[thirdparty/openssl.git] / test / bad_dtls_test.c

/*
 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
 * AnyConnect VPN protocol.
 *
 * This is designed to exercise the code paths in
 * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
 * which have frequently been affected by regressions in DTLS1_BAD_VER
 * support.
 *
 * Note that unlike other SSL tests, we don't test against our own SSL
 * server method. Firstly because we don't have one; we *only* support
 * DTLS1_BAD_VER as a client. And secondly because even if that were
 * fixed up it's the wrong thing to test against — because if changes
 * are made in generic DTLS code which don't take DTLS1_BAD_VER into
 * account, there's plenty of scope for making those changes such that
 * they break *both* the client and the server in the same way.
 *
 * So we handle the server side manually. In a session resume there isn't
 * much to be done anyway.
 */
#include <string.h>

#include <openssl/opensslconf.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/kdf.h>

#include "../ssl/packet_locl.h"
#include "../e_os.h" /* for OSSL_NELEM() */

/* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
#define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)

static unsigned char client_random[SSL3_RANDOM_SIZE];
static unsigned char server_random[SSL3_RANDOM_SIZE];

/* These are all generated locally, sized purely according to our own whim */
static unsigned char session_id[32];
static unsigned char master_secret[48];
static unsigned char cookie[20];

/* We've hard-coded the cipher suite; we know it's 104 bytes */
static unsigned char key_block[104];
#define mac_key (key_block + 20)
#define dec_key (key_block + 40)
#define enc_key (key_block + 56)

static EVP_MD_CTX *handshake_md;

static int do_PRF(const void *seed1, int seed1_len,
                  const void *seed2, int seed2_len,
                  const void *seed3, int seed3_len,
                  unsigned char *out, int olen)
{
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
    size_t outlen = olen;

    /* No error handling. If it all screws up, the test will fail anyway */
    EVP_PKEY_derive_init(pctx);
    EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
    EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
    EVP_PKEY_derive(pctx, out, &outlen);
    EVP_PKEY_CTX_free(pctx);
    return 1;
}

static SSL_SESSION *client_session(void)
{
    static unsigned char session_asn1[] = {
        0x30, 0x5F,              /* SEQUENCE, length 0x5F */
        0x02, 0x01, 0x01,        /* INTEGER, SSL_SESSION_ASN1_VERSION */
        0x02, 0x02, 0x01, 0x00,  /* INTEGER, DTLS1_BAD_VER */
        0x04, 0x02, 0x00, 0x2F,  /* OCTET_STRING, AES128-SHA */
        0x04, 0x20,              /* OCTET_STRING, session id */
#define SS_SESSID_OFS 15 /* Session ID goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x04, 0x30,              /* OCTET_STRING, master secret */
#define SS_SECRET_OFS 49 /* Master secret goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    const unsigned char *p = session_asn1;

    /* Copy the randomly-generated fields into the above ASN1 */
    memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
    memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));

    return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
}

/* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
static int validate_client_hello(BIO *wbio)
{
    PACKET pkt, pkt2;
    long len;
    unsigned char *data;
    int cookie_found = 0;
    unsigned int u;

    len = BIO_get_mem_data(wbio, (char **)&data);
    if (!PACKET_buf_init(&pkt, data, len))
        return 0;

    /* Check record header type */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
        return 0;
    /* Version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;
    /* Skip the rest of the record header */
    if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
        return 0;

    /* Check it's a ClientHello */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
        return 0;
    /* Skip the rest of the handshake message header */
    if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
        return 0;

    /* Check client version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;

    /* Store random */
    if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
        return 0;

    /* Check session id length and content */
    if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
        !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
        return 0;

    /* Check cookie */
    if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
        return 0;
    if (PACKET_remaining(&pkt2)) {
        if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
            return 0;
        cookie_found = 1;
    }

    /* Skip ciphers */
    if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Skip compression */
    if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Skip extensions */
    if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Now we are at the end */
    if (PACKET_remaining(&pkt))
        return 0;

    /* Update handshake MAC for second ClientHello (with cookie) */
    if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
                                          len - MAC_OFFSET))
            printf("EVP_DigestUpdate() failed\n");

    (void)BIO_reset(wbio);

    return 1 + cookie_found;
}

static int send_hello_verify(BIO *rbio)
{
    static unsigned char hello_verify[] = {
        0x16, /* Handshake */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
        0x00, 0x23, /* Length */
        0x03, /* Hello Verify */
        0x00, 0x00, 0x17, /* Length */
        0x00, 0x00, /* Seq# 0 */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x17, /* Fragment length */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x14, /* Cookie length */
#define HV_COOKIE_OFS 28 /* Cookie goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,
    };

    memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));

    BIO_write(rbio, hello_verify, sizeof(hello_verify));

    return 1;
}

static int send_server_hello(BIO *rbio)
{
    static unsigned char server_hello[] = {
        0x16, /* Handshake */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
        0x00, 0x52, /* Length */
        0x02, /* Server Hello */
        0x00, 0x00, 0x46, /* Length */
        0x00, 0x01, /* Seq# */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x46, /* Fragment length */
        0x01, 0x00, /* DTLS1_BAD_VER */
#define SH_RANDOM_OFS 27 /* Server random goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x20, /* Session ID length */
#define SH_SESSID_OFS 60 /* Session ID goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x2f, /* Cipher suite AES128-SHA */
        0x00, /* Compression null */
    };
    static unsigned char change_cipher_spec[] = {
        0x14, /* Change Cipher Spec */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
        0x00, 0x03, /* Length */
        0x01, 0x00, 0x02, /* Message */
    };

    memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
    memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));

    if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
                          sizeof(server_hello) - MAC_OFFSET))
        printf("EVP_DigestUpdate() failed\n");

    BIO_write(rbio, server_hello, sizeof(server_hello));
    BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));

    return 1;
}

/* Create header, HMAC, pad, encrypt and send a record */
static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
                       const void *msg, size_t len)
{
    /* Note that the order of the record header fields on the wire,
     * and in the HMAC, is different. So we just keep them in separate
     * variables and handle them individually. */
    static unsigned char epoch[2] = { 0x00, 0x01 };
    static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
    unsigned char lenbytes[2];
    HMAC_CTX *ctx;
    EVP_CIPHER_CTX *enc_ctx;
    unsigned char iv[16];
    unsigned char pad;
    unsigned char *enc;

#ifdef SIXTY_FOUR_BIT_LONG
    seq[0] = (seqnr >> 40) & 0xff;
    seq[1] = (seqnr >> 32) & 0xff;
#endif
    seq[2] = (seqnr >> 24) & 0xff;
    seq[3] = (seqnr >> 16) & 0xff;
    seq[4] = (seqnr >> 8) & 0xff;
    seq[5] = seqnr & 0xff;

    pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
    enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
    if (enc == NULL)
        return 0;

    /* Copy record to encryption buffer */
    memcpy(enc, msg, len);

    /* Append HMAC to data */
    ctx = HMAC_CTX_new();
    HMAC_Init_ex(ctx, mac_key, 20, EVP_sha1(), NULL);
    HMAC_Update(ctx, epoch, 2);
    HMAC_Update(ctx, seq, 6);
    HMAC_Update(ctx, &type, 1);
    HMAC_Update(ctx, ver, 2); /* Version */
    lenbytes[0] = len >> 8;
    lenbytes[1] = len & 0xff;
    HMAC_Update(ctx, lenbytes, 2); /* Length */
    HMAC_Update(ctx, enc, len); /* Finally the data itself */
    HMAC_Final(ctx, enc + len, NULL);
    HMAC_CTX_free(ctx);

    /* Append padding bytes */
    len += SHA_DIGEST_LENGTH;
    do {
        enc[len++] = pad;
    } while (len % 16);

    /* Generate IV, and encrypt */
    RAND_bytes(iv, sizeof(iv));
    enc_ctx = EVP_CIPHER_CTX_new();
    EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1);
    EVP_Cipher(enc_ctx, enc, enc, len);
    EVP_CIPHER_CTX_free(enc_ctx);

    /* Finally write header (from fragmented variables), IV and encrypted record */
    BIO_write(rbio, &type, 1);
    BIO_write(rbio, ver, 2);
    BIO_write(rbio, epoch, 2);
    BIO_write(rbio, seq, 6);
    lenbytes[0] = (len + sizeof(iv)) >> 8;
    lenbytes[1] = (len + sizeof(iv)) & 0xff;
    BIO_write(rbio, lenbytes, 2);

    BIO_write(rbio, iv, sizeof(iv));
    BIO_write(rbio, enc, len);

    OPENSSL_free(enc);
    return 1;
}

static int send_finished(SSL *s, BIO *rbio)
{
    static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
                                      TLS1_FINISH_MAC_LENGTH] = {
        0x14, /* Finished */
        0x00, 0x00, 0x0c, /* Length */
        0x00, 0x03, /* Seq# 3 */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x0c, /* Fragment length */
        /* Finished MAC (12 bytes) */
    };
    unsigned char handshake_hash[EVP_MAX_MD_SIZE];

    /* Derive key material */
    do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
           server_random, SSL3_RANDOM_SIZE,
           client_random, SSL3_RANDOM_SIZE,
           key_block, sizeof(key_block));

    /* Generate Finished MAC */
    if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
        printf("EVP_DigestFinal_ex() failed\n");

    do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
           handshake_hash, EVP_MD_CTX_size(handshake_md),
           NULL, 0,
           finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);

    return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
                       finished_msg, sizeof(finished_msg));
}

static int validate_ccs(BIO *wbio)
{
    PACKET pkt;
    long len;
    unsigned char *data;
    unsigned int u;

    len = BIO_get_mem_data(wbio, (char **)&data);
    if (!PACKET_buf_init(&pkt, data, len))
        return 0;

    /* Check record header type */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
        return 0;
    /* Version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;
    /* Skip the rest of the record header */
    if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
        return 0;

    /* Check ChangeCipherSpec message */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
        return 0;
    /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
     * handshake sequence number (which is 2 here) */
    if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
        return 0;

    /* Now check the Finished packet */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
        return 0;
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;

    /* Check epoch is now 1 */
    if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
        return 0;

    /* That'll do for now. If OpenSSL accepted *our* Finished packet
     * then it's evidently remembered that DTLS1_BAD_VER doesn't
     * include the handshake header in the MAC. There's not a lot of
     * point in implementing decryption here, just to check that it
     * continues to get it right for one more packet. */

    return 1;
}

#define NODROP(x) { x##UL, 0 }
#define DROP(x)   { x##UL, 1 }

static struct {
    unsigned long seq;
    int drop;
} tests[] = {
    NODROP(1), NODROP(3), NODROP(2),
    NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
    NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
    DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
    NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
    NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
    NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
    NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
    NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
    /* The last test should be NODROP, because a DROP wouldn't get tested. */
};

int main(int argc, char *argv[])
{
    SSL_SESSION *sess;
    SSL_CTX *ctx;
    SSL *con;
    BIO *rbio;
    BIO *wbio;
    BIO *err;
    time_t now = 0;
    int testresult = 0;
    int ret;
    int i;

    err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);

    CRYPTO_set_mem_debug(1);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    RAND_bytes(session_id, sizeof(session_id));
    RAND_bytes(master_secret, sizeof(master_secret));
    RAND_bytes(cookie, sizeof(cookie));
    RAND_bytes(server_random + 4, sizeof(server_random) - 4);

    now = time(NULL);
    memcpy(server_random, &now, sizeof(now));

    sess = client_session();
    if (sess == NULL) {
        printf("Failed to generate SSL_SESSION\n");
        goto end;
    }

    handshake_md = EVP_MD_CTX_new();
    if (handshake_md == NULL ||
        !EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), NULL)) {
        printf("Failed to initialise handshake_md\n");
        goto end;
    }

    ctx = SSL_CTX_new(DTLS_client_method());
    if (ctx == NULL) {
        printf("Failed to allocate SSL_CTX\n");
        goto end_md;
    }
    if (!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) {
        printf("SSL_CTX_set_min_proto_version() failed\n");
        goto end_ctx;
    }
    if (!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
        printf("SSL_CTX_set_max_proto_version() failed\n");
        goto end_ctx;
    }

    if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA")) {
        printf("SSL_CTX_set_cipher_list() failed\n");
        goto end_ctx;
    }

    con = SSL_new(ctx);
    if (!SSL_set_session(con, sess)) {
        printf("SSL_set_session() failed\n");
        goto end_con;
    }
    SSL_SESSION_free(sess);

    rbio = BIO_new(BIO_s_mem());
    wbio = BIO_new(BIO_s_mem());

    BIO_set_nbio(rbio, 1);
    BIO_set_nbio(wbio, 1);

    SSL_set_bio(con, rbio, wbio);
    SSL_set_connect_state(con);

    /* Send initial ClientHello */
    ret = SSL_do_handshake(con);
    if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
        printf("Unexpected handshake result at initial call!\n");
        goto end_con;
    }

    if (validate_client_hello(wbio) != 1) {
        printf("Initial ClientHello failed validation\n");
        goto end_con;
    }
    if (send_hello_verify(rbio) != 1) {
        printf("Failed to send HelloVerify\n");
        goto end_con;
    }
    ret = SSL_do_handshake(con);
    if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
        printf("Unexpected handshake result after HelloVerify!\n");
        goto end_con;
    }
    if (validate_client_hello(wbio) != 2) {
        printf("Second ClientHello failed validation\n");
        goto end_con;
    }
    if (send_server_hello(rbio) != 1) {
        printf("Failed to send ServerHello\n");
        goto end_con;
    }
    ret = SSL_do_handshake(con);
    if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
        printf("Unexpected handshake result after ServerHello!\n");
        goto end_con;
    }
    if (send_finished(con, rbio) != 1) {
        printf("Failed to send Finished\n");
        goto end_con;
    }
    ret = SSL_do_handshake(con);
    if (ret < 1) {
        printf("Handshake not successful after Finished!\n");
        goto end_con;
    }
    if (validate_ccs(wbio) != 1) {
        printf("Failed to validate client CCS/Finished\n");
        goto end_con;
    }

    /* While we're here and crafting packets by hand, we might as well do a
       bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
       specific but useful anyway for the general case. It's been broken
       before, and in fact was broken even for a basic 0, 2, 1 test case
       when this test was first added.... */
    for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
        unsigned long recv_buf[2];

        if (send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
                        &tests[i].seq, sizeof(unsigned long)) != 1) {
            printf("Failed to send data seq #0x%lx (%d)\n",
                   tests[i].seq, i);
            goto end_con;
        }

        if (tests[i].drop)
            continue;

        ret = SSL_read(con, recv_buf, 2 * sizeof(unsigned long));
        if (ret != sizeof(unsigned long)) {
            printf("SSL_read failed or wrong size on seq#0x%lx (%d)\n",
                   tests[i].seq, i);
            goto end_con;
        }
        if (recv_buf[0] != tests[i].seq) {
            printf("Wrong data packet received (0x%lx not 0x%lx) at packet %d\n",
                   recv_buf[0], tests[i].seq, i);
            goto end_con;
        }
    }
    if (tests[i-1].drop) {
        printf("Error: last test cannot be DROP()\n");
        goto end_con;
    }
    testresult=1;

 end_con:
    SSL_free(con);
 end_ctx:
    SSL_CTX_free(ctx);
 end_md:
    EVP_MD_CTX_free(handshake_md);
 end:
    ERR_print_errors_fp(stderr);

    if (!testresult) {
        printf("Cisco BadDTLS test: FAILED\n");
    }


#ifndef OPENSSL_NO_CRYPTO_MDEBUG
    if (CRYPTO_mem_leaks(err) <= 0)
        testresult = 0;
#endif
    BIO_free(err);

    return testresult?0:1;
}
Commit	Line	Data
16938284 DW	1	/*
	2	* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* Unit test for Cisco DTLS1_BAD_VER session resume, as used by
	12	* AnyConnect VPN protocol.
	13	*
	14	* This is designed to exercise the code paths in
	15	* http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
	16	* which have frequently been affected by regressions in DTLS1_BAD_VER
	17	* support.
	18	*
	19	* Note that unlike other SSL tests, we don't test against our own SSL
	20	* server method. Firstly because we don't have one; we only support
	21	* DTLS1_BAD_VER as a client. And secondly because even if that were
	22	* fixed up it's the wrong thing to test against — because if changes
	23	* are made in generic DTLS code which don't take DTLS1_BAD_VER into
	24	* account, there's plenty of scope for making those changes such that
	25	* they break both the client and the server in the same way.
	26	*
	27	* So we handle the server side manually. In a session resume there isn't
	28	* much to be done anyway.
	29	*/
	30	#include <string.h>
	31
	32	#include <openssl/opensslconf.h>
	33	#include <openssl/bio.h>
	34	#include <openssl/crypto.h>
	35	#include <openssl/evp.h>
	36	#include <openssl/ssl.h>
	37	#include <openssl/err.h>
	38	#include <openssl/rand.h>
	39	#include <openssl/kdf.h>
	40
9cc76cc4 RL	41	#include "../ssl/packet_locl.h"
9cc76cc4 RL	42	#include "../e_os.h" /* for OSSL_NELEM() */
16938284 DW	43
	44	/* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
	45	#define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
	46
	47	static unsigned char client_random[SSL3_RANDOM_SIZE];
	48	static unsigned char server_random[SSL3_RANDOM_SIZE];
	49
	50	/* These are all generated locally, sized purely according to our own whim */
	51	static unsigned char session_id[32];
	52	static unsigned char master_secret[48];
	53	static unsigned char cookie[20];
	54
	55	/* We've hard-coded the cipher suite; we know it's 104 bytes */
	56	static unsigned char key_block[104];
	57	#define mac_key (key_block + 20)
	58	#define dec_key (key_block + 40)
	59	#define enc_key (key_block + 56)
	60
	61	static EVP_MD_CTX *handshake_md;
	62
	63	static int do_PRF(const void *seed1, int seed1_len,
	64	const void *seed2, int seed2_len,
	65	const void *seed3, int seed3_len,
	66	unsigned char *out, int olen)
	67	{
	68	EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
	69	size_t outlen = olen;
	70
	71	/* No error handling. If it all screws up, the test will fail anyway */
	72	EVP_PKEY_derive_init(pctx);
	73	EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
	74	EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
	75	EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
	76	EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
	77	EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
	78	EVP_PKEY_derive(pctx, out, &outlen);
	79	EVP_PKEY_CTX_free(pctx);
	80	return 1;
	81	}
	82
	83	static SSL_SESSION *client_session(void)
	84	{
	85	static unsigned char session_asn1[] = {
	86	0x30, 0x5F, /* SEQUENCE, length 0x5F */
	87	0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */
	88	0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */
	89	0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */
	90	0x04, 0x20, /* OCTET_STRING, session id */
	91	#define SS_SESSID_OFS 15 /* Session ID goes here */
	92	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	93	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	94	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	95	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	96	0x04, 0x30, /* OCTET_STRING, master secret */
	97	#define SS_SECRET_OFS 49 /* Master secret goes here */
	98	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	99	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	100	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	101	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	102	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	103	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	104	};
	105	const unsigned char *p = session_asn1;
	106
107	/* Copy the randomly-generated fields into the above ASN1 */
108	memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
109	memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
110
111	return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
112	}
113
16938284 DW	114	/* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
	115	static int validate_client_hello(BIO *wbio)
	116	{
eb633d03	117	PACKET pkt, pkt2;
16938284 DW	118	long len;
	119	unsigned char *data;
	120	int cookie_found = 0;
	121	unsigned int u;
	122
	123	len = BIO_get_mem_data(wbio, (char **)&data);
	124	if (!PACKET_buf_init(&pkt, data, len))
	125	return 0;
	126
	127	/* Check record header type */
	128	if (!PACKET_get_1(&pkt, &u) \|\| u != SSL3_RT_HANDSHAKE)
	129	return 0;
	130	/* Version */
	131	if (!PACKET_get_net_2(&pkt, &u) \|\| u != DTLS1_BAD_VER)
	132	return 0;
	133	/* Skip the rest of the record header */
	134	if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
	135	return 0;
	136
	137	/* Check it's a ClientHello */
	138	if (!PACKET_get_1(&pkt, &u) \|\| u != SSL3_MT_CLIENT_HELLO)
	139	return 0;
	140	/* Skip the rest of the handshake message header */
	141	if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
	142	return 0;
	143
	144	/* Check client version */
	145	if (!PACKET_get_net_2(&pkt, &u) \|\| u != DTLS1_BAD_VER)
	146	return 0;
	147
	148	/* Store random */
	149	if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
	150	return 0;
	151
	152	/* Check session id length and content */
eb633d03 DW	153	if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) \|\|
eb633d03 DW	154	!PACKET_equal(&pkt2, session_id, sizeof(session_id)))
16938284 DW	155	return 0;
	156
	157	/* Check cookie */
eb633d03	158	if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
16938284	159	return 0;
eb633d03 DW	160	if (PACKET_remaining(&pkt2)) {
eb633d03 DW	161	if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
16938284 DW	162	return 0;
	163	cookie_found = 1;
	164	}
	165
	166	/* Skip ciphers */
	167	if (!PACKET_get_net_2(&pkt, &u) \|\| !PACKET_forward(&pkt, u))
	168	return 0;
	169
	170	/* Skip compression */
	171	if (!PACKET_get_1(&pkt, &u) \|\| !PACKET_forward(&pkt, u))
	172	return 0;
	173
	174	/* Skip extensions */
	175	if (!PACKET_get_net_2(&pkt, &u) \|\| !PACKET_forward(&pkt, u))
	176	return 0;
	177
	178	/* Now we are at the end */
	179	if (PACKET_remaining(&pkt))
	180	return 0;
	181
	182	/* Update handshake MAC for second ClientHello (with cookie) */
	183	if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
	184	len - MAC_OFFSET))
	185	printf("EVP_DigestUpdate() failed\n");
	186
	187	(void)BIO_reset(wbio);
	188
	189	return 1 + cookie_found;
	190	}
	191
	192	static int send_hello_verify(BIO *rbio)
	193	{
	194	static unsigned char hello_verify[] = {
	195	0x16, /* Handshake */
	196	0x01, 0x00, /* DTLS1_BAD_VER */
	197	0x00, 0x00, /* Epoch 0 */
	198	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
	199	0x00, 0x23, /* Length */
	200	0x03, /* Hello Verify */
	201	0x00, 0x00, 0x17, /* Length */
	202	0x00, 0x00, /* Seq# 0 */
	203	0x00, 0x00, 0x00, /* Fragment offset */
	204	0x00, 0x00, 0x17, /* Fragment length */
	205	0x01, 0x00, /* DTLS1_BAD_VER */
	206	0x14, /* Cookie length */
	207	#define HV_COOKIE_OFS 28 /* Cookie goes here */
	208	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	209	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	210	0x00, 0x00, 0x00, 0x00,
	211	};
	212
	213	memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
	214
	215	BIO_write(rbio, hello_verify, sizeof(hello_verify));
	216
	217	return 1;
	218	}
	219
	220	static int send_server_hello(BIO *rbio)
	221	{
	222	static unsigned char server_hello[] = {
	223	0x16, /* Handshake */
	224	0x01, 0x00, /* DTLS1_BAD_VER */
	225	0x00, 0x00, /* Epoch 0 */
226	0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
227	0x00, 0x52, /* Length */
228	0x02, /* Server Hello */
229	0x00, 0x00, 0x46, /* Length */
230	0x00, 0x01, /* Seq# */
231	0x00, 0x00, 0x00, /* Fragment offset */
232	0x00, 0x00, 0x46, /* Fragment length */
233	0x01, 0x00, /* DTLS1_BAD_VER */
234	#define SH_RANDOM_OFS 27 /* Server random goes here */
235	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239	0x20, /* Session ID length */
240	#define SH_SESSID_OFS 60 /* Session ID goes here */
241	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245	0x00, 0x2f, /* Cipher suite AES128-SHA */
246	0x00, /* Compression null */
247	};
248	static unsigned char change_cipher_spec[] = {
249	0x14, /* Change Cipher Spec */
250	0x01, 0x00, /* DTLS1_BAD_VER */
251	0x00, 0x00, /* Epoch 0 */
252	0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
253	0x00, 0x03, /* Length */
254	0x01, 0x00, 0x02, /* Message */
255	};
256
257	memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
258	memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
259
260	if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
261	sizeof(server_hello) - MAC_OFFSET))
262	printf("EVP_DigestUpdate() failed\n");
263
264	BIO_write(rbio, server_hello, sizeof(server_hello));
265	BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
266
267	return 1;
268	}
269
270	/* Create header, HMAC, pad, encrypt and send a record */
271	static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
272	const void *msg, size_t len)
273	{
274	/* Note that the order of the record header fields on the wire,
275	* and in the HMAC, is different. So we just keep them in separate
276	* variables and handle them individually. */
277	static unsigned char epoch[2] = { 0x00, 0x01 };
278	static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
279	static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
280	unsigned char lenbytes[2];
281	HMAC_CTX *ctx;
282	EVP_CIPHER_CTX *enc_ctx;
283	unsigned char iv[16];
284	unsigned char pad;
285	unsigned char *enc;
286
287	#ifdef SIXTY_FOUR_BIT_LONG
288	seq[0] = (seqnr >> 40) & 0xff;
289	seq[1] = (seqnr >> 32) & 0xff;
290	#endif
291	seq[2] = (seqnr >> 24) & 0xff;
292	seq[3] = (seqnr >> 16) & 0xff;
293	seq[4] = (seqnr >> 8) & 0xff;
294	seq[5] = seqnr & 0xff;
295
296	pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
297	enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
298	if (enc == NULL)
299	return 0;
300
301	/* Copy record to encryption buffer */
302	memcpy(enc, msg, len);
303
304	/* Append HMAC to data */
305	ctx = HMAC_CTX_new();
306	HMAC_Init_ex(ctx, mac_key, 20, EVP_sha1(), NULL);
307	HMAC_Update(ctx, epoch, 2);
308	HMAC_Update(ctx, seq, 6);
309	HMAC_Update(ctx, &type, 1);
310	HMAC_Update(ctx, ver, 2); /* Version */
311	lenbytes[0] = len >> 8;
312	lenbytes[1] = len & 0xff;
313	HMAC_Update(ctx, lenbytes, 2); /* Length */
314	HMAC_Update(ctx, enc, len); /* Finally the data itself */
315	HMAC_Final(ctx, enc + len, NULL);
316	HMAC_CTX_free(ctx);
317
318	/* Append padding bytes */
319	len += SHA_DIGEST_LENGTH;
320	do {
321	enc[len++] = pad;
322	} while (len % 16);
323
324	/* Generate IV, and encrypt */
325	RAND_bytes(iv, sizeof(iv));
326	enc_ctx = EVP_CIPHER_CTX_new();
327	EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1);
328	EVP_Cipher(enc_ctx, enc, enc, len);
329	EVP_CIPHER_CTX_free(enc_ctx);
330
331	/* Finally write header (from fragmented variables), IV and encrypted record */
332	BIO_write(rbio, &type, 1);
333	BIO_write(rbio, ver, 2);
334	BIO_write(rbio, epoch, 2);
335	BIO_write(rbio, seq, 6);
336	lenbytes[0] = (len + sizeof(iv)) >> 8;
337	lenbytes[1] = (len + sizeof(iv)) & 0xff;
338	BIO_write(rbio, lenbytes, 2);
339
340	BIO_write(rbio, iv, sizeof(iv));
341	BIO_write(rbio, enc, len);
342
343	OPENSSL_free(enc);
344	return 1;
345	}
346
347	static int send_finished(SSL s, BIO rbio)
348	{
349	static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
350	TLS1_FINISH_MAC_LENGTH] = {
351	0x14, /* Finished */
352	0x00, 0x00, 0x0c, /* Length */
353	0x00, 0x03, /* Seq# 3 */
354	0x00, 0x00, 0x00, /* Fragment offset */
355	0x00, 0x00, 0x0c, /* Fragment length */
356	/* Finished MAC (12 bytes) */
357	};
358	unsigned char handshake_hash[EVP_MAX_MD_SIZE];
359
360	/* Derive key material */
361	do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
362	server_random, SSL3_RANDOM_SIZE,
363	client_random, SSL3_RANDOM_SIZE,
364	key_block, sizeof(key_block));
365
366	/* Generate Finished MAC */
367	if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
368	printf("EVP_DigestFinal_ex() failed\n");
369
370	do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
371	handshake_hash, EVP_MD_CTX_size(handshake_md),
372	NULL, 0,
373	finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
374
375	return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
376	finished_msg, sizeof(finished_msg));
377	}
378
379	static int validate_ccs(BIO *wbio)
380	{
381	PACKET pkt;
382	long len;
383	unsigned char *data;
384	unsigned int u;
385
386	len = BIO_get_mem_data(wbio, (char **)&data);
387	if (!PACKET_buf_init(&pkt, data, len))
388	return 0;
389
390	/* Check record header type */
391	if (!PACKET_get_1(&pkt, &u) \|\| u != SSL3_RT_CHANGE_CIPHER_SPEC)
392	return 0;
393	/* Version */
394	if (!PACKET_get_net_2(&pkt, &u) \|\| u != DTLS1_BAD_VER)
395	return 0;
396	/* Skip the rest of the record header */
397	if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
398	return 0;
399
400	/* Check ChangeCipherSpec message */
401	if (!PACKET_get_1(&pkt, &u) \|\| u != SSL3_MT_CCS)
402	return 0;
403	/* A DTLS1_BAD_VER ChangeCipherSpec also contains the
404	* handshake sequence number (which is 2 here) */
405	if (!PACKET_get_net_2(&pkt, &u) \|\| u != 0x0002)
406	return 0;
407
408	/* Now check the Finished packet */
409	if (!PACKET_get_1(&pkt, &u) \|\| u != SSL3_RT_HANDSHAKE)
410	return 0;
411	if (!PACKET_get_net_2(&pkt, &u) \|\| u != DTLS1_BAD_VER)
412	return 0;
413
414	/* Check epoch is now 1 */
415	if (!PACKET_get_net_2(&pkt, &u) \|\| u != 0x0001)
416	return 0;
417
418	/* That'll do for now. If OpenSSL accepted our Finished packet
419	* then it's evidently remembered that DTLS1_BAD_VER doesn't
420	* include the handshake header in the MAC. There's not a lot of
421	* point in implementing decryption here, just to check that it
422	* continues to get it right for one more packet. */
423
424	return 1;
425	}
426
427	#define NODROP(x) { x##UL, 0 }
428	#define DROP(x) { x##UL, 1 }
429
430	static struct {
431	unsigned long seq;
432	int drop;
433	} tests[] = {
434	NODROP(1), NODROP(3), NODROP(2),
435	NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
436	NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
437	DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
438	NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
439	NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
440	NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
441	NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
442	NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
443	/* The last test should be NODROP, because a DROP wouldn't get tested. */
444	};
445
446	int main(int argc, char *argv[])
447	{
448	SSL_SESSION *sess;
449	SSL_CTX *ctx;
450	SSL *con;
451	BIO *rbio;
452	BIO *wbio;
453	BIO *err;
af5883fe	454	time_t now = 0;
16938284 DW	455	int testresult = 0;
	456	int ret;
	457	int i;
	458
	459	err = BIO_new_fp(stderr, BIO_NOCLOSE \| BIO_FP_TEXT);
	460
	461	CRYPTO_set_mem_debug(1);
	462	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
	463
	464	RAND_bytes(session_id, sizeof(session_id));
	465	RAND_bytes(master_secret, sizeof(master_secret));
	466	RAND_bytes(cookie, sizeof(cookie));
	467	RAND_bytes(server_random + 4, sizeof(server_random) - 4);
af5883fe MK	468
	469	now = time(NULL);
	470	memcpy(server_random, &now, sizeof(now));
16938284 DW	471
	472	sess = client_session();
	473	if (sess == NULL) {
	474	printf("Failed to generate SSL_SESSION\n");
	475	goto end;
	476	}
	477
	478	handshake_md = EVP_MD_CTX_new();
	479	if (handshake_md == NULL \|\|
	480	!EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), NULL)) {
	481	printf("Failed to initialise handshake_md\n");
	482	goto end;
	483	}
	484
	485	ctx = SSL_CTX_new(DTLS_client_method());
	486	if (ctx == NULL) {
	487	printf("Failed to allocate SSL_CTX\n");
	488	goto end_md;
	489	}
	490	if (!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) {
	491	printf("SSL_CTX_set_min_proto_version() failed\n");
	492	goto end_ctx;
	493	}
	494	if (!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
	495	printf("SSL_CTX_set_max_proto_version() failed\n");
	496	goto end_ctx;
	497	}
	498
	499	if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA")) {
	500	printf("SSL_CTX_set_cipher_list() failed\n");
	501	goto end_ctx;
	502	}
	503
	504	con = SSL_new(ctx);
	505	if (!SSL_set_session(con, sess)) {
	506	printf("SSL_set_session() failed\n");
	507	goto end_con;
	508	}
	509	SSL_SESSION_free(sess);
	510
	511	rbio = BIO_new(BIO_s_mem());
	512	wbio = BIO_new(BIO_s_mem());
	513
	514	BIO_set_nbio(rbio, 1);
	515	BIO_set_nbio(wbio, 1);
	516
	517	SSL_set_bio(con, rbio, wbio);
	518	SSL_set_connect_state(con);
	519
	520	/* Send initial ClientHello */
	521	ret = SSL_do_handshake(con);
	522	if (ret > 0 \|\| SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
	523	printf("Unexpected handshake result at initial call!\n");
	524	goto end_con;
	525	}
	526
	527	if (validate_client_hello(wbio) != 1) {
	528	printf("Initial ClientHello failed validation\n");
	529	goto end_con;
	530	}
	531	if (send_hello_verify(rbio) != 1) {
	532	printf("Failed to send HelloVerify\n");
	533	goto end_con;
	534	}
535	ret = SSL_do_handshake(con);
536	if (ret > 0 \|\| SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
537	printf("Unexpected handshake result after HelloVerify!\n");
538	goto end_con;
539	}
540	if (validate_client_hello(wbio) != 2) {
541	printf("Second ClientHello failed validation\n");
542	goto end_con;
543	}
544	if (send_server_hello(rbio) != 1) {
545	printf("Failed to send ServerHello\n");
546	goto end_con;
547	}
548	ret = SSL_do_handshake(con);
549	if (ret > 0 \|\| SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
550	printf("Unexpected handshake result after ServerHello!\n");
551	goto end_con;
552	}
553	if (send_finished(con, rbio) != 1) {
554	printf("Failed to send Finished\n");
555	goto end_con;
556	}
557	ret = SSL_do_handshake(con);
558	if (ret < 1) {
559	printf("Handshake not successful after Finished!\n");
560	goto end_con;
561	}
562	if (validate_ccs(wbio) != 1) {
563	printf("Failed to validate client CCS/Finished\n");
564	goto end_con;
565	}
566
567	/* While we're here and crafting packets by hand, we might as well do a
568	bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
569	specific but useful anyway for the general case. It's been broken
570	before, and in fact was broken even for a basic 0, 2, 1 test case
571	when this test was first added.... */
572	for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
573	unsigned long recv_buf[2];
574
575	if (send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
576	&tests[i].seq, sizeof(unsigned long)) != 1) {
577	printf("Failed to send data seq #0x%lx (%d)\n",
578	tests[i].seq, i);
579	goto end_con;
580	}
581
582	if (tests[i].drop)
583	continue;
584
585	ret = SSL_read(con, recv_buf, 2 * sizeof(unsigned long));
586	if (ret != sizeof(unsigned long)) {
587	printf("SSL_read failed or wrong size on seq#0x%lx (%d)\n",
588	tests[i].seq, i);
589	goto end_con;
590	}
591	if (recv_buf[0] != tests[i].seq) {
592	printf("Wrong data packet received (0x%lx not 0x%lx) at packet %d\n",
593	recv_buf[0], tests[i].seq, i);
594	goto end_con;
595	}
596	}
597	if (tests[i-1].drop) {
598	printf("Error: last test cannot be DROP()\n");
599	goto end_con;
600	}
601	testresult=1;
602
603	end_con:
604	SSL_free(con);
605	end_ctx:
606	SSL_CTX_free(ctx);
607	end_md:
608	EVP_MD_CTX_free(handshake_md);
609	end:
610	ERR_print_errors_fp(stderr);
611
612	if (!testresult) {
613	printf("Cisco BadDTLS test: FAILED\n");
614	}
615
616
617	#ifndef OPENSSL_NO_CRYPTO_MDEBUG
618	if (CRYPTO_mem_leaks(err) <= 0)
619	testresult = 0;
620	#endif
621	BIO_free(err);
622
623	return testresult?0:1;
624	}