]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/bad_dtls_test.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Teach ssl_test_new how to test the FIPS module
[thirdparty/openssl.git] / test / bad_dtls_test.c
1 /*
2 * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
12 * AnyConnect VPN protocol.
13 *
14 * This is designed to exercise the code paths in
15 * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
16 * which have frequently been affected by regressions in DTLS1_BAD_VER
17 * support.
18 *
19 * Note that unlike other SSL tests, we don't test against our own SSL
20 * server method. Firstly because we don't have one; we *only* support
21 * DTLS1_BAD_VER as a client. And secondly because even if that were
22 * fixed up it's the wrong thing to test against - because if changes
23 * are made in generic DTLS code which don't take DTLS1_BAD_VER into
24 * account, there's plenty of scope for making those changes such that
25 * they break *both* the client and the server in the same way.
26 *
27 * So we handle the server side manually. In a session resume there isn't
28 * much to be done anyway.
29 */
30 #include <string.h>
31
32 #include <openssl/core_names.h>
33 #include <openssl/params.h>
34 #include <openssl/opensslconf.h>
35 #include <openssl/bio.h>
36 #include <openssl/crypto.h>
37 #include <openssl/evp.h>
38 #include <openssl/ssl.h>
39 #include <openssl/err.h>
40 #include <openssl/rand.h>
41 #include <openssl/kdf.h>
42 #include "internal/packet.h"
43 #include "internal/nelem.h"
44 #include "testutil.h"
45
46 /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
47 #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
48
49 static unsigned char client_random[SSL3_RANDOM_SIZE];
50 static unsigned char server_random[SSL3_RANDOM_SIZE];
51
52 /* These are all generated locally, sized purely according to our own whim */
53 static unsigned char session_id[32];
54 static unsigned char master_secret[48];
55 static unsigned char cookie[20];
56
57 /* We've hard-coded the cipher suite; we know it's 104 bytes */
58 static unsigned char key_block[104];
59 #define mac_key (key_block + 20)
60 #define dec_key (key_block + 40)
61 #define enc_key (key_block + 56)
62
63 static EVP_MD_CTX *handshake_md;
64
65 static int do_PRF(const void *seed1, int seed1_len,
66 const void *seed2, int seed2_len,
67 const void *seed3, int seed3_len,
68 unsigned char *out, int olen)
69 {
70 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
71 size_t outlen = olen;
72
73 /* No error handling. If it all screws up, the test will fail anyway */
74 EVP_PKEY_derive_init(pctx);
75 EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
76 EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
77 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
78 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
79 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
80 EVP_PKEY_derive(pctx, out, &outlen);
81 EVP_PKEY_CTX_free(pctx);
82 return 1;
83 }
84
85 static SSL_SESSION *client_session(void)
86 {
87 static unsigned char session_asn1[] = {
88 0x30, 0x5F, /* SEQUENCE, length 0x5F */
89 0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */
90 0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */
91 0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */
92 0x04, 0x20, /* OCTET_STRING, session id */
93 #define SS_SESSID_OFS 15 /* Session ID goes here */
94 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
97 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
98 0x04, 0x30, /* OCTET_STRING, master secret */
99 #define SS_SECRET_OFS 49 /* Master secret goes here */
100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
106 };
107 const unsigned char *p = session_asn1;
108
109 /* Copy the randomly-generated fields into the above ASN1 */
110 memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
111 memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
112
113 return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
114 }
115
116 /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
117 static int validate_client_hello(BIO *wbio)
118 {
119 PACKET pkt, pkt2;
120 long len;
121 unsigned char *data;
122 int cookie_found = 0;
123 unsigned int u = 0;
124
125 len = BIO_get_mem_data(wbio, (char **)&data);
126 if (!PACKET_buf_init(&pkt, data, len))
127 return 0;
128
129 /* Check record header type */
130 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
131 return 0;
132 /* Version */
133 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
134 return 0;
135 /* Skip the rest of the record header */
136 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
137 return 0;
138
139 /* Check it's a ClientHello */
140 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
141 return 0;
142 /* Skip the rest of the handshake message header */
143 if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
144 return 0;
145
146 /* Check client version */
147 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
148 return 0;
149
150 /* Store random */
151 if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
152 return 0;
153
154 /* Check session id length and content */
155 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
156 !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
157 return 0;
158
159 /* Check cookie */
160 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
161 return 0;
162 if (PACKET_remaining(&pkt2)) {
163 if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
164 return 0;
165 cookie_found = 1;
166 }
167
168 /* Skip ciphers */
169 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
170 return 0;
171
172 /* Skip compression */
173 if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
174 return 0;
175
176 /* Skip extensions */
177 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
178 return 0;
179
180 /* Now we are at the end */
181 if (PACKET_remaining(&pkt))
182 return 0;
183
184 /* Update handshake MAC for second ClientHello (with cookie) */
185 if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
186 len - MAC_OFFSET))
187 return 0;
188
189 (void)BIO_reset(wbio);
190
191 return 1 + cookie_found;
192 }
193
194 static int send_hello_verify(BIO *rbio)
195 {
196 static unsigned char hello_verify[] = {
197 0x16, /* Handshake */
198 0x01, 0x00, /* DTLS1_BAD_VER */
199 0x00, 0x00, /* Epoch 0 */
200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
201 0x00, 0x23, /* Length */
202 0x03, /* Hello Verify */
203 0x00, 0x00, 0x17, /* Length */
204 0x00, 0x00, /* Seq# 0 */
205 0x00, 0x00, 0x00, /* Fragment offset */
206 0x00, 0x00, 0x17, /* Fragment length */
207 0x01, 0x00, /* DTLS1_BAD_VER */
208 0x14, /* Cookie length */
209 #define HV_COOKIE_OFS 28 /* Cookie goes here */
210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212 0x00, 0x00, 0x00, 0x00,
213 };
214
215 memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
216
217 BIO_write(rbio, hello_verify, sizeof(hello_verify));
218
219 return 1;
220 }
221
222 static int send_server_hello(BIO *rbio)
223 {
224 static unsigned char server_hello[] = {
225 0x16, /* Handshake */
226 0x01, 0x00, /* DTLS1_BAD_VER */
227 0x00, 0x00, /* Epoch 0 */
228 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
229 0x00, 0x52, /* Length */
230 0x02, /* Server Hello */
231 0x00, 0x00, 0x46, /* Length */
232 0x00, 0x01, /* Seq# */
233 0x00, 0x00, 0x00, /* Fragment offset */
234 0x00, 0x00, 0x46, /* Fragment length */
235 0x01, 0x00, /* DTLS1_BAD_VER */
236 #define SH_RANDOM_OFS 27 /* Server random goes here */
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
241 0x20, /* Session ID length */
242 #define SH_SESSID_OFS 60 /* Session ID goes here */
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
246 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
247 0x00, 0x2f, /* Cipher suite AES128-SHA */
248 0x00, /* Compression null */
249 };
250 static unsigned char change_cipher_spec[] = {
251 0x14, /* Change Cipher Spec */
252 0x01, 0x00, /* DTLS1_BAD_VER */
253 0x00, 0x00, /* Epoch 0 */
254 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
255 0x00, 0x03, /* Length */
256 0x01, 0x00, 0x02, /* Message */
257 };
258
259 memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
260 memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
261
262 if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
263 sizeof(server_hello) - MAC_OFFSET))
264 return 0;
265
266 BIO_write(rbio, server_hello, sizeof(server_hello));
267 BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
268
269 return 1;
270 }
271
272 /* Create header, HMAC, pad, encrypt and send a record */
273 static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
274 const void *msg, size_t len)
275 {
276 /* Note that the order of the record header fields on the wire,
277 * and in the HMAC, is different. So we just keep them in separate
278 * variables and handle them individually. */
279 static unsigned char epoch[2] = { 0x00, 0x01 };
280 static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
281 static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
282 unsigned char lenbytes[2];
283 EVP_MAC *hmac;
284 EVP_MAC_CTX *ctx;
285 EVP_CIPHER_CTX *enc_ctx;
286 unsigned char iv[16];
287 unsigned char pad;
288 unsigned char *enc;
289 OSSL_PARAM params[3];
290
291 seq[0] = (seqnr >> 40) & 0xff;
292 seq[1] = (seqnr >> 32) & 0xff;
293 seq[2] = (seqnr >> 24) & 0xff;
294 seq[3] = (seqnr >> 16) & 0xff;
295 seq[4] = (seqnr >> 8) & 0xff;
296 seq[5] = seqnr & 0xff;
297
298 pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
299 enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
300 if (enc == NULL)
301 return 0;
302
303 /* Copy record to encryption buffer */
304 memcpy(enc, msg, len);
305
306 /* Append HMAC to data */
307 hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
308 ctx = EVP_MAC_CTX_new(hmac);
309 EVP_MAC_free(hmac);
310 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
311 "SHA1", 0);
312 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
313 mac_key, 20);
314 params[2] = OSSL_PARAM_construct_end();
315 EVP_MAC_CTX_set_params(ctx, params);
316 EVP_MAC_init(ctx);
317 EVP_MAC_update(ctx, epoch, 2);
318 EVP_MAC_update(ctx, seq, 6);
319 EVP_MAC_update(ctx, &type, 1);
320 EVP_MAC_update(ctx, ver, 2); /* Version */
321 lenbytes[0] = (unsigned char)(len >> 8);
322 lenbytes[1] = (unsigned char)(len);
323 EVP_MAC_update(ctx, lenbytes, 2); /* Length */
324 EVP_MAC_update(ctx, enc, len); /* Finally the data itself */
325 EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH);
326 EVP_MAC_CTX_free(ctx);
327
328 /* Append padding bytes */
329 len += SHA_DIGEST_LENGTH;
330 do {
331 enc[len++] = pad;
332 } while (len % 16);
333
334 /* Generate IV, and encrypt */
335 RAND_bytes(iv, sizeof(iv));
336 enc_ctx = EVP_CIPHER_CTX_new();
337 EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1);
338 EVP_Cipher(enc_ctx, enc, enc, len);
339 EVP_CIPHER_CTX_free(enc_ctx);
340
341 /* Finally write header (from fragmented variables), IV and encrypted record */
342 BIO_write(rbio, &type, 1);
343 BIO_write(rbio, ver, 2);
344 BIO_write(rbio, epoch, 2);
345 BIO_write(rbio, seq, 6);
346 lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
347 lenbytes[1] = (unsigned char)(len + sizeof(iv));
348 BIO_write(rbio, lenbytes, 2);
349
350 BIO_write(rbio, iv, sizeof(iv));
351 BIO_write(rbio, enc, len);
352
353 OPENSSL_free(enc);
354 return 1;
355 }
356
357 static int send_finished(SSL *s, BIO *rbio)
358 {
359 static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
360 TLS1_FINISH_MAC_LENGTH] = {
361 0x14, /* Finished */
362 0x00, 0x00, 0x0c, /* Length */
363 0x00, 0x03, /* Seq# 3 */
364 0x00, 0x00, 0x00, /* Fragment offset */
365 0x00, 0x00, 0x0c, /* Fragment length */
366 /* Finished MAC (12 bytes) */
367 };
368 unsigned char handshake_hash[EVP_MAX_MD_SIZE];
369
370 /* Derive key material */
371 do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
372 server_random, SSL3_RANDOM_SIZE,
373 client_random, SSL3_RANDOM_SIZE,
374 key_block, sizeof(key_block));
375
376 /* Generate Finished MAC */
377 if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
378 return 0;
379
380 do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
381 handshake_hash, EVP_MD_CTX_size(handshake_md),
382 NULL, 0,
383 finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
384
385 return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
386 finished_msg, sizeof(finished_msg));
387 }
388
389 static int validate_ccs(BIO *wbio)
390 {
391 PACKET pkt;
392 long len;
393 unsigned char *data;
394 unsigned int u;
395
396 len = BIO_get_mem_data(wbio, (char **)&data);
397 if (!PACKET_buf_init(&pkt, data, len))
398 return 0;
399
400 /* Check record header type */
401 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
402 return 0;
403 /* Version */
404 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
405 return 0;
406 /* Skip the rest of the record header */
407 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
408 return 0;
409
410 /* Check ChangeCipherSpec message */
411 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
412 return 0;
413 /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
414 * handshake sequence number (which is 2 here) */
415 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
416 return 0;
417
418 /* Now check the Finished packet */
419 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
420 return 0;
421 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
422 return 0;
423
424 /* Check epoch is now 1 */
425 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
426 return 0;
427
428 /* That'll do for now. If OpenSSL accepted *our* Finished packet
429 * then it's evidently remembered that DTLS1_BAD_VER doesn't
430 * include the handshake header in the MAC. There's not a lot of
431 * point in implementing decryption here, just to check that it
432 * continues to get it right for one more packet. */
433
434 return 1;
435 }
436
437 #define NODROP(x) { x##UL, 0 }
438 #define DROP(x) { x##UL, 1 }
439
440 static struct {
441 uint64_t seq;
442 int drop;
443 } tests[] = {
444 NODROP(1), NODROP(3), NODROP(2),
445 NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
446 NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
447 DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
448 NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
449 NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
450 NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
451 NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
452 NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
453 /* The last test should be NODROP, because a DROP wouldn't get tested. */
454 };
455
456 static int test_bad_dtls(void)
457 {
458 SSL_SESSION *sess = NULL;
459 SSL_CTX *ctx = NULL;
460 SSL *con = NULL;
461 BIO *rbio = NULL;
462 BIO *wbio = NULL;
463 time_t now = 0;
464 int testresult = 0;
465 int ret;
466 int i;
467
468 RAND_bytes(session_id, sizeof(session_id));
469 RAND_bytes(master_secret, sizeof(master_secret));
470 RAND_bytes(cookie, sizeof(cookie));
471 RAND_bytes(server_random + 4, sizeof(server_random) - 4);
472
473 now = time(NULL);
474 memcpy(server_random, &now, sizeof(now));
475
476 sess = client_session();
477 if (!TEST_ptr(sess))
478 goto end;
479
480 handshake_md = EVP_MD_CTX_new();
481 if (!TEST_ptr(handshake_md)
482 || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
483 NULL)))
484 goto end;
485
486 ctx = SSL_CTX_new(DTLS_client_method());
487 if (!TEST_ptr(ctx)
488 || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
489 || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
490 || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
491 goto end;
492
493 con = SSL_new(ctx);
494 if (!TEST_ptr(con)
495 || !TEST_true(SSL_set_session(con, sess)))
496 goto end;
497 SSL_SESSION_free(sess);
498
499 rbio = BIO_new(BIO_s_mem());
500 wbio = BIO_new(BIO_s_mem());
501
502 if (!TEST_ptr(rbio)
503 || !TEST_ptr(wbio))
504 goto end;
505
506 SSL_set_bio(con, rbio, wbio);
507
508 if (!TEST_true(BIO_up_ref(rbio))) {
509 /*
510 * We can't up-ref but we assigned ownership to con, so we shouldn't
511 * free in the "end" block
512 */
513 rbio = wbio = NULL;
514 goto end;
515 }
516
517 if (!TEST_true(BIO_up_ref(wbio))) {
518 wbio = NULL;
519 goto end;
520 }
521
522 SSL_set_connect_state(con);
523
524 /* Send initial ClientHello */
525 ret = SSL_do_handshake(con);
526 if (!TEST_int_le(ret, 0)
527 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
528 || !TEST_int_eq(validate_client_hello(wbio), 1)
529 || !TEST_true(send_hello_verify(rbio)))
530 goto end;
531
532 ret = SSL_do_handshake(con);
533 if (!TEST_int_le(ret, 0)
534 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
535 || !TEST_int_eq(validate_client_hello(wbio), 2)
536 || !TEST_true(send_server_hello(rbio)))
537 goto end;
538
539 ret = SSL_do_handshake(con);
540 if (!TEST_int_le(ret, 0)
541 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
542 || !TEST_true(send_finished(con, rbio)))
543 goto end;
544
545 ret = SSL_do_handshake(con);
546 if (!TEST_int_gt(ret, 0)
547 || !TEST_true(validate_ccs(wbio)))
548 goto end;
549
550 /* While we're here and crafting packets by hand, we might as well do a
551 bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
552 specific but useful anyway for the general case. It's been broken
553 before, and in fact was broken even for a basic 0, 2, 1 test case
554 when this test was first added.... */
555 for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
556 uint64_t recv_buf[2];
557
558 if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
559 &tests[i].seq, sizeof(uint64_t)))) {
560 TEST_error("Failed to send data seq #0x%x%08x (%d)\n",
561 (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
562 goto end;
563 }
564
565 if (tests[i].drop)
566 continue;
567
568 ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
569 if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
570 TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n",
571 (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
572 goto end;
573 }
574 if (!TEST_true(recv_buf[0] == tests[i].seq))
575 goto end;
576 }
577
578 /* The last test cannot be DROP() */
579 if (!TEST_false(tests[i-1].drop))
580 goto end;
581
582 testresult = 1;
583
584 end:
585 BIO_free(rbio);
586 BIO_free(wbio);
587 SSL_free(con);
588 SSL_CTX_free(ctx);
589 EVP_MD_CTX_free(handshake_md);
590
591 return testresult;
592 }
593
594 int setup_tests(void)
595 {
596 ADD_TEST(test_bad_dtls);
597 return 1;
598 }
A mirror of the official openssl repository