status) 01293 { 01294 pal_osSetTime(currentTime); 01295 pal_freeTLS(&palTLSHandle); 01296 pal_tlsConfigurationFree(&palTLSConf); 01297 TEST_ASSERT_EQUAL_HEX(PAL_ERR_X509_CERT_VERIFY_FAILED, status); 01298 } 01299 /*#12*/ 01300 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 01301 if ((PAL_ERR_X509_CERT_VERIFY_FAILED != status) || (0 == (PAL_ERR_X509_BADCERT_EXPIRED & verifyResult))) 01302 { 01303 pal_osSetTime(currentTime); 01304 pal_freeTLS(&palTLSHandle); 01305 pal_tlsConfigurationFree(&palTLSConf); 01306 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_EXPIRED & verifyResult); 01307 } 01308 /*#13*/ 01309 status = pal_osSetTime(currentTime); 01310 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01311 /*#14*/ 01312 status = pal_freeTLS(&palTLSHandle); 01313 if (PAL_SUCCESS != status) 01314 { 01315 pal_tlsConfigurationFree(&palTLSConf); 01316 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01317 } 01318 /*#15*/ 01319 status = pal_tlsConfigurationFree(&palTLSConf); 01320 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01321 01322 status = pal_close(&g_socket); 01323 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01324 01325 /*#16*/ 01326 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, sizeof(currentTime), &actualSavedTimeSize); 01327 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01328 TEST_ASSERT_TRUE(futureTime <= currentTime); 01329 #else 01330 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 01331 #endif 01332 } 01333 01334 /** 01335 * @brief Test TLS handshake (TCP blocking) with future time to make handshake update the device time according to the server time. 01336 * 01337 * 01338 * | # | Step | Expected | 01339 * |---|--------------------------------|-------------| 01340 * | 1 | Create a TCP (blocking) socket. | PAL_SUCCESS | 01341 * | 2 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 01342 * | 3 | Set the server port. | PAL_SUCCESS | 01343 * | 4 | Parse the CA cert. | PAL_SUCCESS | 01344 * | 5 | Get the CA cert ID. | PAL_SUCCESS | 01345 * | 6 | Set the CA cert ID into the storage. | PAL_SUCCESS | 01346 * | 7 | Connect the TCP socket to the server. | PAL_SUCCESS | 01347 * | 8 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 01348 * | 9 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 01349 * | 10 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 01350 * | 11 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 01351 * | 12 | Set the socket to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 01352 * | 13 | Set system time to be far in the future `pal_osSetTime`. | PAL_SUCCESS | 01353 * | 14 | Perform a TLS handshake with the server using `pal_handShake`. | PAL_SUCCESS | 01354 * | 15 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 01355 * | 16 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 01356 * | 17 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 01357 * | 18 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 01358 * | 19 | Free X509 handle. | PAL_SUCCESS | 01359 * | 20 | Verify that the time updated during the handshake. | PAL_SUCCESS | 01360 */ 01361 TEST(pal_tls, tlsHandshakeTCP_ExpiredServerCert_Trusted) 01362 { 01363 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 01364 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 01365 palStatus_t status = PAL_SUCCESS; 01366 palTLSConfHandle_t palTLSConf = NULLPTR; 01367 palTLSHandle_t palTLSHandle = NULLPTR; 01368 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 01369 palSocketAddress_t socketAddr = { 0 }; 01370 palSocketLength_t addressLength = 0; 01371 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 01372 uint32_t actualLen = 0; 01373 uint32_t written = 0; 01374 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 01375 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 01376 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 01377 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 01378 uint64_t futureTime = 2145542642; //Wed, 27 Dec 2037 16:04:02 GMT 01379 uint64_t updatedTime = 0; 01380 size_t actualSavedTimeSize = 0; 01381 palX509Handle_t trustedServerCA = NULLPTR; 01382 int32_t verifyResult = 0; 01383 struct server_address server; 01384 01385 /*#1*/ 01386 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 01387 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01388 /*#2*/ 01389 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 01390 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 01391 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 01392 { 01393 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 01394 status = pal_close(&g_socket); 01395 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01396 return; 01397 } 01398 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01399 /*#3*/ 01400 status = pal_setSockAddrPort(&socketAddr, server.port); 01401 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01402 01403 tlsSocket.addressLength = addressLength; 01404 tlsSocket.socket = g_socket; 01405 /*#4*/ 01406 status = pal_x509Initiate(&trustedServerCA); 01407 TEST_ASSERT_NOT_EQUAL(trustedServerCA, NULLPTR); 01408 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01409 01410 status = pal_x509CertParse(trustedServerCA, (const unsigned char *)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE); 01411 if (PAL_SUCCESS != status) 01412 { 01413 pal_x509Free(&trustedServerCA); 01414 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01415 } 01416 /*#5*/ 01417 status = pal_x509CertGetAttribute(trustedServerCA, PAL_X509_CERT_ID_ATTR, g_trustedServerID, sizeof(g_trustedServerID), &g_actualServerIDSize); 01418 if (PAL_SUCCESS != status) 01419 { 01420 pal_x509Free(&trustedServerCA); 01421 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01422 } 01423 /*#6*/ 01424 status = storage_rbp_write(STORAGE_RBP_TRUSTED_TIME_SRV_ID_NAME, (uint8_t*)g_trustedServerID, g_actualServerIDSize, false); 01425 if (PAL_SUCCESS != status) 01426 { 01427 status = pal_x509Free(&trustedServerCA); 01428 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01429 } 01430 01431 /*#7*/ 01432 status = pal_connect(g_socket, &socketAddr, addressLength); 01433 if (PAL_SUCCESS != status) 01434 { 01435 pal_x509Free(&trustedServerCA); 01436 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01437 } 01438 /*#8*/ 01439 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 01440 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01441 /*#9*/ 01442 status = pal_initTLS(palTLSConf, &palTLSHandle); 01443 if (PAL_SUCCESS != status) 01444 { 01445 pal_freeTLS(&palTLSHandle); 01446 pal_tlsConfigurationFree(&palTLSConf); 01447 pal_x509Free(&trustedServerCA); 01448 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01449 } 01450 01451 /*#10*/ 01452 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 01453 if (PAL_SUCCESS != status) 01454 { 01455 pal_freeTLS(&palTLSHandle); 01456 pal_tlsConfigurationFree(&palTLSConf); 01457 pal_x509Free(&trustedServerCA); 01458 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01459 } 01460 /*#11*/ 01461 status = pal_setCAChain(palTLSConf, &caCert, NULL); 01462 if (PAL_SUCCESS != status) 01463 { 01464 pal_freeTLS(&palTLSHandle); 01465 pal_tlsConfigurationFree(&palTLSConf); 01466 pal_x509Free(&trustedServerCA); 01467 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01468 } 01469 /*#12*/ 01470 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 01471 if (PAL_SUCCESS != status) 01472 { 01473 pal_freeTLS(&palTLSHandle); 01474 pal_tlsConfigurationFree(&palTLSConf); 01475 pal_x509Free(&trustedServerCA); 01476 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01477 } 01478 /*#13*/ 01479 status = pal_osSetStrongTime(futureTime); 01480 if (PAL_SUCCESS != status) 01481 { 01482 pal_freeTLS(&palTLSHandle); 01483 pal_tlsConfigurationFree(&palTLSConf); 01484 pal_x509Free(&trustedServerCA); 01485 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01486 } 01487 /*#14*/ 01488 status = pal_handShake(palTLSHandle, palTLSConf); 01489 if (PAL_SUCCESS != status) 01490 { 01491 pal_freeTLS(&palTLSHandle); 01492 pal_tlsConfigurationFree(&palTLSConf); 01493 pal_x509Free(&trustedServerCA); 01494 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01495 } 01496 /*#15*/ 01497 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 01498 if (PAL_SUCCESS != status) 01499 { 01500 pal_freeTLS(&palTLSHandle); 01501 pal_tlsConfigurationFree(&palTLSConf); 01502 pal_x509Free(&trustedServerCA); 01503 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_EXPIRED & verifyResult); 01504 } 01505 /*#16*/ 01506 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 01507 if (PAL_SUCCESS != status) 01508 { 01509 pal_freeTLS(&palTLSHandle); 01510 pal_tlsConfigurationFree(&palTLSConf); 01511 pal_x509Free(&trustedServerCA); 01512 TEST_ASSERT_EQUAL_HEX(PAL_ERR_X509_BADCERT_EXPIRED, status); 01513 } 01514 01515 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 01516 /*#14*/ 01517 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 01518 if (PAL_SUCCESS != status) 01519 { 01520 pal_freeTLS(&palTLSHandle); 01521 pal_tlsConfigurationFree(&palTLSConf); 01522 pal_x509Free(&trustedServerCA); 01523 TEST_ASSERT_EQUAL_HEX(PAL_ERR_X509_BADCERT_EXPIRED, status); 01524 } 01525 01526 #ifdef PAL_TLS_RESPONSE_MESSAGE 01527 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 01528 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 01529 #endif 01530 01531 /*#17*/ 01532 status = pal_freeTLS(&palTLSHandle); 01533 if (PAL_SUCCESS != status) 01534 { 01535 pal_x509Free(&trustedServerCA); 01536 pal_tlsConfigurationFree(&palTLSConf); 01537 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01538 } 01539 /*#18*/ 01540 status = pal_tlsConfigurationFree(&palTLSConf); 01541 if (PAL_SUCCESS != status) 01542 { 01543 pal_x509Free(&trustedServerCA); 01544 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01545 } 01546 /*#19*/ 01547 status = pal_x509Free(&trustedServerCA); 01548 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01549 /*#20*/ 01550 updatedTime = pal_osGetTime(); 01551 TEST_ASSERT_TRUE(updatedTime < futureTime); 01552 01553 status = pal_close(&g_socket); 01554 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01555 01556 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&updatedTime, sizeof(updatedTime), &actualSavedTimeSize); 01557 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01558 TEST_ASSERT_TRUE(updatedTime <= futureTime); 01559 01560 status = storage_rbp_read(STORAGE_RBP_LAST_TIME_BACK_NAME, (uint8_t*)&updatedTime, sizeof(updatedTime), &actualSavedTimeSize); 01561 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01562 TEST_ASSERT_TRUE(updatedTime <= futureTime); 01563 #else 01564 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 01565 #endif 01566 } 01567 01568 /** 01569 * @brief Test TLS handshake (TCP blocking) with near future time and validate that the handshake didn't update the device time (due to set time rules) 01570 * 01571 * 01572 * | # | Step | Expected | 01573 * |---|--------------------------------|-------------| 01574 * | 1 | Get saved time from storage, move backward half day and set time to RAM | PAL_SUCCESS | 01575 * | 2 | Create a TCP (blocking) socket. | PAL_SUCCESS | 01576 * | 3 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 01577 * | 4 | Set the server port. | PAL_SUCCESS | 01578 * | 5 | Parse the CA cert. | PAL_SUCCESS | 01579 * | 6 | Get the CA cert ID. | PAL_SUCCESS | 01580 * | 7 | Set the CA cert ID into the storage. | PAL_SUCCESS | 01581 * | 8 | Connect the TCP socket to the server. | PAL_SUCCESS | 01582 * | 9 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 01583 * | 10 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 01584 * | 11 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 01585 * | 12 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 01586 * | 13 | Set the socket to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 01587 * | 14 | Perform a TLS handshake with the server using `pal_handShake`. | PAL_SUCCESS | 01588 * | 15 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 01589 * | 16 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 01590 * | 17 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 01591 * | 18 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 01592 * | 19 | Free X509 Handle. | PAL_SUCCESS | 01593 * | 20 | Verify that the time was NOT updated during the handshake. | PAL_SUCCESS | 01594 */ 01595 TEST(pal_tls, tlsHandshakeTCP_FutureTrustedServer_NoTimeUpdate) 01596 { 01597 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 01598 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 01599 palStatus_t status = PAL_SUCCESS; 01600 palTLSConfHandle_t palTLSConf = NULLPTR; 01601 palTLSHandle_t palTLSHandle = NULLPTR; 01602 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 01603 palSocketAddress_t socketAddr = { 0 }; 01604 palSocketLength_t addressLength = 0; 01605 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 01606 uint32_t actualLen = 0; 01607 uint32_t written = 0; 01608 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 01609 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 01610 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 01611 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 01612 uint64_t currentTime = 0; 01613 uint64_t updatedTime = 0; 01614 size_t actualSavedTimeSize = 0; 01615 palX509Handle_t trustedServerCA = NULLPTR; 01616 int32_t verifyResult = 0; 01617 struct server_address server; 01618 01619 //save valid time since the storage was cleared during TEST_SETUP 01620 uint64_t valid_time = PAL_MIN_SEC_FROM_EPOCH + PAL_SECONDS_PER_DAY * 100; 01621 status = storage_rbp_write(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t *)&valid_time, sizeof(uint64_t), false); 01622 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01623 01624 01625 /*#1*/ 01626 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, sizeof(currentTime), &actualSavedTimeSize); 01627 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01628 TEST_ASSERT_TRUE(0 != currentTime); 01629 01630 status = pal_osSetTime(currentTime - (PAL_SECONDS_PER_DAY / 2));//going back half day to simulate future server by half day (in order to prevent time update) 01631 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01632 /*#2*/ 01633 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 01634 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01635 /*#3*/ 01636 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 01637 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 01638 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 01639 { 01640 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 01641 status = pal_close(&g_socket); 01642 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01643 return; 01644 } 01645 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01646 /*#4*/ 01647 status = pal_setSockAddrPort(&socketAddr, server.port); 01648 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01649 01650 tlsSocket.addressLength = addressLength; 01651 tlsSocket.socket = g_socket; 01652 01653 /*#5*/ 01654 status = pal_x509Initiate(&trustedServerCA); 01655 TEST_ASSERT_NOT_EQUAL(trustedServerCA, NULLPTR); 01656 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01657 01658 status = pal_x509CertParse(trustedServerCA, (const unsigned char *)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE); 01659 if (PAL_SUCCESS != status) 01660 { 01661 pal_x509Free(&trustedServerCA); 01662 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01663 } 01664 /*#6*/ 01665 status = pal_x509CertGetAttribute(trustedServerCA, PAL_X509_CERT_ID_ATTR, g_trustedServerID, sizeof(g_trustedServerID), &g_actualServerIDSize); 01666 if (PAL_SUCCESS != status) 01667 { 01668 pal_x509Free(&trustedServerCA); 01669 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01670 } 01671 /*#7*/ 01672 status = storage_rbp_write(STORAGE_RBP_TRUSTED_TIME_SRV_ID_NAME, (uint8_t*)g_trustedServerID, g_actualServerIDSize, false); 01673 if (PAL_SUCCESS != status) 01674 { 01675 status = pal_x509Free(&trustedServerCA); 01676 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01677 } 01678 01679 /*#8*/ 01680 status = pal_connect(g_socket, &socketAddr, addressLength); 01681 if (PAL_SUCCESS != status) 01682 { 01683 pal_x509Free(&trustedServerCA); 01684 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01685 } 01686 /*#9*/ 01687 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 01688 if (PAL_SUCCESS != status) 01689 { 01690 pal_x509Free(&trustedServerCA); 01691 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01692 } 01693 /*#10*/ 01694 status = pal_initTLS(palTLSConf, &palTLSHandle); 01695 if (PAL_SUCCESS != status) 01696 { 01697 pal_freeTLS(&palTLSHandle); 01698 pal_tlsConfigurationFree(&palTLSConf); 01699 pal_x509Free(&trustedServerCA); 01700 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01701 } 01702 01703 /*#11*/ 01704 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 01705 if (PAL_SUCCESS != status) 01706 { 01707 pal_freeTLS(&palTLSHandle); 01708 pal_tlsConfigurationFree(&palTLSConf); 01709 pal_x509Free(&trustedServerCA); 01710 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01711 } 01712 /*#12*/ 01713 status = pal_setCAChain(palTLSConf, &caCert, NULL); 01714 if (PAL_SUCCESS != status) 01715 { 01716 pal_freeTLS(&palTLSHandle); 01717 pal_tlsConfigurationFree(&palTLSConf); 01718 pal_x509Free(&trustedServerCA); 01719 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01720 } 01721 /*#13*/ 01722 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 01723 if (PAL_SUCCESS != status) 01724 { 01725 pal_freeTLS(&palTLSHandle); 01726 pal_tlsConfigurationFree(&palTLSConf); 01727 pal_x509Free(&trustedServerCA); 01728 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01729 } 01730 /*#14*/ 01731 status = pal_handShake(palTLSHandle, palTLSConf); 01732 if (PAL_SUCCESS != status) 01733 { 01734 pal_freeTLS(&palTLSHandle); 01735 pal_tlsConfigurationFree(&palTLSConf); 01736 pal_x509Free(&trustedServerCA); 01737 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01738 } 01739 /*#15*/ 01740 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 01741 if (PAL_SUCCESS != status) 01742 { 01743 pal_freeTLS(&palTLSHandle); 01744 pal_tlsConfigurationFree(&palTLSConf); 01745 pal_x509Free(&trustedServerCA); 01746 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_EXPIRED & verifyResult); 01747 } 01748 /*#16*/ 01749 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 01750 if (PAL_SUCCESS != status) 01751 { 01752 pal_freeTLS(&palTLSHandle); 01753 pal_tlsConfigurationFree(&palTLSConf); 01754 pal_x509Free(&trustedServerCA); 01755 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01756 } 01757 01758 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 01759 /*#14*/ 01760 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 01761 if (PAL_SUCCESS != status) 01762 { 01763 pal_freeTLS(&palTLSHandle); 01764 pal_tlsConfigurationFree(&palTLSConf); 01765 pal_x509Free(&trustedServerCA); 01766 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01767 } 01768 01769 #ifdef PAL_TLS_RESPONSE_MESSAGE 01770 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 01771 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 01772 #endif 01773 01774 /*#17*/ 01775 status = pal_freeTLS(&palTLSHandle); 01776 if (PAL_SUCCESS != status) 01777 { 01778 pal_tlsConfigurationFree(&palTLSConf); 01779 pal_x509Free(&trustedServerCA); 01780 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01781 } 01782 /*#18*/ 01783 status = pal_tlsConfigurationFree(&palTLSConf); 01784 if (PAL_SUCCESS != status) 01785 { 01786 pal_x509Free(&trustedServerCA); 01787 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01788 } 01789 /*#19*/ 01790 status = pal_x509Free(&trustedServerCA); 01791 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01792 01793 status = pal_close(&g_socket); 01794 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01795 01796 /*#20*/ 01797 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&updatedTime, sizeof(updatedTime), &actualSavedTimeSize); 01798 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01799 TEST_ASSERT_EQUAL_HEX(currentTime, updatedTime); 01800 #else 01801 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 01802 #endif 01803 } 01804 01805 /** 01806 * @brief Test TLS handshake (TCP blocking) with near past time and validate that the handshake didn't update the device time (due to set time rules) 01807 * 01808 * 01809 * | # | Step | Expected | 01810 * |---|--------------------------------|-------------| 01811 * | 1 | Get saved time from storage, move forward half day and set time to RAM | PAL_SUCCESS | 01812 * | 2 | Create a TCP (blocking) socket. | PAL_SUCCESS | 01813 * | 3 | Perform a DNS lookup on the server address. | PAL_SUCCESS | 01814 * | 4 | Set the server port. | PAL_SUCCESS | 01815 * | 5 | Parse the CA cert. | PAL_SUCCESS | 01816 * | 6 | Get the CA cert ID. | PAL_SUCCESS | 01817 * | 7 | Set the CA cert ID into the storage. | PAL_SUCCESS | 01818 * | 8 | Connect the TCP socket to the server. | PAL_SUCCESS | 01819 * | 9 | Initialize the TLS configuration using `pal_initTLSConfiguration`. | PAL_SUCCESS | 01820 * | 10 | Initialize the TLS context using `pal_initTLS`. | PAL_SUCCESS | 01821 * | 11 | Set the certificate and keys to the configuration using `pal_setOwnCertAndPrivateKey`.| PAL_SUCCESS | 01822 * | 12 | Set the certificate chain to the configuration using `pal_setCAChain`. | PAL_SUCCESS | 01823 * | 13 | Set the socket to the configuration using `pal_tlsSetSocket`. | PAL_SUCCESS | 01824 * | 14 | Perform a TLS handshake with the server using `pal_handShake`. | PAL_SUCCESS | 01825 * | 15 | Verify the handshake result using `pal_sslGetVerifyResult`. | PAL_SUCCESS | 01826 * | 16 | Write data over open TLS connection using `pal_sslWrite`. | PAL_SUCCESS | 01827 * | 17 | Uninitialize the TLS context using `pal_freeTLS`. | PAL_SUCCESS | 01828 * | 18 | Uninitialize the TLS configuration using `pal_tlsConfigurationFree`. | PAL_SUCCESS | 01829 * | 19 | Free X509 handle. | PAL_SUCCESS | 01830 * | 20 | Verify that the time was NOT updated during the handshake. | PAL_SUCCESS | 01831 */ 01832 TEST(pal_tls, tlsHandshakeTCP_NearPastTrustedServer_NoTimeUpdate) 01833 { 01834 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 01835 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_USE_INTERNAL_FLASH == 1)) 01836 palStatus_t status = PAL_SUCCESS; 01837 palTLSConfHandle_t palTLSConf = NULLPTR; 01838 palTLSHandle_t palTLSHandle = NULLPTR; 01839 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 01840 palSocketAddress_t socketAddr = { 0 }; 01841 palSocketLength_t addressLength = 0; 01842 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 01843 uint32_t actualLen = 0; 01844 uint32_t written = 0; 01845 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 01846 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 01847 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 01848 palTLSSocket_t tlsSocket = { g_socket, &socketAddr, 0, transportationMode }; 01849 uint64_t currentTime = 0; 01850 uint64_t updatedTime = 0; 01851 size_t actualSavedTimeSize = 0; 01852 palX509Handle_t trustedServerCA = NULLPTR; 01853 int32_t verifyResult = 0; 01854 struct server_address server; 01855 01856 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 01857 01858 //save valid time since the storage was cleared during TEST_SETUP 01859 uint64_t valid_time = PAL_MIN_SEC_FROM_EPOCH + PAL_SECONDS_PER_DAY * 100; 01860 status = storage_rbp_write(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t *)&valid_time, sizeof(uint64_t), false); 01861 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01862 01863 /*#1*/ 01864 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)¤tTime, sizeof(currentTime), &actualSavedTimeSize); 01865 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01866 TEST_ASSERT_TRUE(0 != currentTime); 01867 01868 status = pal_osSetTime(currentTime + (PAL_SECONDS_PER_DAY / 2)); 01869 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01870 /*#2*/ 01871 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, false, 0, &g_socket); 01872 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01873 /*#3*/ 01874 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 01875 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 01876 { 01877 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 01878 status = pal_close(&g_socket); 01879 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01880 return; 01881 } 01882 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01883 /*#4*/ 01884 status = pal_setSockAddrPort(&socketAddr, server.port); 01885 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01886 01887 tlsSocket.addressLength = addressLength; 01888 tlsSocket.socket = g_socket; 01889 01890 /*#5*/ 01891 status = pal_x509Initiate(&trustedServerCA); 01892 TEST_ASSERT_NOT_EQUAL(trustedServerCA, NULLPTR); 01893 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01894 01895 status = pal_x509CertParse(trustedServerCA, (const unsigned char *)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE); 01896 if (PAL_SUCCESS != status) 01897 { 01898 pal_x509Free(&trustedServerCA); 01899 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01900 } 01901 /*#6*/ 01902 status = pal_x509CertGetAttribute(trustedServerCA, PAL_X509_CERT_ID_ATTR, g_trustedServerID, sizeof(g_trustedServerID), &g_actualServerIDSize); 01903 if (PAL_SUCCESS != status) 01904 { 01905 pal_x509Free(&trustedServerCA); 01906 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01907 } 01908 /*#7*/ 01909 status = storage_rbp_write(STORAGE_RBP_TRUSTED_TIME_SRV_ID_NAME, (uint8_t*)g_trustedServerID, g_actualServerIDSize, false); 01910 if (PAL_SUCCESS != status) 01911 { 01912 status = pal_x509Free(&trustedServerCA); 01913 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01914 } 01915 01916 /*#8*/ 01917 status = pal_connect(g_socket, &socketAddr, addressLength); 01918 if (PAL_SUCCESS != status) 01919 { 01920 pal_x509Free(&trustedServerCA); 01921 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01922 } 01923 /*#9*/ 01924 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 01925 if (PAL_SUCCESS != status) 01926 { 01927 pal_x509Free(&trustedServerCA); 01928 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01929 } 01930 /*#10*/ 01931 status = pal_initTLS(palTLSConf, &palTLSHandle); 01932 if (PAL_SUCCESS != status) 01933 { 01934 pal_freeTLS(&palTLSHandle); 01935 pal_tlsConfigurationFree(&palTLSConf); 01936 pal_x509Free(&trustedServerCA); 01937 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01938 } 01939 01940 /*#11*/ 01941 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 01942 if (PAL_SUCCESS != status) 01943 { 01944 pal_freeTLS(&palTLSHandle); 01945 pal_tlsConfigurationFree(&palTLSConf); 01946 pal_x509Free(&trustedServerCA); 01947 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01948 } 01949 /*#12*/ 01950 status = pal_setCAChain(palTLSConf, &caCert, NULL); 01951 if (PAL_SUCCESS != status) 01952 { 01953 pal_freeTLS(&palTLSHandle); 01954 pal_tlsConfigurationFree(&palTLSConf); 01955 pal_x509Free(&trustedServerCA); 01956 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01957 } 01958 /*#13*/ 01959 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 01960 if (PAL_SUCCESS != status) 01961 { 01962 pal_freeTLS(&palTLSHandle); 01963 pal_tlsConfigurationFree(&palTLSConf); 01964 pal_x509Free(&trustedServerCA); 01965 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01966 } 01967 /*#14*/ 01968 status = pal_handShake(palTLSHandle, palTLSConf); 01969 if (PAL_SUCCESS != status) 01970 { 01971 pal_freeTLS(&palTLSHandle); 01972 pal_tlsConfigurationFree(&palTLSConf); 01973 pal_x509Free(&trustedServerCA); 01974 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01975 } 01976 /*#15*/ 01977 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 01978 if (PAL_SUCCESS != status) 01979 { 01980 pal_freeTLS(&palTLSHandle); 01981 pal_tlsConfigurationFree(&palTLSConf); 01982 pal_x509Free(&trustedServerCA); 01983 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_EXPIRED & verifyResult); 01984 } 01985 /*#16*/ 01986 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 01987 if (PAL_SUCCESS != status) 01988 { 01989 pal_freeTLS(&palTLSHandle); 01990 pal_tlsConfigurationFree(&palTLSConf); 01991 pal_x509Free(&trustedServerCA); 01992 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 01993 } 01994 01995 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 01996 /*#14*/ 01997 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 01998 if (PAL_SUCCESS != status) 01999 { 02000 pal_freeTLS(&palTLSHandle); 02001 pal_tlsConfigurationFree(&palTLSConf); 02002 pal_x509Free(&trustedServerCA); 02003 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02004 } 02005 02006 #ifdef PAL_TLS_RESPONSE_MESSAGE 02007 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 02008 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 02009 #endif 02010 02011 /*#17*/ 02012 status = pal_freeTLS(&palTLSHandle); 02013 if (PAL_SUCCESS != status) 02014 { 02015 pal_tlsConfigurationFree(&palTLSConf); 02016 pal_x509Free(&trustedServerCA); 02017 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02018 } 02019 /*#18*/ 02020 status = pal_tlsConfigurationFree(&palTLSConf); 02021 if (PAL_SUCCESS != status) 02022 { 02023 pal_x509Free(&trustedServerCA); 02024 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02025 } 02026 /*#19*/ 02027 status = pal_x509Free(&trustedServerCA); 02028 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02029 02030 status = pal_close(&g_socket); 02031 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02032 /*#20*/ 02033 status = storage_rbp_read(STORAGE_RBP_SAVED_TIME_NAME, (uint8_t*)&updatedTime, sizeof(updatedTime), &actualSavedTimeSize); 02034 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02035 TEST_ASSERT_EQUAL_HEX(currentTime, updatedTime); 02036 #else 02037 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_USE_INTERNAL_FLASH not set"); 02038 #endif 02039 } 02040 02041 // Introduce helper functions to be used in TCPHandshakeWhileCertVerify_threads test. 02042 // The test is only ran if PAL_USE_SECURE_TIME and PAL_ENABLE_X509 are set so helper 02043 // functions can also be under those checks 02044 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_ENABLE_X509 == 1)) 02045 static palStatus_t ThreadHandshakeTCP(bool socketNonBlocking) 02046 { 02047 palStatus_t status = PAL_SUCCESS; 02048 palStatus_t tmpStatus = PAL_SUCCESS; 02049 palTLSConfHandle_t palTLSConf = NULLPTR; 02050 palTLSHandle_t palTLSHandle = NULLPTR; 02051 palTLSTransportMode_t transportationMode = PAL_TLS_MODE; 02052 palSocketAddress_t socketAddr = {0}; 02053 palSocketLength_t addressLength = 0; 02054 char serverResponse[PAL_TLS_RESPONSE_SIZE] = {0}; 02055 uint32_t actualLen = 0; 02056 uint32_t written = 0; 02057 palSocket_t socketTCP = 0; 02058 palX509_t pubKey = {(const void*)PAL_TLS_TEST_DEVICE_CERTIFICATE, MAX_CERTIFICATE_SIZE}; 02059 palPrivateKey_t prvKey = {(const void*)PAL_TLS_TEST_DEVICE_PRIVATE_KEY, MAX_CERTIFICATE_SIZE}; 02060 palX509_t caCert = { (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE }; 02061 palTLSSocket_t tlsSocket = { socketTCP, &socketAddr, 0, transportationMode }; 02062 palTLSTest_t *testTLSCtx = NULL; 02063 palStatus_t mutexStatus = PAL_SUCCESS; 02064 bool mutexWait = false; 02065 int32_t verifyResult = 0; 02066 struct server_address server; 02067 02068 mutexWait = true; 02069 /*#1*/ 02070 status = pal_socket(PAL_AF_INET, PAL_SOCK_STREAM, socketNonBlocking, 0, &socketTCP); 02071 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02072 /*#2*/ 02073 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 02074 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 02075 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02076 02077 tlsSocket.addressLength = addressLength; 02078 tlsSocket.socket = socketTCP; 02079 /*#3*/ 02080 status = pal_setSockAddrPort(&socketAddr, server.port); 02081 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02082 02083 /*#4*/ 02084 status = pal_connect(socketTCP, &socketAddr, addressLength); 02085 if (PAL_ERR_SOCKET_IN_PROGRES == status) 02086 { 02087 pal_osDelay(500); 02088 } 02089 else 02090 { 02091 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02092 } 02093 /*#5*/ 02094 status = pal_initTLSConfiguration(&palTLSConf, transportationMode); 02095 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02096 TEST_ASSERT_NOT_EQUAL(palTLSConf, NULLPTR); 02097 /*#6*/ 02098 status = pal_initTLS(palTLSConf, &palTLSHandle); 02099 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02100 02101 // This code commented out to prevent massive prints from mbedTLS, if you want to see logs from client side, just uncomment them. 02102 //status = pal_sslSetDebugging(palTLSConf, true); 02103 //TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02104 /*#7*/ 02105 status = pal_setOwnCertAndPrivateKey(palTLSConf, &pubKey, &prvKey); 02106 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02107 /*#8*/ 02108 status = pal_setCAChain(palTLSConf, &caCert, NULL); 02109 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02110 /*#9*/ 02111 status = pal_tlsSetSocket(palTLSConf, &tlsSocket); 02112 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02113 /*#10*/ 02114 testTLSCtx = (palTLSTest_t*)palTLSHandle; //This casting is done to sign that we are in retry situation. 02115 if (true == socketNonBlocking) 02116 { 02117 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); // More than current epoch time -> success 02118 do 02119 { 02120 if (testTLSCtx->retryHandShake && !g_retryHandshake) 02121 { 02122 g_retryHandshake = true; 02123 if (mutexWait) 02124 { 02125 mutexStatus = pal_osMutexRelease(g_mutexHandShake1); 02126 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02127 mutexWait = false; 02128 pal_osDelay(600); 02129 } 02130 } 02131 status = pal_handShake(palTLSHandle, palTLSConf); 02132 } 02133 while ( (PAL_ERR_TLS_WANT_READ == status) || (PAL_ERR_TLS_WANT_WRITE == status)); 02134 } 02135 else //blocking 02136 { 02137 status = pal_handShake(palTLSHandle, palTLSConf); 02138 } 02139 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02140 02141 /*#11*/ 02142 status = pal_sslGetVerifyResultExtended(palTLSHandle, &verifyResult); 02143 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02144 /*#12*/ 02145 status = pal_sslWrite(palTLSHandle, PAL_TLS_REQUEST_MESSAGE, sizeof(PAL_TLS_REQUEST_MESSAGE), &written); 02146 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02147 /*#13*/ 02148 pal_osDelay(PAL_TLS_RESPONSE_WAIT_MS); 02149 02150 /*#14*/ 02151 status = pal_sslRead(palTLSHandle, serverResponse, PAL_TLS_RESPONSE_SIZE, &actualLen); 02152 PAL_TLS_INT32_CHECK_NOT_EQUAL_GOTO_FINISH(PAL_SUCCESS, status); 02153 02154 #ifdef PAL_TLS_RESPONSE_MESSAGE 02155 TEST_ASSERT_EQUAL(PAL_TLS_RESPONSE_SIZE, actualLen); 02156 TEST_ASSERT_EQUAL_HEX8_ARRAY(PAL_TLS_RESPONSE_MESSAGE, serverResponse, PAL_TLS_RESPONSE_SIZE); 02157 #endif 02158 02159 finish: 02160 if (mutexWait) 02161 { 02162 mutexStatus = pal_osMutexRelease(g_mutexHandShake1); 02163 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02164 } 02165 /*#15*/ 02166 tmpStatus = pal_freeTLS(&palTLSHandle); 02167 if (PAL_SUCCESS != tmpStatus) 02168 { 02169 PAL_LOG_ERR("Expected: %d , Actual: %d , Line: %d\n", (int)PAL_SUCCESS, (int)tmpStatus, __LINE__); 02170 } 02171 /*#16*/ 02172 tmpStatus = pal_tlsConfigurationFree(&palTLSConf); 02173 if (PAL_SUCCESS != tmpStatus) 02174 { 02175 PAL_LOG_ERR("Expected: %d , Actual: %d , Line: %d\n", (int)PAL_SUCCESS, (int)tmpStatus, __LINE__); 02176 } 02177 /*#17*/ 02178 tmpStatus = pal_close(&socketTCP); 02179 if (PAL_SUCCESS != tmpStatus) 02180 { 02181 PAL_LOG_ERR("Expected: %d , Actual: %d , Line: %d\n", (int)PAL_SUCCESS, (int)tmpStatus, __LINE__); 02182 } 02183 if (PAL_SUCCESS == status) 02184 { 02185 status = tmpStatus; 02186 } 02187 return status; 02188 02189 } 02190 02191 void pal_TCPHandshakeFunc3(void const *argument) 02192 { 02193 palStatus_t mutexStatus = PAL_SUCCESS; 02194 palStatus_t* arg = (palStatus_t*)argument; 02195 02196 mutexStatus = pal_osMutexWait(g_mutexHandShake1, PAL_RTOS_WAIT_FOREVER); 02197 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02198 02199 mutexStatus = pal_osMutexWait(g_mutex1, PAL_RTOS_WAIT_FOREVER); 02200 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02201 02202 *arg = ThreadHandshakeTCP(true); 02203 02204 mutexStatus = pal_osMutexRelease(g_mutex1); 02205 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02206 } 02207 02208 void pal_CertVerify(void const *argument) 02209 { 02210 palStatus_t status = PAL_SUCCESS; 02211 palStatus_t mutexStatus = PAL_SUCCESS; 02212 palStatus_t* arg = (palStatus_t*)argument; 02213 palX509Handle_t certHandle = NULLPTR; 02214 int32_t verifyResult = 0; 02215 02216 mutexStatus = pal_osMutexWait(g_mutexHandShake1, PAL_RTOS_WAIT_FOREVER); 02217 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02218 02219 status = pal_osMutexWait(g_mutex2, PAL_RTOS_WAIT_FOREVER); 02220 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02221 02222 status = pal_x509Initiate(&certHandle); 02223 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02224 02225 status = pal_x509CertParse(certHandle, (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE); 02226 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02227 02228 PAL_LOG_INFO("Calling Cert Verify.."); 02229 *arg = pal_x509CertVerifyExtended(certHandle, certHandle, &verifyResult); 02230 TEST_ASSERT_TRUE(PAL_ERR_X509_BADCERT_FUTURE & verifyResult); 02231 02232 pal_x509Free(&certHandle); 02233 02234 mutexStatus = pal_osMutexRelease(g_mutexHandShake1); 02235 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02236 02237 mutexStatus = pal_osMutexRelease(g_mutex2); 02238 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, mutexStatus); 02239 } 02240 02241 static void runTLSThreadTest(palThreadFuncPtr func1, palThreadFuncPtr func2, palStatus_t test1Result, palStatus_t test2Result) 02242 { 02243 palStatus_t status = PAL_SUCCESS; 02244 palThreadID_t threadID1 = NULLPTR; 02245 palThreadID_t threadID2 = NULLPTR; 02246 palStatus_t tlsArgs1 = PAL_SUCCESS; 02247 palStatus_t tlsArgs2 = PAL_SUCCESS; 02248 02249 status = pal_osMutexCreate(&g_mutexHandShake1); 02250 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02251 02252 status = pal_osMutexCreate(&g_mutex1); 02253 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02254 02255 status = pal_osMutexCreate(&g_mutex2); 02256 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02257 02258 status = pal_osMutexWait(g_mutexHandShake1, PAL_RTOS_WAIT_FOREVER); 02259 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02260 02261 status = pal_osThreadCreateWithAlloc(func1, &tlsArgs1, PAL_osPriorityHigh, 5*PAL_TEST_THREAD_STACK_SIZE, NULL, &threadID1); 02262 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02263 02264 status = pal_osMutexRelease(g_mutexHandShake1); 02265 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02266 02267 pal_osDelay(100); 02268 02269 status = pal_osThreadCreateWithAlloc(func2, &tlsArgs2, PAL_osPriorityAboveNormal, 5*PAL_TEST_THREAD_STACK_SIZE, NULL, &threadID2); 02270 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02271 02272 status = pal_osMutexWait(g_mutex1, PAL_RTOS_WAIT_FOREVER); 02273 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02274 02275 status = pal_osMutexWait(g_mutex2, PAL_RTOS_WAIT_FOREVER); 02276 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02277 02278 status = pal_osThreadTerminate(&threadID1); 02279 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02280 02281 status = pal_osThreadTerminate(&threadID2); 02282 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02283 02284 status = pal_osMutexRelease(g_mutex1); 02285 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02286 02287 status = pal_osMutexRelease(g_mutex2); 02288 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02289 02290 status = pal_osMutexDelete(&g_mutex1); 02291 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02292 02293 status = pal_osMutexDelete(&g_mutex2); 02294 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02295 02296 status = pal_osMutexDelete(&g_mutexHandShake1); 02297 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02298 02299 TEST_ASSERT_EQUAL_HEX(test1Result, tlsArgs1); 02300 TEST_ASSERT_EQUAL_HEX(test2Result, tlsArgs2); 02301 } 02302 #endif 02303 02304 02305 /** 02306 * @brief Test try to process certificate verification with future certificate validation time while processing handshake 02307 * in another thread to update the device time, we need to check that certificate verification is done against the 02308 * broken device time (0) and after handshake is done, we need to re-verify against the fixed time according to the 02309 * server time sent by the server during handshake. 02310 * 02311 * 02312 * | # | Step | Expected | 02313 * |---|--------------------------------|-------------| 02314 * | 1 | Create Thread1 to process DTLS handshake | PAL_SUCCESS | 02315 * | 1 | Create Thread2 to process TLS handshake | PAL_ERR_X509_CERT_VERIFY_FAILED | 02316 */ 02317 TEST(pal_tls, TCPHandshakeWhileCertVerify_threads) 02318 { 02319 TEST_IGNORE_MESSAGE("Ignored, Linux PAL tests don't get credentials from mbed_cloud_dev_credentials.c"); 02320 #if ((PAL_USE_SECURE_TIME == 1) && (PAL_ENABLE_X509 == 1)) 02321 palStatus_t status = PAL_SUCCESS; 02322 palX509Handle_t certHandle = NULLPTR; 02323 uint64_t systemTime = 0; 02324 palSocketAddress_t socketAddr = { 0 }; 02325 palSocketLength_t addressLength = 0; 02326 struct server_address server; 02327 02328 parseServerAddress(&server, PAL_TLS_TEST_SERVER_ADDRESS_TCP); 02329 02330 status = pal_getAddressInfo(server.hostname, &socketAddr, &addressLength); 02331 if ((PAL_ERR_SOCKET_DNS_ERROR == status) || (PAL_ERR_SOCKET_INVALID_ADDRESS_FAMILY == status)) 02332 { 02333 PAL_LOG_ERR("error: address lookup returned an address not supported by current configuration cant continue test ( IPv6 add for IPv4 only configuration or IPv4 for IPv6 only configuration or error)"); 02334 return; 02335 } 02336 02337 status = pal_osSetTime(0); 02338 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02339 02340 runTLSThreadTest(pal_TCPHandshakeFunc3, pal_CertVerify, PAL_SUCCESS, PAL_ERR_X509_CERT_VERIFY_FAILED); 02341 02342 systemTime = pal_osGetTime(); 02343 TEST_ASSERT_TRUE(0 < systemTime); 02344 02345 status = pal_x509Initiate(&certHandle); 02346 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02347 02348 status = pal_x509CertParse(certHandle, (const void*)PAL_TLS_TEST_SERVER_CA, MAX_CERTIFICATE_SIZE); 02349 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02350 02351 status = pal_x509CertVerify(certHandle, certHandle); 02352 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02353 02354 status = pal_x509Free(&certHandle); 02355 TEST_ASSERT_EQUAL_HEX(PAL_SUCCESS, status); 02356 #else 02357 TEST_IGNORE_MESSAGE("Ignored, PAL_USE_SECURE_TIME or PAL_ENABLE_X509 not set"); 02358 #endif 02359 } 02360 02361 02362 02363 02364 02365 02366 02367
Generated on Tue Jul 12 2022 20:21:02 by
1.7.2