mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
6c0ac9b99f
The "bad DTLS" tests run into trouble due to the special behavior for that "bad" version, and the SSL record tests need to set the -legacy_server_connect flag to allow an SSLv2 ClientHello to work against any TLS server (since SSLv2 ClientHello messages cannot carry extensions as would be needed in order to negotiate the use of the renegitiation_info extension). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15127)
608 lines
20 KiB
C
608 lines
20 KiB
C
/*
|
|
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/*
|
|
* Unit test for Cisco DTLS1_BAD_VER session resume, as used by
|
|
* AnyConnect VPN protocol.
|
|
*
|
|
* This is designed to exercise the code paths in
|
|
* http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
|
|
* which have frequently been affected by regressions in DTLS1_BAD_VER
|
|
* support.
|
|
*
|
|
* Note that unlike other SSL tests, we don't test against our own SSL
|
|
* server method. Firstly because we don't have one; we *only* support
|
|
* DTLS1_BAD_VER as a client. And secondly because even if that were
|
|
* fixed up it's the wrong thing to test against - because if changes
|
|
* are made in generic DTLS code which don't take DTLS1_BAD_VER into
|
|
* account, there's plenty of scope for making those changes such that
|
|
* they break *both* the client and the server in the same way.
|
|
*
|
|
* So we handle the server side manually. In a session resume there isn't
|
|
* much to be done anyway.
|
|
*/
|
|
#include <string.h>
|
|
|
|
#include <openssl/core_names.h>
|
|
#include <openssl/params.h>
|
|
#include <openssl/opensslconf.h>
|
|
#include <openssl/bio.h>
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/ssl.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/kdf.h>
|
|
#include "internal/packet.h"
|
|
#include "internal/nelem.h"
|
|
#include "testutil.h"
|
|
|
|
/* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
|
|
#define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
|
|
|
|
static unsigned char client_random[SSL3_RANDOM_SIZE];
|
|
static unsigned char server_random[SSL3_RANDOM_SIZE];
|
|
|
|
/* These are all generated locally, sized purely according to our own whim */
|
|
static unsigned char session_id[32];
|
|
static unsigned char master_secret[48];
|
|
static unsigned char cookie[20];
|
|
|
|
/* We've hard-coded the cipher suite; we know it's 104 bytes */
|
|
static unsigned char key_block[104];
|
|
#define mac_key (key_block + 20)
|
|
#define dec_key (key_block + 40)
|
|
#define enc_key (key_block + 56)
|
|
|
|
static EVP_MD_CTX *handshake_md;
|
|
|
|
static int do_PRF(const void *seed1, int seed1_len,
|
|
const void *seed2, int seed2_len,
|
|
const void *seed3, int seed3_len,
|
|
unsigned char *out, int olen)
|
|
{
|
|
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
|
|
size_t outlen = olen;
|
|
|
|
/* No error handling. If it all screws up, the test will fail anyway */
|
|
EVP_PKEY_derive_init(pctx);
|
|
EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
|
|
EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
|
|
EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
|
|
EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
|
|
EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
|
|
EVP_PKEY_derive(pctx, out, &outlen);
|
|
EVP_PKEY_CTX_free(pctx);
|
|
return 1;
|
|
}
|
|
|
|
static SSL_SESSION *client_session(void)
|
|
{
|
|
static unsigned char session_asn1[] = {
|
|
0x30, 0x5F, /* SEQUENCE, length 0x5F */
|
|
0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */
|
|
0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */
|
|
0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */
|
|
0x04, 0x20, /* OCTET_STRING, session id */
|
|
#define SS_SESSID_OFS 15 /* Session ID goes here */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x04, 0x30, /* OCTET_STRING, master secret */
|
|
#define SS_SECRET_OFS 49 /* Master secret goes here */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
};
|
|
const unsigned char *p = session_asn1;
|
|
|
|
/* Copy the randomly-generated fields into the above ASN1 */
|
|
memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
|
|
memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
|
|
|
|
return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
|
|
}
|
|
|
|
/* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
|
|
static int validate_client_hello(BIO *wbio)
|
|
{
|
|
PACKET pkt, pkt2;
|
|
long len;
|
|
unsigned char *data;
|
|
int cookie_found = 0;
|
|
unsigned int u = 0;
|
|
|
|
if ((len = BIO_get_mem_data(wbio, (char **)&data)) < 0)
|
|
return 0;
|
|
if (!PACKET_buf_init(&pkt, data, len))
|
|
return 0;
|
|
|
|
/* Check record header type */
|
|
if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
|
|
return 0;
|
|
/* Version */
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
|
|
return 0;
|
|
/* Skip the rest of the record header */
|
|
if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
|
|
return 0;
|
|
|
|
/* Check it's a ClientHello */
|
|
if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
|
|
return 0;
|
|
/* Skip the rest of the handshake message header */
|
|
if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
|
|
return 0;
|
|
|
|
/* Check client version */
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
|
|
return 0;
|
|
|
|
/* Store random */
|
|
if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
|
|
return 0;
|
|
|
|
/* Check session id length and content */
|
|
if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
|
|
!PACKET_equal(&pkt2, session_id, sizeof(session_id)))
|
|
return 0;
|
|
|
|
/* Check cookie */
|
|
if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
|
|
return 0;
|
|
if (PACKET_remaining(&pkt2)) {
|
|
if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
|
|
return 0;
|
|
cookie_found = 1;
|
|
}
|
|
|
|
/* Skip ciphers */
|
|
if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
|
|
return 0;
|
|
|
|
/* Skip compression */
|
|
if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
|
|
return 0;
|
|
|
|
/* Skip extensions */
|
|
if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
|
|
return 0;
|
|
|
|
/* Now we are at the end */
|
|
if (PACKET_remaining(&pkt))
|
|
return 0;
|
|
|
|
/* Update handshake MAC for second ClientHello (with cookie) */
|
|
if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
|
|
len - MAC_OFFSET))
|
|
return 0;
|
|
|
|
(void)BIO_reset(wbio);
|
|
|
|
return 1 + cookie_found;
|
|
}
|
|
|
|
static int send_hello_verify(BIO *rbio)
|
|
{
|
|
static unsigned char hello_verify[] = {
|
|
0x16, /* Handshake */
|
|
0x01, 0x00, /* DTLS1_BAD_VER */
|
|
0x00, 0x00, /* Epoch 0 */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
|
|
0x00, 0x23, /* Length */
|
|
0x03, /* Hello Verify */
|
|
0x00, 0x00, 0x17, /* Length */
|
|
0x00, 0x00, /* Seq# 0 */
|
|
0x00, 0x00, 0x00, /* Fragment offset */
|
|
0x00, 0x00, 0x17, /* Fragment length */
|
|
0x01, 0x00, /* DTLS1_BAD_VER */
|
|
0x14, /* Cookie length */
|
|
#define HV_COOKIE_OFS 28 /* Cookie goes here */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00,
|
|
};
|
|
|
|
memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
|
|
|
|
BIO_write(rbio, hello_verify, sizeof(hello_verify));
|
|
|
|
return 1;
|
|
}
|
|
|
|
static int send_server_hello(BIO *rbio)
|
|
{
|
|
static unsigned char server_hello[] = {
|
|
0x16, /* Handshake */
|
|
0x01, 0x00, /* DTLS1_BAD_VER */
|
|
0x00, 0x00, /* Epoch 0 */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
|
|
0x00, 0x52, /* Length */
|
|
0x02, /* Server Hello */
|
|
0x00, 0x00, 0x46, /* Length */
|
|
0x00, 0x01, /* Seq# */
|
|
0x00, 0x00, 0x00, /* Fragment offset */
|
|
0x00, 0x00, 0x46, /* Fragment length */
|
|
0x01, 0x00, /* DTLS1_BAD_VER */
|
|
#define SH_RANDOM_OFS 27 /* Server random goes here */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x20, /* Session ID length */
|
|
#define SH_SESSID_OFS 60 /* Session ID goes here */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x2f, /* Cipher suite AES128-SHA */
|
|
0x00, /* Compression null */
|
|
};
|
|
static unsigned char change_cipher_spec[] = {
|
|
0x14, /* Change Cipher Spec */
|
|
0x01, 0x00, /* DTLS1_BAD_VER */
|
|
0x00, 0x00, /* Epoch 0 */
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
|
|
0x00, 0x03, /* Length */
|
|
0x01, 0x00, 0x02, /* Message */
|
|
};
|
|
|
|
memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
|
|
memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
|
|
|
|
if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
|
|
sizeof(server_hello) - MAC_OFFSET))
|
|
return 0;
|
|
|
|
BIO_write(rbio, server_hello, sizeof(server_hello));
|
|
BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
|
|
|
|
return 1;
|
|
}
|
|
|
|
/* Create header, HMAC, pad, encrypt and send a record */
|
|
static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
|
|
const void *msg, size_t len)
|
|
{
|
|
/* Note that the order of the record header fields on the wire,
|
|
* and in the HMAC, is different. So we just keep them in separate
|
|
* variables and handle them individually. */
|
|
static unsigned char epoch[2] = { 0x00, 0x01 };
|
|
static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
|
|
static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
|
|
unsigned char lenbytes[2];
|
|
EVP_MAC *hmac = NULL;
|
|
EVP_MAC_CTX *ctx = NULL;
|
|
EVP_CIPHER_CTX *enc_ctx = NULL;
|
|
unsigned char iv[16];
|
|
unsigned char pad;
|
|
unsigned char *enc;
|
|
OSSL_PARAM params[2];
|
|
int ret = 0;
|
|
|
|
seq[0] = (seqnr >> 40) & 0xff;
|
|
seq[1] = (seqnr >> 32) & 0xff;
|
|
seq[2] = (seqnr >> 24) & 0xff;
|
|
seq[3] = (seqnr >> 16) & 0xff;
|
|
seq[4] = (seqnr >> 8) & 0xff;
|
|
seq[5] = seqnr & 0xff;
|
|
|
|
pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
|
|
enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
|
|
if (enc == NULL)
|
|
return 0;
|
|
|
|
/* Copy record to encryption buffer */
|
|
memcpy(enc, msg, len);
|
|
|
|
/* Append HMAC to data */
|
|
if (!TEST_ptr(hmac = EVP_MAC_fetch(NULL, "HMAC", NULL))
|
|
|| !TEST_ptr(ctx = EVP_MAC_CTX_new(hmac)))
|
|
goto end;
|
|
params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
|
|
"SHA1", 0);
|
|
params[1] = OSSL_PARAM_construct_end();
|
|
lenbytes[0] = (unsigned char)(len >> 8);
|
|
lenbytes[1] = (unsigned char)(len);
|
|
if (!EVP_MAC_init(ctx, mac_key, 20, params)
|
|
|| !EVP_MAC_update(ctx, epoch, 2)
|
|
|| !EVP_MAC_update(ctx, seq, 6)
|
|
|| !EVP_MAC_update(ctx, &type, 1)
|
|
|| !EVP_MAC_update(ctx, ver, 2) /* Version */
|
|
|| !EVP_MAC_update(ctx, lenbytes, 2) /* Length */
|
|
|| !EVP_MAC_update(ctx, enc, len) /* Finally the data itself */
|
|
|| !EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH))
|
|
goto end;
|
|
|
|
/* Append padding bytes */
|
|
len += SHA_DIGEST_LENGTH;
|
|
do {
|
|
enc[len++] = pad;
|
|
} while (len % 16);
|
|
|
|
/* Generate IV, and encrypt */
|
|
if (!TEST_true(RAND_bytes(iv, sizeof(iv)))
|
|
|| !TEST_ptr(enc_ctx = EVP_CIPHER_CTX_new())
|
|
|| !TEST_true(EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL,
|
|
enc_key, iv, 1))
|
|
|| !TEST_int_ge(EVP_Cipher(enc_ctx, enc, enc, len), 0))
|
|
goto end;
|
|
|
|
/* Finally write header (from fragmented variables), IV and encrypted record */
|
|
BIO_write(rbio, &type, 1);
|
|
BIO_write(rbio, ver, 2);
|
|
BIO_write(rbio, epoch, 2);
|
|
BIO_write(rbio, seq, 6);
|
|
lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
|
|
lenbytes[1] = (unsigned char)(len + sizeof(iv));
|
|
BIO_write(rbio, lenbytes, 2);
|
|
|
|
BIO_write(rbio, iv, sizeof(iv));
|
|
BIO_write(rbio, enc, len);
|
|
ret = 1;
|
|
end:
|
|
EVP_MAC_free(hmac);
|
|
EVP_MAC_CTX_free(ctx);
|
|
EVP_CIPHER_CTX_free(enc_ctx);
|
|
OPENSSL_free(enc);
|
|
return ret;
|
|
}
|
|
|
|
static int send_finished(SSL *s, BIO *rbio)
|
|
{
|
|
static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
|
|
TLS1_FINISH_MAC_LENGTH] = {
|
|
0x14, /* Finished */
|
|
0x00, 0x00, 0x0c, /* Length */
|
|
0x00, 0x03, /* Seq# 3 */
|
|
0x00, 0x00, 0x00, /* Fragment offset */
|
|
0x00, 0x00, 0x0c, /* Fragment length */
|
|
/* Finished MAC (12 bytes) */
|
|
};
|
|
unsigned char handshake_hash[EVP_MAX_MD_SIZE];
|
|
|
|
/* Derive key material */
|
|
do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
|
|
server_random, SSL3_RANDOM_SIZE,
|
|
client_random, SSL3_RANDOM_SIZE,
|
|
key_block, sizeof(key_block));
|
|
|
|
/* Generate Finished MAC */
|
|
if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
|
|
return 0;
|
|
|
|
do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
|
|
handshake_hash, EVP_MD_CTX_size(handshake_md),
|
|
NULL, 0,
|
|
finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
|
|
|
|
return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
|
|
finished_msg, sizeof(finished_msg));
|
|
}
|
|
|
|
static int validate_ccs(BIO *wbio)
|
|
{
|
|
PACKET pkt;
|
|
long len;
|
|
unsigned char *data;
|
|
unsigned int u;
|
|
|
|
len = BIO_get_mem_data(wbio, (char **)&data);
|
|
if (len < 0)
|
|
return 0;
|
|
|
|
if (!PACKET_buf_init(&pkt, data, len))
|
|
return 0;
|
|
|
|
/* Check record header type */
|
|
if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
|
|
return 0;
|
|
/* Version */
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
|
|
return 0;
|
|
/* Skip the rest of the record header */
|
|
if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
|
|
return 0;
|
|
|
|
/* Check ChangeCipherSpec message */
|
|
if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
|
|
return 0;
|
|
/* A DTLS1_BAD_VER ChangeCipherSpec also contains the
|
|
* handshake sequence number (which is 2 here) */
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
|
|
return 0;
|
|
|
|
/* Now check the Finished packet */
|
|
if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
|
|
return 0;
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
|
|
return 0;
|
|
|
|
/* Check epoch is now 1 */
|
|
if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
|
|
return 0;
|
|
|
|
/* That'll do for now. If OpenSSL accepted *our* Finished packet
|
|
* then it's evidently remembered that DTLS1_BAD_VER doesn't
|
|
* include the handshake header in the MAC. There's not a lot of
|
|
* point in implementing decryption here, just to check that it
|
|
* continues to get it right for one more packet. */
|
|
|
|
return 1;
|
|
}
|
|
|
|
#define NODROP(x) { x##UL, 0 }
|
|
#define DROP(x) { x##UL, 1 }
|
|
|
|
static struct {
|
|
uint64_t seq;
|
|
int drop;
|
|
} tests[] = {
|
|
NODROP(1), NODROP(3), NODROP(2),
|
|
NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
|
|
NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
|
|
DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
|
|
NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
|
|
NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
|
|
NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
|
|
NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
|
|
NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
|
|
/* The last test should be NODROP, because a DROP wouldn't get tested. */
|
|
};
|
|
|
|
static int test_bad_dtls(void)
|
|
{
|
|
SSL_SESSION *sess = NULL;
|
|
SSL_CTX *ctx = NULL;
|
|
SSL *con = NULL;
|
|
BIO *rbio = NULL;
|
|
BIO *wbio = NULL;
|
|
time_t now = 0;
|
|
int testresult = 0;
|
|
int ret;
|
|
int i;
|
|
|
|
RAND_bytes(session_id, sizeof(session_id));
|
|
RAND_bytes(master_secret, sizeof(master_secret));
|
|
RAND_bytes(cookie, sizeof(cookie));
|
|
RAND_bytes(server_random + 4, sizeof(server_random) - 4);
|
|
|
|
now = time(NULL);
|
|
memcpy(server_random, &now, sizeof(now));
|
|
|
|
sess = client_session();
|
|
if (!TEST_ptr(sess))
|
|
goto end;
|
|
|
|
handshake_md = EVP_MD_CTX_new();
|
|
if (!TEST_ptr(handshake_md)
|
|
|| !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
|
|
NULL)))
|
|
goto end;
|
|
|
|
ctx = SSL_CTX_new(DTLS_client_method());
|
|
if (!TEST_ptr(ctx)
|
|
|| !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
|
|
|| !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
|
|
|| !TEST_true(SSL_CTX_set_options(ctx,
|
|
SSL_OP_LEGACY_SERVER_CONNECT))
|
|
|| !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
|
|
goto end;
|
|
|
|
con = SSL_new(ctx);
|
|
if (!TEST_ptr(con)
|
|
|| !TEST_true(SSL_set_session(con, sess)))
|
|
goto end;
|
|
SSL_SESSION_free(sess);
|
|
|
|
rbio = BIO_new(BIO_s_mem());
|
|
wbio = BIO_new(BIO_s_mem());
|
|
|
|
if (!TEST_ptr(rbio)
|
|
|| !TEST_ptr(wbio))
|
|
goto end;
|
|
|
|
SSL_set_bio(con, rbio, wbio);
|
|
|
|
if (!TEST_true(BIO_up_ref(rbio))) {
|
|
/*
|
|
* We can't up-ref but we assigned ownership to con, so we shouldn't
|
|
* free in the "end" block
|
|
*/
|
|
rbio = wbio = NULL;
|
|
goto end;
|
|
}
|
|
|
|
if (!TEST_true(BIO_up_ref(wbio))) {
|
|
wbio = NULL;
|
|
goto end;
|
|
}
|
|
|
|
SSL_set_connect_state(con);
|
|
|
|
/* Send initial ClientHello */
|
|
ret = SSL_do_handshake(con);
|
|
if (!TEST_int_le(ret, 0)
|
|
|| !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
|
|
|| !TEST_int_eq(validate_client_hello(wbio), 1)
|
|
|| !TEST_true(send_hello_verify(rbio)))
|
|
goto end;
|
|
|
|
ret = SSL_do_handshake(con);
|
|
if (!TEST_int_le(ret, 0)
|
|
|| !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
|
|
|| !TEST_int_eq(validate_client_hello(wbio), 2)
|
|
|| !TEST_true(send_server_hello(rbio)))
|
|
goto end;
|
|
|
|
ret = SSL_do_handshake(con);
|
|
if (!TEST_int_le(ret, 0)
|
|
|| !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
|
|
|| !TEST_true(send_finished(con, rbio)))
|
|
goto end;
|
|
|
|
ret = SSL_do_handshake(con);
|
|
if (!TEST_int_gt(ret, 0)
|
|
|| !TEST_true(validate_ccs(wbio)))
|
|
goto end;
|
|
|
|
/* While we're here and crafting packets by hand, we might as well do a
|
|
bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
|
|
specific but useful anyway for the general case. It's been broken
|
|
before, and in fact was broken even for a basic 0, 2, 1 test case
|
|
when this test was first added.... */
|
|
for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
|
|
uint64_t recv_buf[2];
|
|
|
|
if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
|
|
&tests[i].seq, sizeof(uint64_t)))) {
|
|
TEST_error("Failed to send data seq #0x%x%08x (%d)\n",
|
|
(unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
|
|
goto end;
|
|
}
|
|
|
|
if (tests[i].drop)
|
|
continue;
|
|
|
|
ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
|
|
if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
|
|
TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n",
|
|
(unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
|
|
goto end;
|
|
}
|
|
if (!TEST_true(recv_buf[0] == tests[i].seq))
|
|
goto end;
|
|
}
|
|
|
|
/* The last test cannot be DROP() */
|
|
if (!TEST_false(tests[i-1].drop))
|
|
goto end;
|
|
|
|
testresult = 1;
|
|
|
|
end:
|
|
BIO_free(rbio);
|
|
BIO_free(wbio);
|
|
SSL_free(con);
|
|
SSL_CTX_free(ctx);
|
|
EVP_MD_CTX_free(handshake_md);
|
|
|
|
return testresult;
|
|
}
|
|
|
|
int setup_tests(void)
|
|
{
|
|
ADD_TEST(test_bad_dtls);
|
|
return 1;
|
|
}
|