]>
Commit | Line | Data |
---|---|---|
16938284 | 1 | /* |
8020d79b | 2 | * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. |
16938284 | 3 | * |
909f1a2e | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
16938284 DW |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * Unit test for Cisco DTLS1_BAD_VER session resume, as used by | |
12 | * AnyConnect VPN protocol. | |
13 | * | |
14 | * This is designed to exercise the code paths in | |
15 | * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c | |
16 | * which have frequently been affected by regressions in DTLS1_BAD_VER | |
17 | * support. | |
18 | * | |
19 | * Note that unlike other SSL tests, we don't test against our own SSL | |
20 | * server method. Firstly because we don't have one; we *only* support | |
21 | * DTLS1_BAD_VER as a client. And secondly because even if that were | |
d68a0eaf | 22 | * fixed up it's the wrong thing to test against - because if changes |
16938284 DW |
23 | * are made in generic DTLS code which don't take DTLS1_BAD_VER into |
24 | * account, there's plenty of scope for making those changes such that | |
25 | * they break *both* the client and the server in the same way. | |
26 | * | |
27 | * So we handle the server side manually. In a session resume there isn't | |
28 | * much to be done anyway. | |
29 | */ | |
30 | #include <string.h> | |
31 | ||
a76ce286 P |
32 | #include <openssl/core_names.h> |
33 | #include <openssl/params.h> | |
16938284 DW |
34 | #include <openssl/opensslconf.h> |
35 | #include <openssl/bio.h> | |
36 | #include <openssl/crypto.h> | |
37 | #include <openssl/evp.h> | |
38 | #include <openssl/ssl.h> | |
39 | #include <openssl/err.h> | |
40 | #include <openssl/rand.h> | |
41 | #include <openssl/kdf.h> | |
0d345f0e | 42 | #include "internal/packet.h" |
176db6dc | 43 | #include "internal/nelem.h" |
829b2b85 MC |
44 | #include "testutil.h" |
45 | ||
16938284 DW |
46 | /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */ |
47 | #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) | |
48 | ||
49 | static unsigned char client_random[SSL3_RANDOM_SIZE]; | |
50 | static unsigned char server_random[SSL3_RANDOM_SIZE]; | |
51 | ||
52 | /* These are all generated locally, sized purely according to our own whim */ | |
53 | static unsigned char session_id[32]; | |
54 | static unsigned char master_secret[48]; | |
55 | static unsigned char cookie[20]; | |
56 | ||
57 | /* We've hard-coded the cipher suite; we know it's 104 bytes */ | |
58 | static unsigned char key_block[104]; | |
59 | #define mac_key (key_block + 20) | |
60 | #define dec_key (key_block + 40) | |
61 | #define enc_key (key_block + 56) | |
62 | ||
63 | static EVP_MD_CTX *handshake_md; | |
64 | ||
65 | static int do_PRF(const void *seed1, int seed1_len, | |
66 | const void *seed2, int seed2_len, | |
67 | const void *seed3, int seed3_len, | |
68 | unsigned char *out, int olen) | |
69 | { | |
70 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); | |
71 | size_t outlen = olen; | |
72 | ||
73 | /* No error handling. If it all screws up, the test will fail anyway */ | |
74 | EVP_PKEY_derive_init(pctx); | |
75 | EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1()); | |
76 | EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret)); | |
77 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len); | |
78 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len); | |
79 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len); | |
80 | EVP_PKEY_derive(pctx, out, &outlen); | |
81 | EVP_PKEY_CTX_free(pctx); | |
82 | return 1; | |
83 | } | |
84 | ||
85 | static SSL_SESSION *client_session(void) | |
86 | { | |
87 | static unsigned char session_asn1[] = { | |
88 | 0x30, 0x5F, /* SEQUENCE, length 0x5F */ | |
89 | 0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */ | |
90 | 0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */ | |
91 | 0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */ | |
92 | 0x04, 0x20, /* OCTET_STRING, session id */ | |
93 | #define SS_SESSID_OFS 15 /* Session ID goes here */ | |
94 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
95 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
96 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
97 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
98 | 0x04, 0x30, /* OCTET_STRING, master secret */ | |
99 | #define SS_SECRET_OFS 49 /* Master secret goes here */ | |
100 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
101 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
102 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
103 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
104 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
105 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
106 | }; | |
107 | const unsigned char *p = session_asn1; | |
108 | ||
109 | /* Copy the randomly-generated fields into the above ASN1 */ | |
110 | memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id)); | |
111 | memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret)); | |
112 | ||
113 | return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1)); | |
114 | } | |
115 | ||
16938284 DW |
116 | /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */ |
117 | static int validate_client_hello(BIO *wbio) | |
118 | { | |
eb633d03 | 119 | PACKET pkt, pkt2; |
16938284 DW |
120 | long len; |
121 | unsigned char *data; | |
122 | int cookie_found = 0; | |
165cc51f | 123 | unsigned int u = 0; |
16938284 | 124 | |
fe10fa75 P |
125 | if ((len = BIO_get_mem_data(wbio, (char **)&data)) < 0) |
126 | return 0; | |
16938284 DW |
127 | if (!PACKET_buf_init(&pkt, data, len)) |
128 | return 0; | |
129 | ||
130 | /* Check record header type */ | |
131 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) | |
132 | return 0; | |
133 | /* Version */ | |
134 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
135 | return 0; | |
136 | /* Skip the rest of the record header */ | |
137 | if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) | |
138 | return 0; | |
139 | ||
140 | /* Check it's a ClientHello */ | |
141 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO) | |
142 | return 0; | |
143 | /* Skip the rest of the handshake message header */ | |
144 | if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1)) | |
145 | return 0; | |
146 | ||
147 | /* Check client version */ | |
148 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
149 | return 0; | |
150 | ||
151 | /* Store random */ | |
152 | if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE)) | |
153 | return 0; | |
154 | ||
155 | /* Check session id length and content */ | |
eb633d03 DW |
156 | if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) || |
157 | !PACKET_equal(&pkt2, session_id, sizeof(session_id))) | |
16938284 DW |
158 | return 0; |
159 | ||
160 | /* Check cookie */ | |
eb633d03 | 161 | if (!PACKET_get_length_prefixed_1(&pkt, &pkt2)) |
16938284 | 162 | return 0; |
eb633d03 DW |
163 | if (PACKET_remaining(&pkt2)) { |
164 | if (!PACKET_equal(&pkt2, cookie, sizeof(cookie))) | |
16938284 DW |
165 | return 0; |
166 | cookie_found = 1; | |
167 | } | |
168 | ||
169 | /* Skip ciphers */ | |
170 | if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
171 | return 0; | |
172 | ||
173 | /* Skip compression */ | |
174 | if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
175 | return 0; | |
176 | ||
177 | /* Skip extensions */ | |
178 | if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
179 | return 0; | |
180 | ||
181 | /* Now we are at the end */ | |
182 | if (PACKET_remaining(&pkt)) | |
183 | return 0; | |
184 | ||
185 | /* Update handshake MAC for second ClientHello (with cookie) */ | |
186 | if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET, | |
187 | len - MAC_OFFSET)) | |
829b2b85 | 188 | return 0; |
16938284 DW |
189 | |
190 | (void)BIO_reset(wbio); | |
191 | ||
192 | return 1 + cookie_found; | |
193 | } | |
194 | ||
195 | static int send_hello_verify(BIO *rbio) | |
196 | { | |
197 | static unsigned char hello_verify[] = { | |
198 | 0x16, /* Handshake */ | |
199 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
200 | 0x00, 0x00, /* Epoch 0 */ | |
201 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */ | |
202 | 0x00, 0x23, /* Length */ | |
203 | 0x03, /* Hello Verify */ | |
204 | 0x00, 0x00, 0x17, /* Length */ | |
205 | 0x00, 0x00, /* Seq# 0 */ | |
206 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
207 | 0x00, 0x00, 0x17, /* Fragment length */ | |
208 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
209 | 0x14, /* Cookie length */ | |
210 | #define HV_COOKIE_OFS 28 /* Cookie goes here */ | |
211 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
212 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
213 | 0x00, 0x00, 0x00, 0x00, | |
214 | }; | |
215 | ||
216 | memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie)); | |
217 | ||
218 | BIO_write(rbio, hello_verify, sizeof(hello_verify)); | |
219 | ||
220 | return 1; | |
221 | } | |
222 | ||
223 | static int send_server_hello(BIO *rbio) | |
224 | { | |
225 | static unsigned char server_hello[] = { | |
226 | 0x16, /* Handshake */ | |
227 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
228 | 0x00, 0x00, /* Epoch 0 */ | |
229 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */ | |
230 | 0x00, 0x52, /* Length */ | |
231 | 0x02, /* Server Hello */ | |
232 | 0x00, 0x00, 0x46, /* Length */ | |
233 | 0x00, 0x01, /* Seq# */ | |
234 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
235 | 0x00, 0x00, 0x46, /* Fragment length */ | |
236 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
237 | #define SH_RANDOM_OFS 27 /* Server random goes here */ | |
238 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
239 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
240 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
241 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
242 | 0x20, /* Session ID length */ | |
243 | #define SH_SESSID_OFS 60 /* Session ID goes here */ | |
244 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
245 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
246 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
247 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
248 | 0x00, 0x2f, /* Cipher suite AES128-SHA */ | |
249 | 0x00, /* Compression null */ | |
250 | }; | |
251 | static unsigned char change_cipher_spec[] = { | |
252 | 0x14, /* Change Cipher Spec */ | |
253 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
254 | 0x00, 0x00, /* Epoch 0 */ | |
255 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */ | |
256 | 0x00, 0x03, /* Length */ | |
257 | 0x01, 0x00, 0x02, /* Message */ | |
258 | }; | |
259 | ||
260 | memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random)); | |
261 | memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id)); | |
262 | ||
263 | if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET, | |
264 | sizeof(server_hello) - MAC_OFFSET)) | |
829b2b85 | 265 | return 0; |
16938284 DW |
266 | |
267 | BIO_write(rbio, server_hello, sizeof(server_hello)); | |
268 | BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec)); | |
269 | ||
270 | return 1; | |
271 | } | |
272 | ||
273 | /* Create header, HMAC, pad, encrypt and send a record */ | |
829b2b85 | 274 | static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr, |
16938284 DW |
275 | const void *msg, size_t len) |
276 | { | |
277 | /* Note that the order of the record header fields on the wire, | |
278 | * and in the HMAC, is different. So we just keep them in separate | |
279 | * variables and handle them individually. */ | |
280 | static unsigned char epoch[2] = { 0x00, 0x01 }; | |
281 | static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; | |
282 | static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */ | |
283 | unsigned char lenbytes[2]; | |
92b3e62f P |
284 | EVP_MAC *hmac = NULL; |
285 | EVP_MAC_CTX *ctx = NULL; | |
3352a4f6 | 286 | EVP_CIPHER_CTX *enc_ctx = NULL; |
16938284 DW |
287 | unsigned char iv[16]; |
288 | unsigned char pad; | |
289 | unsigned char *enc; | |
77e4ae58 | 290 | OSSL_PARAM params[2]; |
3352a4f6 | 291 | int ret = 0; |
16938284 | 292 | |
16938284 DW |
293 | seq[0] = (seqnr >> 40) & 0xff; |
294 | seq[1] = (seqnr >> 32) & 0xff; | |
16938284 DW |
295 | seq[2] = (seqnr >> 24) & 0xff; |
296 | seq[3] = (seqnr >> 16) & 0xff; | |
297 | seq[4] = (seqnr >> 8) & 0xff; | |
298 | seq[5] = seqnr & 0xff; | |
299 | ||
300 | pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16); | |
301 | enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad); | |
302 | if (enc == NULL) | |
303 | return 0; | |
304 | ||
305 | /* Copy record to encryption buffer */ | |
306 | memcpy(enc, msg, len); | |
307 | ||
308 | /* Append HMAC to data */ | |
92b3e62f P |
309 | if (!TEST_ptr(hmac = EVP_MAC_fetch(NULL, "HMAC", NULL)) |
310 | || !TEST_ptr(ctx = EVP_MAC_CTX_new(hmac))) | |
311 | goto end; | |
a76ce286 P |
312 | params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, |
313 | "SHA1", 0); | |
77e4ae58 | 314 | params[1] = OSSL_PARAM_construct_end(); |
3a63c0ed AP |
315 | lenbytes[0] = (unsigned char)(len >> 8); |
316 | lenbytes[1] = (unsigned char)(len); | |
3352a4f6 P |
317 | if (!EVP_MAC_init(ctx, mac_key, 20, params) |
318 | || !EVP_MAC_update(ctx, epoch, 2) | |
319 | || !EVP_MAC_update(ctx, seq, 6) | |
320 | || !EVP_MAC_update(ctx, &type, 1) | |
321 | || !EVP_MAC_update(ctx, ver, 2) /* Version */ | |
322 | || !EVP_MAC_update(ctx, lenbytes, 2) /* Length */ | |
323 | || !EVP_MAC_update(ctx, enc, len) /* Finally the data itself */ | |
324 | || !EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH)) | |
325 | goto end; | |
16938284 DW |
326 | |
327 | /* Append padding bytes */ | |
328 | len += SHA_DIGEST_LENGTH; | |
329 | do { | |
330 | enc[len++] = pad; | |
331 | } while (len % 16); | |
332 | ||
333 | /* Generate IV, and encrypt */ | |
3352a4f6 P |
334 | if (!TEST_true(RAND_bytes(iv, sizeof(iv))) |
335 | || !TEST_ptr(enc_ctx = EVP_CIPHER_CTX_new()) | |
336 | || !TEST_true(EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, | |
337 | enc_key, iv, 1)) | |
338 | || !TEST_int_ge(EVP_Cipher(enc_ctx, enc, enc, len), 0)) | |
339 | goto end; | |
16938284 DW |
340 | |
341 | /* Finally write header (from fragmented variables), IV and encrypted record */ | |
342 | BIO_write(rbio, &type, 1); | |
343 | BIO_write(rbio, ver, 2); | |
344 | BIO_write(rbio, epoch, 2); | |
345 | BIO_write(rbio, seq, 6); | |
3a63c0ed AP |
346 | lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8); |
347 | lenbytes[1] = (unsigned char)(len + sizeof(iv)); | |
16938284 DW |
348 | BIO_write(rbio, lenbytes, 2); |
349 | ||
350 | BIO_write(rbio, iv, sizeof(iv)); | |
351 | BIO_write(rbio, enc, len); | |
3352a4f6 P |
352 | ret = 1; |
353 | end: | |
92b3e62f | 354 | EVP_MAC_free(hmac); |
3352a4f6 P |
355 | EVP_MAC_CTX_free(ctx); |
356 | EVP_CIPHER_CTX_free(enc_ctx); | |
16938284 | 357 | OPENSSL_free(enc); |
3352a4f6 | 358 | return ret; |
16938284 DW |
359 | } |
360 | ||
361 | static int send_finished(SSL *s, BIO *rbio) | |
362 | { | |
363 | static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH + | |
364 | TLS1_FINISH_MAC_LENGTH] = { | |
365 | 0x14, /* Finished */ | |
366 | 0x00, 0x00, 0x0c, /* Length */ | |
367 | 0x00, 0x03, /* Seq# 3 */ | |
368 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
369 | 0x00, 0x00, 0x0c, /* Fragment length */ | |
370 | /* Finished MAC (12 bytes) */ | |
371 | }; | |
372 | unsigned char handshake_hash[EVP_MAX_MD_SIZE]; | |
373 | ||
374 | /* Derive key material */ | |
375 | do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, | |
376 | server_random, SSL3_RANDOM_SIZE, | |
377 | client_random, SSL3_RANDOM_SIZE, | |
378 | key_block, sizeof(key_block)); | |
379 | ||
380 | /* Generate Finished MAC */ | |
381 | if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL)) | |
829b2b85 | 382 | return 0; |
16938284 DW |
383 | |
384 | do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
385 | handshake_hash, EVP_MD_CTX_size(handshake_md), | |
386 | NULL, 0, | |
387 | finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH); | |
388 | ||
389 | return send_record(rbio, SSL3_RT_HANDSHAKE, 0, | |
390 | finished_msg, sizeof(finished_msg)); | |
391 | } | |
392 | ||
393 | static int validate_ccs(BIO *wbio) | |
394 | { | |
395 | PACKET pkt; | |
396 | long len; | |
397 | unsigned char *data; | |
398 | unsigned int u; | |
399 | ||
400 | len = BIO_get_mem_data(wbio, (char **)&data); | |
fe10fa75 P |
401 | if (len < 0) |
402 | return 0; | |
403 | ||
16938284 DW |
404 | if (!PACKET_buf_init(&pkt, data, len)) |
405 | return 0; | |
406 | ||
407 | /* Check record header type */ | |
408 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC) | |
409 | return 0; | |
410 | /* Version */ | |
411 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
412 | return 0; | |
413 | /* Skip the rest of the record header */ | |
414 | if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) | |
415 | return 0; | |
416 | ||
417 | /* Check ChangeCipherSpec message */ | |
418 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS) | |
419 | return 0; | |
420 | /* A DTLS1_BAD_VER ChangeCipherSpec also contains the | |
421 | * handshake sequence number (which is 2 here) */ | |
422 | if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002) | |
423 | return 0; | |
424 | ||
425 | /* Now check the Finished packet */ | |
426 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) | |
427 | return 0; | |
428 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
429 | return 0; | |
430 | ||
431 | /* Check epoch is now 1 */ | |
432 | if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001) | |
433 | return 0; | |
434 | ||
435 | /* That'll do for now. If OpenSSL accepted *our* Finished packet | |
436 | * then it's evidently remembered that DTLS1_BAD_VER doesn't | |
437 | * include the handshake header in the MAC. There's not a lot of | |
438 | * point in implementing decryption here, just to check that it | |
439 | * continues to get it right for one more packet. */ | |
440 | ||
441 | return 1; | |
442 | } | |
443 | ||
444 | #define NODROP(x) { x##UL, 0 } | |
445 | #define DROP(x) { x##UL, 1 } | |
446 | ||
447 | static struct { | |
829b2b85 | 448 | uint64_t seq; |
16938284 DW |
449 | int drop; |
450 | } tests[] = { | |
451 | NODROP(1), NODROP(3), NODROP(2), | |
452 | NODROP(0x1234), NODROP(0x1230), NODROP(0x1235), | |
453 | NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000), | |
454 | DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1), | |
455 | NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010), | |
456 | NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012), | |
457 | NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001), | |
458 | NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff), | |
459 | NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000) | |
460 | /* The last test should be NODROP, because a DROP wouldn't get tested. */ | |
461 | }; | |
462 | ||
829b2b85 | 463 | static int test_bad_dtls(void) |
16938284 | 464 | { |
829b2b85 MC |
465 | SSL_SESSION *sess = NULL; |
466 | SSL_CTX *ctx = NULL; | |
467 | SSL *con = NULL; | |
468 | BIO *rbio = NULL; | |
469 | BIO *wbio = NULL; | |
af5883fe | 470 | time_t now = 0; |
16938284 DW |
471 | int testresult = 0; |
472 | int ret; | |
473 | int i; | |
474 | ||
16938284 DW |
475 | RAND_bytes(session_id, sizeof(session_id)); |
476 | RAND_bytes(master_secret, sizeof(master_secret)); | |
477 | RAND_bytes(cookie, sizeof(cookie)); | |
478 | RAND_bytes(server_random + 4, sizeof(server_random) - 4); | |
af5883fe MK |
479 | |
480 | now = time(NULL); | |
481 | memcpy(server_random, &now, sizeof(now)); | |
16938284 DW |
482 | |
483 | sess = client_session(); | |
829b2b85 | 484 | if (!TEST_ptr(sess)) |
16938284 | 485 | goto end; |
16938284 DW |
486 | |
487 | handshake_md = EVP_MD_CTX_new(); | |
829b2b85 MC |
488 | if (!TEST_ptr(handshake_md) |
489 | || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), | |
490 | NULL))) | |
16938284 | 491 | goto end; |
16938284 DW |
492 | |
493 | ctx = SSL_CTX_new(DTLS_client_method()); | |
829b2b85 MC |
494 | if (!TEST_ptr(ctx) |
495 | || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) | |
496 | || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) | |
6c0ac9b9 BK |
497 | || !TEST_true(SSL_CTX_set_options(ctx, |
498 | SSL_OP_LEGACY_SERVER_CONNECT)) | |
829b2b85 MC |
499 | || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))) |
500 | goto end; | |
16938284 DW |
501 | |
502 | con = SSL_new(ctx); | |
829b2b85 MC |
503 | if (!TEST_ptr(con) |
504 | || !TEST_true(SSL_set_session(con, sess))) | |
505 | goto end; | |
16938284 DW |
506 | SSL_SESSION_free(sess); |
507 | ||
508 | rbio = BIO_new(BIO_s_mem()); | |
509 | wbio = BIO_new(BIO_s_mem()); | |
510 | ||
829b2b85 MC |
511 | if (!TEST_ptr(rbio) |
512 | || !TEST_ptr(wbio)) | |
513 | goto end; | |
16938284 DW |
514 | |
515 | SSL_set_bio(con, rbio, wbio); | |
829b2b85 MC |
516 | |
517 | if (!TEST_true(BIO_up_ref(rbio))) { | |
518 | /* | |
519 | * We can't up-ref but we assigned ownership to con, so we shouldn't | |
520 | * free in the "end" block | |
521 | */ | |
522 | rbio = wbio = NULL; | |
523 | goto end; | |
524 | } | |
525 | ||
526 | if (!TEST_true(BIO_up_ref(wbio))) { | |
527 | wbio = NULL; | |
528 | goto end; | |
529 | } | |
530 | ||
16938284 DW |
531 | SSL_set_connect_state(con); |
532 | ||
533 | /* Send initial ClientHello */ | |
534 | ret = SSL_do_handshake(con); | |
829b2b85 MC |
535 | if (!TEST_int_le(ret, 0) |
536 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
537 | || !TEST_int_eq(validate_client_hello(wbio), 1) | |
538 | || !TEST_true(send_hello_verify(rbio))) | |
539 | goto end; | |
16938284 | 540 | |
16938284 | 541 | ret = SSL_do_handshake(con); |
829b2b85 MC |
542 | if (!TEST_int_le(ret, 0) |
543 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
544 | || !TEST_int_eq(validate_client_hello(wbio), 2) | |
545 | || !TEST_true(send_server_hello(rbio))) | |
546 | goto end; | |
547 | ||
16938284 | 548 | ret = SSL_do_handshake(con); |
829b2b85 MC |
549 | if (!TEST_int_le(ret, 0) |
550 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
551 | || !TEST_true(send_finished(con, rbio))) | |
552 | goto end; | |
553 | ||
16938284 | 554 | ret = SSL_do_handshake(con); |
829b2b85 MC |
555 | if (!TEST_int_gt(ret, 0) |
556 | || !TEST_true(validate_ccs(wbio))) | |
557 | goto end; | |
16938284 DW |
558 | |
559 | /* While we're here and crafting packets by hand, we might as well do a | |
560 | bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS | |
561 | specific but useful anyway for the general case. It's been broken | |
562 | before, and in fact was broken even for a basic 0, 2, 1 test case | |
563 | when this test was first added.... */ | |
564 | for (i = 0; i < (int)OSSL_NELEM(tests); i++) { | |
829b2b85 | 565 | uint64_t recv_buf[2]; |
16938284 | 566 | |
829b2b85 MC |
567 | if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq, |
568 | &tests[i].seq, sizeof(uint64_t)))) { | |
d1186c30 TS |
569 | TEST_error("Failed to send data seq #0x%x%08x (%d)\n", |
570 | (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); | |
829b2b85 | 571 | goto end; |
16938284 DW |
572 | } |
573 | ||
574 | if (tests[i].drop) | |
575 | continue; | |
576 | ||
829b2b85 MC |
577 | ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t)); |
578 | if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) { | |
d1186c30 TS |
579 | TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n", |
580 | (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); | |
829b2b85 | 581 | goto end; |
16938284 | 582 | } |
829b2b85 MC |
583 | if (!TEST_true(recv_buf[0] == tests[i].seq)) |
584 | goto end; | |
16938284 | 585 | } |
16938284 | 586 | |
829b2b85 MC |
587 | /* The last test cannot be DROP() */ |
588 | if (!TEST_false(tests[i-1].drop)) | |
589 | goto end; | |
590 | ||
591 | testresult = 1; | |
592 | ||
593 | end: | |
594 | BIO_free(rbio); | |
595 | BIO_free(wbio); | |
16938284 | 596 | SSL_free(con); |
16938284 | 597 | SSL_CTX_free(ctx); |
16938284 | 598 | EVP_MD_CTX_free(handshake_md); |
16938284 | 599 | |
829b2b85 MC |
600 | return testresult; |
601 | } | |
16938284 | 602 | |
ad887416 | 603 | int setup_tests(void) |
829b2b85 MC |
604 | { |
605 | ADD_TEST(test_bad_dtls); | |
ad887416 | 606 | return 1; |
16938284 | 607 | } |