]>
Commit | Line | Data |
---|---|---|
16938284 | 1 | /* |
33388b44 | 2 | * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. |
16938284 | 3 | * |
909f1a2e | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
16938284 DW |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
8 | */ | |
9 | ||
10 | /* | |
11 | * Unit test for Cisco DTLS1_BAD_VER session resume, as used by | |
12 | * AnyConnect VPN protocol. | |
13 | * | |
14 | * This is designed to exercise the code paths in | |
15 | * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c | |
16 | * which have frequently been affected by regressions in DTLS1_BAD_VER | |
17 | * support. | |
18 | * | |
19 | * Note that unlike other SSL tests, we don't test against our own SSL | |
20 | * server method. Firstly because we don't have one; we *only* support | |
21 | * DTLS1_BAD_VER as a client. And secondly because even if that were | |
d68a0eaf | 22 | * fixed up it's the wrong thing to test against - because if changes |
16938284 DW |
23 | * are made in generic DTLS code which don't take DTLS1_BAD_VER into |
24 | * account, there's plenty of scope for making those changes such that | |
25 | * they break *both* the client and the server in the same way. | |
26 | * | |
27 | * So we handle the server side manually. In a session resume there isn't | |
28 | * much to be done anyway. | |
29 | */ | |
30 | #include <string.h> | |
31 | ||
a76ce286 P |
32 | #include <openssl/core_names.h> |
33 | #include <openssl/params.h> | |
16938284 DW |
34 | #include <openssl/opensslconf.h> |
35 | #include <openssl/bio.h> | |
36 | #include <openssl/crypto.h> | |
37 | #include <openssl/evp.h> | |
38 | #include <openssl/ssl.h> | |
39 | #include <openssl/err.h> | |
40 | #include <openssl/rand.h> | |
41 | #include <openssl/kdf.h> | |
0d345f0e | 42 | #include "internal/packet.h" |
176db6dc | 43 | #include "internal/nelem.h" |
829b2b85 MC |
44 | #include "testutil.h" |
45 | ||
16938284 DW |
46 | /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */ |
47 | #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) | |
48 | ||
49 | static unsigned char client_random[SSL3_RANDOM_SIZE]; | |
50 | static unsigned char server_random[SSL3_RANDOM_SIZE]; | |
51 | ||
52 | /* These are all generated locally, sized purely according to our own whim */ | |
53 | static unsigned char session_id[32]; | |
54 | static unsigned char master_secret[48]; | |
55 | static unsigned char cookie[20]; | |
56 | ||
57 | /* We've hard-coded the cipher suite; we know it's 104 bytes */ | |
58 | static unsigned char key_block[104]; | |
59 | #define mac_key (key_block + 20) | |
60 | #define dec_key (key_block + 40) | |
61 | #define enc_key (key_block + 56) | |
62 | ||
63 | static EVP_MD_CTX *handshake_md; | |
64 | ||
65 | static int do_PRF(const void *seed1, int seed1_len, | |
66 | const void *seed2, int seed2_len, | |
67 | const void *seed3, int seed3_len, | |
68 | unsigned char *out, int olen) | |
69 | { | |
70 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); | |
71 | size_t outlen = olen; | |
72 | ||
73 | /* No error handling. If it all screws up, the test will fail anyway */ | |
74 | EVP_PKEY_derive_init(pctx); | |
75 | EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1()); | |
76 | EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret)); | |
77 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len); | |
78 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len); | |
79 | EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len); | |
80 | EVP_PKEY_derive(pctx, out, &outlen); | |
81 | EVP_PKEY_CTX_free(pctx); | |
82 | return 1; | |
83 | } | |
84 | ||
85 | static SSL_SESSION *client_session(void) | |
86 | { | |
87 | static unsigned char session_asn1[] = { | |
88 | 0x30, 0x5F, /* SEQUENCE, length 0x5F */ | |
89 | 0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */ | |
90 | 0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */ | |
91 | 0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */ | |
92 | 0x04, 0x20, /* OCTET_STRING, session id */ | |
93 | #define SS_SESSID_OFS 15 /* Session ID goes here */ | |
94 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
95 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
96 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
97 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
98 | 0x04, 0x30, /* OCTET_STRING, master secret */ | |
99 | #define SS_SECRET_OFS 49 /* Master secret goes here */ | |
100 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
101 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
102 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
103 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
104 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
105 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
106 | }; | |
107 | const unsigned char *p = session_asn1; | |
108 | ||
109 | /* Copy the randomly-generated fields into the above ASN1 */ | |
110 | memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id)); | |
111 | memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret)); | |
112 | ||
113 | return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1)); | |
114 | } | |
115 | ||
16938284 DW |
116 | /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */ |
117 | static int validate_client_hello(BIO *wbio) | |
118 | { | |
eb633d03 | 119 | PACKET pkt, pkt2; |
16938284 DW |
120 | long len; |
121 | unsigned char *data; | |
122 | int cookie_found = 0; | |
165cc51f | 123 | unsigned int u = 0; |
16938284 DW |
124 | |
125 | len = BIO_get_mem_data(wbio, (char **)&data); | |
126 | if (!PACKET_buf_init(&pkt, data, len)) | |
127 | return 0; | |
128 | ||
129 | /* Check record header type */ | |
130 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) | |
131 | return 0; | |
132 | /* Version */ | |
133 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
134 | return 0; | |
135 | /* Skip the rest of the record header */ | |
136 | if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) | |
137 | return 0; | |
138 | ||
139 | /* Check it's a ClientHello */ | |
140 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO) | |
141 | return 0; | |
142 | /* Skip the rest of the handshake message header */ | |
143 | if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1)) | |
144 | return 0; | |
145 | ||
146 | /* Check client version */ | |
147 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
148 | return 0; | |
149 | ||
150 | /* Store random */ | |
151 | if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE)) | |
152 | return 0; | |
153 | ||
154 | /* Check session id length and content */ | |
eb633d03 DW |
155 | if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) || |
156 | !PACKET_equal(&pkt2, session_id, sizeof(session_id))) | |
16938284 DW |
157 | return 0; |
158 | ||
159 | /* Check cookie */ | |
eb633d03 | 160 | if (!PACKET_get_length_prefixed_1(&pkt, &pkt2)) |
16938284 | 161 | return 0; |
eb633d03 DW |
162 | if (PACKET_remaining(&pkt2)) { |
163 | if (!PACKET_equal(&pkt2, cookie, sizeof(cookie))) | |
16938284 DW |
164 | return 0; |
165 | cookie_found = 1; | |
166 | } | |
167 | ||
168 | /* Skip ciphers */ | |
169 | if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
170 | return 0; | |
171 | ||
172 | /* Skip compression */ | |
173 | if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
174 | return 0; | |
175 | ||
176 | /* Skip extensions */ | |
177 | if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) | |
178 | return 0; | |
179 | ||
180 | /* Now we are at the end */ | |
181 | if (PACKET_remaining(&pkt)) | |
182 | return 0; | |
183 | ||
184 | /* Update handshake MAC for second ClientHello (with cookie) */ | |
185 | if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET, | |
186 | len - MAC_OFFSET)) | |
829b2b85 | 187 | return 0; |
16938284 DW |
188 | |
189 | (void)BIO_reset(wbio); | |
190 | ||
191 | return 1 + cookie_found; | |
192 | } | |
193 | ||
194 | static int send_hello_verify(BIO *rbio) | |
195 | { | |
196 | static unsigned char hello_verify[] = { | |
197 | 0x16, /* Handshake */ | |
198 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
199 | 0x00, 0x00, /* Epoch 0 */ | |
200 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */ | |
201 | 0x00, 0x23, /* Length */ | |
202 | 0x03, /* Hello Verify */ | |
203 | 0x00, 0x00, 0x17, /* Length */ | |
204 | 0x00, 0x00, /* Seq# 0 */ | |
205 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
206 | 0x00, 0x00, 0x17, /* Fragment length */ | |
207 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
208 | 0x14, /* Cookie length */ | |
209 | #define HV_COOKIE_OFS 28 /* Cookie goes here */ | |
210 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
211 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
212 | 0x00, 0x00, 0x00, 0x00, | |
213 | }; | |
214 | ||
215 | memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie)); | |
216 | ||
217 | BIO_write(rbio, hello_verify, sizeof(hello_verify)); | |
218 | ||
219 | return 1; | |
220 | } | |
221 | ||
222 | static int send_server_hello(BIO *rbio) | |
223 | { | |
224 | static unsigned char server_hello[] = { | |
225 | 0x16, /* Handshake */ | |
226 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
227 | 0x00, 0x00, /* Epoch 0 */ | |
228 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */ | |
229 | 0x00, 0x52, /* Length */ | |
230 | 0x02, /* Server Hello */ | |
231 | 0x00, 0x00, 0x46, /* Length */ | |
232 | 0x00, 0x01, /* Seq# */ | |
233 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
234 | 0x00, 0x00, 0x46, /* Fragment length */ | |
235 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
236 | #define SH_RANDOM_OFS 27 /* Server random goes here */ | |
237 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
238 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
239 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
240 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
241 | 0x20, /* Session ID length */ | |
242 | #define SH_SESSID_OFS 60 /* Session ID goes here */ | |
243 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
244 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
245 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
246 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
247 | 0x00, 0x2f, /* Cipher suite AES128-SHA */ | |
248 | 0x00, /* Compression null */ | |
249 | }; | |
250 | static unsigned char change_cipher_spec[] = { | |
251 | 0x14, /* Change Cipher Spec */ | |
252 | 0x01, 0x00, /* DTLS1_BAD_VER */ | |
253 | 0x00, 0x00, /* Epoch 0 */ | |
254 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */ | |
255 | 0x00, 0x03, /* Length */ | |
256 | 0x01, 0x00, 0x02, /* Message */ | |
257 | }; | |
258 | ||
259 | memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random)); | |
260 | memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id)); | |
261 | ||
262 | if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET, | |
263 | sizeof(server_hello) - MAC_OFFSET)) | |
829b2b85 | 264 | return 0; |
16938284 DW |
265 | |
266 | BIO_write(rbio, server_hello, sizeof(server_hello)); | |
267 | BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec)); | |
268 | ||
269 | return 1; | |
270 | } | |
271 | ||
272 | /* Create header, HMAC, pad, encrypt and send a record */ | |
829b2b85 | 273 | static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr, |
16938284 DW |
274 | const void *msg, size_t len) |
275 | { | |
276 | /* Note that the order of the record header fields on the wire, | |
277 | * and in the HMAC, is different. So we just keep them in separate | |
278 | * variables and handle them individually. */ | |
279 | static unsigned char epoch[2] = { 0x00, 0x01 }; | |
280 | static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; | |
281 | static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */ | |
282 | unsigned char lenbytes[2]; | |
a76ce286 P |
283 | EVP_MAC *hmac; |
284 | EVP_MAC_CTX *ctx; | |
16938284 DW |
285 | EVP_CIPHER_CTX *enc_ctx; |
286 | unsigned char iv[16]; | |
287 | unsigned char pad; | |
288 | unsigned char *enc; | |
a76ce286 | 289 | OSSL_PARAM params[3]; |
16938284 | 290 | |
16938284 DW |
291 | seq[0] = (seqnr >> 40) & 0xff; |
292 | seq[1] = (seqnr >> 32) & 0xff; | |
16938284 DW |
293 | seq[2] = (seqnr >> 24) & 0xff; |
294 | seq[3] = (seqnr >> 16) & 0xff; | |
295 | seq[4] = (seqnr >> 8) & 0xff; | |
296 | seq[5] = seqnr & 0xff; | |
297 | ||
298 | pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16); | |
299 | enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad); | |
300 | if (enc == NULL) | |
301 | return 0; | |
302 | ||
303 | /* Copy record to encryption buffer */ | |
304 | memcpy(enc, msg, len); | |
305 | ||
306 | /* Append HMAC to data */ | |
a76ce286 | 307 | hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); |
d9c2fd51 | 308 | ctx = EVP_MAC_new_ctx(hmac); |
a76ce286 P |
309 | EVP_MAC_free(hmac); |
310 | params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, | |
311 | "SHA1", 0); | |
312 | params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, | |
313 | mac_key, 20); | |
314 | params[2] = OSSL_PARAM_construct_end(); | |
d9c2fd51 | 315 | EVP_MAC_set_ctx_params(ctx, params); |
a76ce286 P |
316 | EVP_MAC_init(ctx); |
317 | EVP_MAC_update(ctx, epoch, 2); | |
318 | EVP_MAC_update(ctx, seq, 6); | |
319 | EVP_MAC_update(ctx, &type, 1); | |
320 | EVP_MAC_update(ctx, ver, 2); /* Version */ | |
3a63c0ed AP |
321 | lenbytes[0] = (unsigned char)(len >> 8); |
322 | lenbytes[1] = (unsigned char)(len); | |
a76ce286 P |
323 | EVP_MAC_update(ctx, lenbytes, 2); /* Length */ |
324 | EVP_MAC_update(ctx, enc, len); /* Finally the data itself */ | |
325 | EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH); | |
d9c2fd51 | 326 | EVP_MAC_free_ctx(ctx); |
16938284 DW |
327 | |
328 | /* Append padding bytes */ | |
329 | len += SHA_DIGEST_LENGTH; | |
330 | do { | |
331 | enc[len++] = pad; | |
332 | } while (len % 16); | |
333 | ||
334 | /* Generate IV, and encrypt */ | |
335 | RAND_bytes(iv, sizeof(iv)); | |
336 | enc_ctx = EVP_CIPHER_CTX_new(); | |
337 | EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1); | |
338 | EVP_Cipher(enc_ctx, enc, enc, len); | |
339 | EVP_CIPHER_CTX_free(enc_ctx); | |
340 | ||
341 | /* Finally write header (from fragmented variables), IV and encrypted record */ | |
342 | BIO_write(rbio, &type, 1); | |
343 | BIO_write(rbio, ver, 2); | |
344 | BIO_write(rbio, epoch, 2); | |
345 | BIO_write(rbio, seq, 6); | |
3a63c0ed AP |
346 | lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8); |
347 | lenbytes[1] = (unsigned char)(len + sizeof(iv)); | |
16938284 DW |
348 | BIO_write(rbio, lenbytes, 2); |
349 | ||
350 | BIO_write(rbio, iv, sizeof(iv)); | |
351 | BIO_write(rbio, enc, len); | |
352 | ||
353 | OPENSSL_free(enc); | |
354 | return 1; | |
355 | } | |
356 | ||
357 | static int send_finished(SSL *s, BIO *rbio) | |
358 | { | |
359 | static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH + | |
360 | TLS1_FINISH_MAC_LENGTH] = { | |
361 | 0x14, /* Finished */ | |
362 | 0x00, 0x00, 0x0c, /* Length */ | |
363 | 0x00, 0x03, /* Seq# 3 */ | |
364 | 0x00, 0x00, 0x00, /* Fragment offset */ | |
365 | 0x00, 0x00, 0x0c, /* Fragment length */ | |
366 | /* Finished MAC (12 bytes) */ | |
367 | }; | |
368 | unsigned char handshake_hash[EVP_MAX_MD_SIZE]; | |
369 | ||
370 | /* Derive key material */ | |
371 | do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, | |
372 | server_random, SSL3_RANDOM_SIZE, | |
373 | client_random, SSL3_RANDOM_SIZE, | |
374 | key_block, sizeof(key_block)); | |
375 | ||
376 | /* Generate Finished MAC */ | |
377 | if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL)) | |
829b2b85 | 378 | return 0; |
16938284 DW |
379 | |
380 | do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, | |
381 | handshake_hash, EVP_MD_CTX_size(handshake_md), | |
382 | NULL, 0, | |
383 | finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH); | |
384 | ||
385 | return send_record(rbio, SSL3_RT_HANDSHAKE, 0, | |
386 | finished_msg, sizeof(finished_msg)); | |
387 | } | |
388 | ||
389 | static int validate_ccs(BIO *wbio) | |
390 | { | |
391 | PACKET pkt; | |
392 | long len; | |
393 | unsigned char *data; | |
394 | unsigned int u; | |
395 | ||
396 | len = BIO_get_mem_data(wbio, (char **)&data); | |
397 | if (!PACKET_buf_init(&pkt, data, len)) | |
398 | return 0; | |
399 | ||
400 | /* Check record header type */ | |
401 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC) | |
402 | return 0; | |
403 | /* Version */ | |
404 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
405 | return 0; | |
406 | /* Skip the rest of the record header */ | |
407 | if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) | |
408 | return 0; | |
409 | ||
410 | /* Check ChangeCipherSpec message */ | |
411 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS) | |
412 | return 0; | |
413 | /* A DTLS1_BAD_VER ChangeCipherSpec also contains the | |
414 | * handshake sequence number (which is 2 here) */ | |
415 | if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002) | |
416 | return 0; | |
417 | ||
418 | /* Now check the Finished packet */ | |
419 | if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) | |
420 | return 0; | |
421 | if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) | |
422 | return 0; | |
423 | ||
424 | /* Check epoch is now 1 */ | |
425 | if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001) | |
426 | return 0; | |
427 | ||
428 | /* That'll do for now. If OpenSSL accepted *our* Finished packet | |
429 | * then it's evidently remembered that DTLS1_BAD_VER doesn't | |
430 | * include the handshake header in the MAC. There's not a lot of | |
431 | * point in implementing decryption here, just to check that it | |
432 | * continues to get it right for one more packet. */ | |
433 | ||
434 | return 1; | |
435 | } | |
436 | ||
437 | #define NODROP(x) { x##UL, 0 } | |
438 | #define DROP(x) { x##UL, 1 } | |
439 | ||
440 | static struct { | |
829b2b85 | 441 | uint64_t seq; |
16938284 DW |
442 | int drop; |
443 | } tests[] = { | |
444 | NODROP(1), NODROP(3), NODROP(2), | |
445 | NODROP(0x1234), NODROP(0x1230), NODROP(0x1235), | |
446 | NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000), | |
447 | DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1), | |
448 | NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010), | |
449 | NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012), | |
450 | NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001), | |
451 | NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff), | |
452 | NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000) | |
453 | /* The last test should be NODROP, because a DROP wouldn't get tested. */ | |
454 | }; | |
455 | ||
829b2b85 | 456 | static int test_bad_dtls(void) |
16938284 | 457 | { |
829b2b85 MC |
458 | SSL_SESSION *sess = NULL; |
459 | SSL_CTX *ctx = NULL; | |
460 | SSL *con = NULL; | |
461 | BIO *rbio = NULL; | |
462 | BIO *wbio = NULL; | |
af5883fe | 463 | time_t now = 0; |
16938284 DW |
464 | int testresult = 0; |
465 | int ret; | |
466 | int i; | |
467 | ||
16938284 DW |
468 | RAND_bytes(session_id, sizeof(session_id)); |
469 | RAND_bytes(master_secret, sizeof(master_secret)); | |
470 | RAND_bytes(cookie, sizeof(cookie)); | |
471 | RAND_bytes(server_random + 4, sizeof(server_random) - 4); | |
af5883fe MK |
472 | |
473 | now = time(NULL); | |
474 | memcpy(server_random, &now, sizeof(now)); | |
16938284 DW |
475 | |
476 | sess = client_session(); | |
829b2b85 | 477 | if (!TEST_ptr(sess)) |
16938284 | 478 | goto end; |
16938284 DW |
479 | |
480 | handshake_md = EVP_MD_CTX_new(); | |
829b2b85 MC |
481 | if (!TEST_ptr(handshake_md) |
482 | || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), | |
483 | NULL))) | |
16938284 | 484 | goto end; |
16938284 DW |
485 | |
486 | ctx = SSL_CTX_new(DTLS_client_method()); | |
829b2b85 MC |
487 | if (!TEST_ptr(ctx) |
488 | || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) | |
489 | || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) | |
490 | || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))) | |
491 | goto end; | |
16938284 DW |
492 | |
493 | con = SSL_new(ctx); | |
829b2b85 MC |
494 | if (!TEST_ptr(con) |
495 | || !TEST_true(SSL_set_session(con, sess))) | |
496 | goto end; | |
16938284 DW |
497 | SSL_SESSION_free(sess); |
498 | ||
499 | rbio = BIO_new(BIO_s_mem()); | |
500 | wbio = BIO_new(BIO_s_mem()); | |
501 | ||
829b2b85 MC |
502 | if (!TEST_ptr(rbio) |
503 | || !TEST_ptr(wbio)) | |
504 | goto end; | |
16938284 DW |
505 | |
506 | SSL_set_bio(con, rbio, wbio); | |
829b2b85 MC |
507 | |
508 | if (!TEST_true(BIO_up_ref(rbio))) { | |
509 | /* | |
510 | * We can't up-ref but we assigned ownership to con, so we shouldn't | |
511 | * free in the "end" block | |
512 | */ | |
513 | rbio = wbio = NULL; | |
514 | goto end; | |
515 | } | |
516 | ||
517 | if (!TEST_true(BIO_up_ref(wbio))) { | |
518 | wbio = NULL; | |
519 | goto end; | |
520 | } | |
521 | ||
16938284 DW |
522 | SSL_set_connect_state(con); |
523 | ||
524 | /* Send initial ClientHello */ | |
525 | ret = SSL_do_handshake(con); | |
829b2b85 MC |
526 | if (!TEST_int_le(ret, 0) |
527 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
528 | || !TEST_int_eq(validate_client_hello(wbio), 1) | |
529 | || !TEST_true(send_hello_verify(rbio))) | |
530 | goto end; | |
16938284 | 531 | |
16938284 | 532 | ret = SSL_do_handshake(con); |
829b2b85 MC |
533 | if (!TEST_int_le(ret, 0) |
534 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
535 | || !TEST_int_eq(validate_client_hello(wbio), 2) | |
536 | || !TEST_true(send_server_hello(rbio))) | |
537 | goto end; | |
538 | ||
16938284 | 539 | ret = SSL_do_handshake(con); |
829b2b85 MC |
540 | if (!TEST_int_le(ret, 0) |
541 | || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) | |
542 | || !TEST_true(send_finished(con, rbio))) | |
543 | goto end; | |
544 | ||
16938284 | 545 | ret = SSL_do_handshake(con); |
829b2b85 MC |
546 | if (!TEST_int_gt(ret, 0) |
547 | || !TEST_true(validate_ccs(wbio))) | |
548 | goto end; | |
16938284 DW |
549 | |
550 | /* While we're here and crafting packets by hand, we might as well do a | |
551 | bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS | |
552 | specific but useful anyway for the general case. It's been broken | |
553 | before, and in fact was broken even for a basic 0, 2, 1 test case | |
554 | when this test was first added.... */ | |
555 | for (i = 0; i < (int)OSSL_NELEM(tests); i++) { | |
829b2b85 | 556 | uint64_t recv_buf[2]; |
16938284 | 557 | |
829b2b85 MC |
558 | if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq, |
559 | &tests[i].seq, sizeof(uint64_t)))) { | |
d1186c30 TS |
560 | TEST_error("Failed to send data seq #0x%x%08x (%d)\n", |
561 | (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); | |
829b2b85 | 562 | goto end; |
16938284 DW |
563 | } |
564 | ||
565 | if (tests[i].drop) | |
566 | continue; | |
567 | ||
829b2b85 MC |
568 | ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t)); |
569 | if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) { | |
d1186c30 TS |
570 | TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n", |
571 | (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); | |
829b2b85 | 572 | goto end; |
16938284 | 573 | } |
829b2b85 MC |
574 | if (!TEST_true(recv_buf[0] == tests[i].seq)) |
575 | goto end; | |
16938284 | 576 | } |
16938284 | 577 | |
829b2b85 MC |
578 | /* The last test cannot be DROP() */ |
579 | if (!TEST_false(tests[i-1].drop)) | |
580 | goto end; | |
581 | ||
582 | testresult = 1; | |
583 | ||
584 | end: | |
585 | BIO_free(rbio); | |
586 | BIO_free(wbio); | |
16938284 | 587 | SSL_free(con); |
16938284 | 588 | SSL_CTX_free(ctx); |
16938284 | 589 | EVP_MD_CTX_free(handshake_md); |
16938284 | 590 | |
829b2b85 MC |
591 | return testresult; |
592 | } | |
16938284 | 593 | |
ad887416 | 594 | int setup_tests(void) |
829b2b85 MC |
595 | { |
596 | ADD_TEST(test_bad_dtls); | |
ad887416 | 597 | return 1; |
16938284 | 598 | } |