Add known answer tests for TLS 1.3 record protection

This commit adds four known answer tests for TLS 1.3 record protection
from the following sources:

- RFC 8448 "Example Handshake Traces for TLS 1.3"
- tls13.ulfheim.net "The New Illustrated TLS Connection"

It extends the test coverage of the existing record protection tests
in the following ways:

- The existing record protection tests hand-craft record transform
  structures; the new tests use the function

     mbedtls_ssl_tls13_populate_transform()

  from library source to create an TLS 1.3 transform from raw
  key material and connection information.
- The existing record protection tests only check that encryption
  and decryption are inverse to each other; as such, they don't
  catch non-compliant implementations of encryption and decryption
  which happen to be inverse to each other. By adding a known answer
  test for TLS 1.3 record protection, can gain confidence that our
  implementation is indeed standards-compliant.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>

tests/suites/test_suite_ssl.data

@@ -6021,6 +6021,61 @@ SSL TLS 1.3 Key schedule: Handshake secrets derivation helper
 # Vector from RFC 8448
 ssl_tls1_3_derive_handshake_secrets:MBEDTLS_MD_SHA256:"005cb112fd8eb4ccc623bb88a07c64b3ede1605363fc7d0df8c7ce4ff0fb4ae6":"f736cb34fe25e701551bee6fd24c1cc7102a7daf9405cb15d97aafe16f757d03":"2faac08f851d35fea3604fcb4de82dc62c9b164a70974d0462e27f1ab278700f":"fe927ae271312e8bf0275b581c54eef020450dc4ecffaa05a1a35d27518e7803"
 
+SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #1
+# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
+# - Server App IV:  1b13dd9f8d8f17091d34b349
+# - Client App Key: 49134b95328f279f0183860589ac6707
+# - Client App IV:  bc4dd5f7b98acff85466261d
+# - App data payload: 70696e67
+# - Complete record:  1703030015c74061535eb12f5f25a781957874742ab7fb305dd5
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"70696e67":"c74061535eb12f5f25a781957874742ab7fb305dd5"
+
+SSL TLS 1.3 Record Encryption, tls13.ulfheim.net Example #2
+# - Server App Key: 0b6d22c8ff68097ea871c672073773bf
+# - Server App IV:  1b13dd9f8d8f17091d34b349
+# - Client App Key: 49134b95328f279f0183860589ac6707
+# - Client App IV:  bc4dd5f7b98acff85466261d
+# - App data payload: 706f6e67
+# - Complete record:  1703030015370e5f168afa7fb16b663ecdfca3dbb81931a90ca7
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"0b6d22c8ff68097ea871c672073773bf":"1b13dd9f8d8f17091d34b349":"49134b95328f279f0183860589ac6707":"bc4dd5f7b98acff85466261d":"706f6e67":"370e5f168afa7fb16b663ecdfca3dbb81931a90ca7"
+
+SSL TLS 1.3 Record Encryption RFC 8448 Example #1
+# Application Data record sent by Client in 1-RTT example of RFC 8448, Section 3
+# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
+# - Server App IV:  cf 78 2b 88 dd 83 54 9a ad f1 e9 84
+# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
+# - Client App IV:  5b 78 92 3d ee 08 57 90 33 e5 23 d9
+# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+#                     10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+#                     20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
+#                     30 31
+# - Complete record:  17 03 03 00 43 a2 3f 70 54 b6 2c 94 d0 af fa fe
+#                     82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f
+#                     2b 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b
+#                     62 97 4e 1f 5a 62 92 a2 97 70 14 bd 1e 3d ea e6
+#                     3a ee bb 21 69 49 15 e4
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_CLIENT:0:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"a23f7054b62c94d0affafe8228ba55cbefacea42f914aa66bcab3f2b9819a8a5b46b395bd54a9a20441e2b62974e1f5a6292a2977014bd1e3deae63aeebb21694915e4"
+
+SSL TLS 1.3 Record Encryption RFC 8448 Example #2
+# Application Data record sent by Server in 1-RTT example of RFC 8448, Section 3
+# - Server App Key: 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac 92 e3 56
+# - Server App IV:  cf 78 2b 88 dd 83 54 9a ad f1 e9 84
+# - Client App Key: 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6 3f 50 51
+# - Client App IV:  5b 78 92 3d ee 08 57 90 33 e5 23 d9
+# - App data payload: 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+#                     10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+#                     20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
+#                     30 31
+# - Complete record:  17 03 03 00 43 2e 93 7e 11 ef 4a c7 40 e5 38 ad
+#                     36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36
+#                     e3 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8
+#                     fc c4 9c 4b f2 e5 f0 a2 1c 00 47 c2 ab f3 32 54
+#                     0d d0 32 e1 67 c2 95 5d
+ssl_tls1_3_record_protection:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:MBEDTLS_SSL_IS_SERVER:1:"9f02283b6c9c07efc26bb9f2ac92e356":"cf782b88dd83549aadf1e984":"17422dda596ed5d9acd890e3c63f5051":"5b78923dee08579033e523d9":"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031":"2e937e11ef4ac740e538ad36005fc4a46932fc3225d05f82aa1b36e30efaf97d90e6dffc602dcb501a59a8fcc49c4bf2e5f0a21c0047c2abf332540dd032e167c2955d"
+
+SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
+ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
+
 SSL TLS 1.3 Key schedule: Application secrets derivation helper
 # Vector from RFC 8448
 ssl_tls1_3_derive_application_secrets:MBEDTLS_MD_SHA256:"e2d32d4ed66dd37897a0e80c84107503ce58bf8aad4cb55a5002d77ecb890ece":"b0aeffc46a2cfe33114e6fd7d51f9f04b1ca3c497dab08934a774a9d9ad7dbf3":"2abbf2b8e381d23dbebe1dd2a7d16a8bf484cb4950d23fb7fb7fa8547062d9a1":"cc21f1bf8feb7dd5fa505bd9c4b468a9984d554a993dc49e6d285598fb672691":"3fd93d4ffddc98e64b14dd107aedf8ee4add23f4510f58a4592d0b201bee56b4"

tests/suites/test_suite_ssl.function

@@ -3943,6 +3943,92 @@ void ssl_tls1_3_create_psk_binder( int hash_alg,
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+void ssl_tls1_3_record_protection( int ciphersuite,
+                                   int endpoint,
+                                   int ctr,
+                                   data_t *server_write_key,
+                                   data_t *server_write_iv,
+                                   data_t *client_write_key,
+                                   data_t *client_write_iv,
+                                   data_t *plaintext,
+                                   data_t *ciphertext )
+{
+    mbedtls_ssl_key_set keys;
+    mbedtls_ssl_transform transform_send;
+    mbedtls_ssl_transform transform_recv;
+    mbedtls_record rec;
+    unsigned char *buf = NULL;
+    int other_endpoint;
+
+    TEST_ASSERT( endpoint == MBEDTLS_SSL_IS_CLIENT ||
+                 endpoint == MBEDTLS_SSL_IS_SERVER );
+
+    if( endpoint == MBEDTLS_SSL_IS_SERVER )
+        other_endpoint = MBEDTLS_SSL_IS_CLIENT;
+    if( endpoint == MBEDTLS_SSL_IS_CLIENT )
+        other_endpoint = MBEDTLS_SSL_IS_SERVER;
+
+    TEST_ASSERT( server_write_key->len == client_write_key->len );
+    TEST_ASSERT( server_write_iv->len  == client_write_iv->len  );
+
+    memcpy( keys.client_write_key,
+            client_write_key->x, client_write_key->len );
+    memcpy( keys.client_write_iv,
+            client_write_iv->x, client_write_iv->len );
+    memcpy( keys.server_write_key,
+            server_write_key->x, server_write_key->len );
+    memcpy( keys.server_write_iv,
+            server_write_iv->x, server_write_iv->len );
+
+    keys.key_len = server_write_key->len;
+    keys.iv_len  = server_write_iv->len;
+
+    mbedtls_ssl_transform_init( &transform_recv );
+    mbedtls_ssl_transform_init( &transform_send );
+
+    TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+                     &transform_send, endpoint,
+                     ciphersuite, &keys, NULL ) == 0 );
+    TEST_ASSERT( mbedtls_ssl_tls13_populate_transform(
+                     &transform_recv, other_endpoint,
+                     ciphersuite, &keys, NULL ) == 0 );
+
+    ASSERT_ALLOC( buf, ciphertext->len );
+    rec.type   = MBEDTLS_SSL_MSG_APPLICATION_DATA;
+    mbedtls_ssl_write_version( MBEDTLS_SSL_MAJOR_VERSION_3,
+                               MBEDTLS_SSL_MINOR_VERSION_3,
+                               MBEDTLS_SSL_TRANSPORT_STREAM,
+                               rec.ver );
+
+    /* Copy plaintext into record structure */
+    rec.buf = buf;
+    rec.buf_len = ciphertext->len;
+    rec.data_offset = 0;
+    TEST_ASSERT( plaintext->len <= ciphertext->len );
+    memcpy( rec.buf + rec.data_offset, plaintext->x, plaintext->len );
+    rec.data_len = plaintext->len;
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
+    rec.cid_len = 0;
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
+
+    memset( &rec.ctr[0], 0, 8 );
+    rec.ctr[7] = ctr;
+
+    TEST_ASSERT( mbedtls_ssl_encrypt_buf( NULL, &transform_send, &rec,
+                                          NULL, NULL ) == 0 );
+    ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+                    ciphertext->x, ciphertext->len );
+
+    TEST_ASSERT( mbedtls_ssl_decrypt_buf( NULL, &transform_recv, &rec ) == 0 );
+    ASSERT_COMPARE( rec.buf + rec.data_offset, rec.data_len,
+                    plaintext->x, plaintext->len );
+
+    mbedtls_ssl_transform_free( &transform_send );
+    mbedtls_ssl_transform_free( &transform_recv );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 void ssl_tls1_3_key_evolution( int hash_alg,
                                data_t *secret,