1 /* 2 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Unit test for Cisco DTLS1_BAD_VER session resume, as used by 12 * AnyConnect VPN protocol. 13 * 14 * This is designed to exercise the code paths in 15 * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c 16 * which have frequently been affected by regressions in DTLS1_BAD_VER 17 * support. 18 * 19 * Note that unlike other SSL tests, we don't test against our own SSL 20 * server method. Firstly because we don't have one; we *only* support 21 * DTLS1_BAD_VER as a client. And secondly because even if that were 22 * fixed up it's the wrong thing to test against - because if changes 23 * are made in generic DTLS code which don't take DTLS1_BAD_VER into 24 * account, there's plenty of scope for making those changes such that 25 * they break *both* the client and the server in the same way. 26 * 27 * So we handle the server side manually. In a session resume there isn't 28 * much to be done anyway. 29 */ 30 #include <string.h> 31 32 #include <openssl/core_names.h> 33 #include <openssl/params.h> 34 #include <openssl/opensslconf.h> 35 #include <openssl/bio.h> 36 #include <openssl/crypto.h> 37 #include <openssl/evp.h> 38 #include <openssl/ssl.h> 39 #include <openssl/err.h> 40 #include <openssl/rand.h> 41 #include <openssl/kdf.h> 42 #include "internal/packet.h" 43 #include "internal/nelem.h" 44 #include "testutil.h" 45 46 /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */ 47 #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) 48 49 static unsigned char client_random[SSL3_RANDOM_SIZE]; 50 static unsigned char server_random[SSL3_RANDOM_SIZE]; 51 52 /* These are all generated locally, sized purely according to our own whim */ 53 static unsigned char session_id[32]; 54 static unsigned char master_secret[48]; 55 static unsigned char cookie[20]; 56 57 /* We've hard-coded the cipher suite; we know it's 104 bytes */ 58 static unsigned char key_block[104]; 59 #define mac_key (key_block + 20) 60 #define dec_key (key_block + 40) 61 #define enc_key (key_block + 56) 62 63 static EVP_MD_CTX *handshake_md; 64 65 static int do_PRF(const void *seed1, int seed1_len, 66 const void *seed2, int seed2_len, 67 const void *seed3, int seed3_len, 68 unsigned char *out, int olen) 69 { 70 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); 71 size_t outlen = olen; 72 73 /* No error handling. If it all screws up, the test will fail anyway */ 74 EVP_PKEY_derive_init(pctx); 75 EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1()); 76 EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret)); 77 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len); 78 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len); 79 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len); 80 EVP_PKEY_derive(pctx, out, &outlen); 81 EVP_PKEY_CTX_free(pctx); 82 return 1; 83 } 84 85 static SSL_SESSION *client_session(void) 86 { 87 static unsigned char session_asn1[] = { 88 0x30, 89 0x5F, /* SEQUENCE, length 0x5F */ 90 0x02, 91 0x01, 92 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */ 93 0x02, 94 0x02, 95 0x01, 96 0x00, /* INTEGER, DTLS1_BAD_VER */ 97 0x04, 98 0x02, 99 0x00, 100 0x2F, /* OCTET_STRING, AES128-SHA */ 101 0x04, 102 0x20, /* OCTET_STRING, session id */ 103 #define SS_SESSID_OFS 15 /* Session ID goes here */ 104 0x00, 105 0x00, 106 0x00, 107 0x00, 108 0x00, 109 0x00, 110 0x00, 111 0x00, 112 0x00, 113 0x00, 114 0x00, 115 0x00, 116 0x00, 117 0x00, 118 0x00, 119 0x00, 120 0x00, 121 0x00, 122 0x00, 123 0x00, 124 0x00, 125 0x00, 126 0x00, 127 0x00, 128 0x00, 129 0x00, 130 0x00, 131 0x00, 132 0x00, 133 0x00, 134 0x00, 135 0x00, 136 0x04, 137 0x30, /* OCTET_STRING, master secret */ 138 #define SS_SECRET_OFS 49 /* Master secret goes here */ 139 0x00, 140 0x00, 141 0x00, 142 0x00, 143 0x00, 144 0x00, 145 0x00, 146 0x00, 147 0x00, 148 0x00, 149 0x00, 150 0x00, 151 0x00, 152 0x00, 153 0x00, 154 0x00, 155 0x00, 156 0x00, 157 0x00, 158 0x00, 159 0x00, 160 0x00, 161 0x00, 162 0x00, 163 0x00, 164 0x00, 165 0x00, 166 0x00, 167 0x00, 168 0x00, 169 0x00, 170 0x00, 171 0x00, 172 0x00, 173 0x00, 174 0x00, 175 0x00, 176 0x00, 177 0x00, 178 0x00, 179 0x00, 180 0x00, 181 0x00, 182 0x00, 183 0x00, 184 0x00, 185 0x00, 186 0x00, 187 }; 188 const unsigned char *p = session_asn1; 189 190 /* Copy the randomly-generated fields into the above ASN1 */ 191 memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id)); 192 memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret)); 193 194 return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1)); 195 } 196 197 /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */ 198 static int validate_client_hello(BIO *wbio) 199 { 200 PACKET pkt, pkt2; 201 long len; 202 unsigned char *data; 203 int cookie_found = 0; 204 unsigned int u = 0; 205 206 if ((len = BIO_get_mem_data(wbio, (char **)&data)) < 0) 207 return 0; 208 if (!PACKET_buf_init(&pkt, data, len)) 209 return 0; 210 211 /* Check record header type */ 212 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) 213 return 0; 214 /* Version */ 215 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) 216 return 0; 217 /* Skip the rest of the record header */ 218 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) 219 return 0; 220 221 /* Check it's a ClientHello */ 222 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO) 223 return 0; 224 /* Skip the rest of the handshake message header */ 225 if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1)) 226 return 0; 227 228 /* Check client version */ 229 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) 230 return 0; 231 232 /* Store random */ 233 if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE)) 234 return 0; 235 236 /* Check session id length and content */ 237 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) || !PACKET_equal(&pkt2, session_id, sizeof(session_id))) 238 return 0; 239 240 /* Check cookie */ 241 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2)) 242 return 0; 243 if (PACKET_remaining(&pkt2)) { 244 if (!PACKET_equal(&pkt2, cookie, sizeof(cookie))) 245 return 0; 246 cookie_found = 1; 247 } 248 249 /* Skip ciphers */ 250 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) 251 return 0; 252 253 /* Skip compression */ 254 if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u)) 255 return 0; 256 257 /* Skip extensions */ 258 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u)) 259 return 0; 260 261 /* Now we are at the end */ 262 if (PACKET_remaining(&pkt)) 263 return 0; 264 265 /* Update handshake MAC for second ClientHello (with cookie) */ 266 if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET, len - MAC_OFFSET)) 267 return 0; 268 269 (void)BIO_reset(wbio); 270 271 return 1 + cookie_found; 272 } 273 274 static int send_hello_verify(BIO *rbio) 275 { 276 static unsigned char hello_verify[] = { 277 0x16, /* Handshake */ 278 0x01, 279 0x00, /* DTLS1_BAD_VER */ 280 0x00, 281 0x00, /* Epoch 0 */ 282 0x00, 283 0x00, 284 0x00, 285 0x00, 286 0x00, 287 0x00, /* Seq# 0 */ 288 0x00, 289 0x23, /* Length */ 290 0x03, /* Hello Verify */ 291 0x00, 292 0x00, 293 0x17, /* Length */ 294 0x00, 295 0x00, /* Seq# 0 */ 296 0x00, 297 0x00, 298 0x00, /* Fragment offset */ 299 0x00, 300 0x00, 301 0x17, /* Fragment length */ 302 0x01, 303 0x00, /* DTLS1_BAD_VER */ 304 0x14, /* Cookie length */ 305 #define HV_COOKIE_OFS 28 /* Cookie goes here */ 306 0x00, 307 0x00, 308 0x00, 309 0x00, 310 0x00, 311 0x00, 312 0x00, 313 0x00, 314 0x00, 315 0x00, 316 0x00, 317 0x00, 318 0x00, 319 0x00, 320 0x00, 321 0x00, 322 0x00, 323 0x00, 324 0x00, 325 0x00, 326 }; 327 328 memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie)); 329 330 BIO_write(rbio, hello_verify, sizeof(hello_verify)); 331 332 return 1; 333 } 334 335 static int send_server_hello(BIO *rbio) 336 { 337 static unsigned char server_hello[] = { 338 0x16, /* Handshake */ 339 0x01, 340 0x00, /* DTLS1_BAD_VER */ 341 0x00, 342 0x00, /* Epoch 0 */ 343 0x00, 344 0x00, 345 0x00, 346 0x00, 347 0x00, 348 0x01, /* Seq# 1 */ 349 0x00, 350 0x52, /* Length */ 351 0x02, /* Server Hello */ 352 0x00, 353 0x00, 354 0x46, /* Length */ 355 0x00, 356 0x01, /* Seq# */ 357 0x00, 358 0x00, 359 0x00, /* Fragment offset */ 360 0x00, 361 0x00, 362 0x46, /* Fragment length */ 363 0x01, 364 0x00, /* DTLS1_BAD_VER */ 365 #define SH_RANDOM_OFS 27 /* Server random goes here */ 366 0x00, 367 0x00, 368 0x00, 369 0x00, 370 0x00, 371 0x00, 372 0x00, 373 0x00, 374 0x00, 375 0x00, 376 0x00, 377 0x00, 378 0x00, 379 0x00, 380 0x00, 381 0x00, 382 0x00, 383 0x00, 384 0x00, 385 0x00, 386 0x00, 387 0x00, 388 0x00, 389 0x00, 390 0x00, 391 0x00, 392 0x00, 393 0x00, 394 0x00, 395 0x00, 396 0x00, 397 0x00, 398 0x20, /* Session ID length */ 399 #define SH_SESSID_OFS 60 /* Session ID goes here */ 400 0x00, 401 0x00, 402 0x00, 403 0x00, 404 0x00, 405 0x00, 406 0x00, 407 0x00, 408 0x00, 409 0x00, 410 0x00, 411 0x00, 412 0x00, 413 0x00, 414 0x00, 415 0x00, 416 0x00, 417 0x00, 418 0x00, 419 0x00, 420 0x00, 421 0x00, 422 0x00, 423 0x00, 424 0x00, 425 0x00, 426 0x00, 427 0x00, 428 0x00, 429 0x00, 430 0x00, 431 0x00, 432 0x00, 433 0x2f, /* Cipher suite AES128-SHA */ 434 0x00, /* Compression null */ 435 }; 436 static unsigned char change_cipher_spec[] = { 437 0x14, /* Change Cipher Spec */ 438 0x01, 439 0x00, /* DTLS1_BAD_VER */ 440 0x00, 441 0x00, /* Epoch 0 */ 442 0x00, 443 0x00, 444 0x00, 445 0x00, 446 0x00, 447 0x02, /* Seq# 2 */ 448 0x00, 449 0x03, /* Length */ 450 0x01, 451 0x00, 452 0x02, /* Message */ 453 }; 454 455 memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random)); 456 memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id)); 457 458 if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET, 459 sizeof(server_hello) - MAC_OFFSET)) 460 return 0; 461 462 BIO_write(rbio, server_hello, sizeof(server_hello)); 463 BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec)); 464 465 return 1; 466 } 467 468 /* Create header, HMAC, pad, encrypt and send a record */ 469 static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr, 470 const void *msg, size_t len) 471 { 472 /* Note that the order of the record header fields on the wire, 473 * and in the HMAC, is different. So we just keep them in separate 474 * variables and handle them individually. */ 475 static unsigned char epoch[2] = { 0x00, 0x01 }; 476 static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 477 static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */ 478 unsigned char lenbytes[2]; 479 EVP_MAC *hmac = NULL; 480 EVP_MAC_CTX *ctx = NULL; 481 EVP_CIPHER_CTX *enc_ctx = NULL; 482 unsigned char iv[16]; 483 unsigned char pad; 484 unsigned char *enc; 485 OSSL_PARAM params[2]; 486 int ret = 0; 487 488 seq[0] = (seqnr >> 40) & 0xff; 489 seq[1] = (seqnr >> 32) & 0xff; 490 seq[2] = (seqnr >> 24) & 0xff; 491 seq[3] = (seqnr >> 16) & 0xff; 492 seq[4] = (seqnr >> 8) & 0xff; 493 seq[5] = seqnr & 0xff; 494 495 pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16); 496 enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad); 497 if (enc == NULL) 498 return 0; 499 500 /* Copy record to encryption buffer */ 501 memcpy(enc, msg, len); 502 503 /* Append HMAC to data */ 504 if (!TEST_ptr(hmac = EVP_MAC_fetch(NULL, "HMAC", NULL)) 505 || !TEST_ptr(ctx = EVP_MAC_CTX_new(hmac))) 506 goto end; 507 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, 508 "SHA1", 0); 509 params[1] = OSSL_PARAM_construct_end(); 510 lenbytes[0] = (unsigned char)(len >> 8); 511 lenbytes[1] = (unsigned char)(len); 512 if (!EVP_MAC_init(ctx, mac_key, 20, params) 513 || !EVP_MAC_update(ctx, epoch, 2) 514 || !EVP_MAC_update(ctx, seq, 6) 515 || !EVP_MAC_update(ctx, &type, 1) 516 || !EVP_MAC_update(ctx, ver, 2) /* Version */ 517 || !EVP_MAC_update(ctx, lenbytes, 2) /* Length */ 518 || !EVP_MAC_update(ctx, enc, len) /* Finally the data itself */ 519 || !EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH)) 520 goto end; 521 522 /* Append padding bytes */ 523 len += SHA_DIGEST_LENGTH; 524 do { 525 enc[len++] = pad; 526 } while (len % 16); 527 528 /* Generate IV, and encrypt */ 529 if (!TEST_int_gt(RAND_bytes(iv, sizeof(iv)), 0) 530 || !TEST_ptr(enc_ctx = EVP_CIPHER_CTX_new()) 531 || !TEST_true(EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, 532 enc_key, iv, 1)) 533 || !TEST_int_ge(EVP_Cipher(enc_ctx, enc, enc, len), 0)) 534 goto end; 535 536 /* Finally write header (from fragmented variables), IV and encrypted record */ 537 BIO_write(rbio, &type, 1); 538 BIO_write(rbio, ver, 2); 539 BIO_write(rbio, epoch, 2); 540 BIO_write(rbio, seq, 6); 541 lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8); 542 lenbytes[1] = (unsigned char)(len + sizeof(iv)); 543 BIO_write(rbio, lenbytes, 2); 544 545 BIO_write(rbio, iv, sizeof(iv)); 546 BIO_write(rbio, enc, len); 547 ret = 1; 548 end: 549 EVP_MAC_free(hmac); 550 EVP_MAC_CTX_free(ctx); 551 EVP_CIPHER_CTX_free(enc_ctx); 552 OPENSSL_free(enc); 553 return ret; 554 } 555 556 static int send_finished(SSL *s, BIO *rbio) 557 { 558 static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH + TLS1_FINISH_MAC_LENGTH] = { 559 0x14, /* Finished */ 560 0x00, 561 0x00, 562 0x0c, /* Length */ 563 0x00, 564 0x03, /* Seq# 3 */ 565 0x00, 566 0x00, 567 0x00, /* Fragment offset */ 568 0x00, 569 0x00, 570 0x0c, /* Fragment length */ 571 /* Finished MAC (12 bytes) */ 572 }; 573 unsigned char handshake_hash[EVP_MAX_MD_SIZE]; 574 int md_size; 575 576 /* Derive key material */ 577 do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, 578 server_random, SSL3_RANDOM_SIZE, 579 client_random, SSL3_RANDOM_SIZE, 580 key_block, sizeof(key_block)); 581 582 /* Generate Finished MAC */ 583 if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL)) 584 return 0; 585 586 md_size = EVP_MD_CTX_get_size(handshake_md); 587 if (md_size <= 0) 588 return 0; 589 do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, 590 handshake_hash, md_size, 591 NULL, 0, 592 finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH); 593 594 return send_record(rbio, SSL3_RT_HANDSHAKE, 0, 595 finished_msg, sizeof(finished_msg)); 596 } 597 598 static int validate_ccs(BIO *wbio) 599 { 600 PACKET pkt; 601 long len; 602 unsigned char *data; 603 unsigned int u; 604 605 len = BIO_get_mem_data(wbio, (char **)&data); 606 if (len < 0) 607 return 0; 608 609 if (!PACKET_buf_init(&pkt, data, len)) 610 return 0; 611 612 /* Check record header type */ 613 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC) 614 return 0; 615 /* Version */ 616 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) 617 return 0; 618 /* Skip the rest of the record header */ 619 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3)) 620 return 0; 621 622 /* Check ChangeCipherSpec message */ 623 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS) 624 return 0; 625 /* A DTLS1_BAD_VER ChangeCipherSpec also contains the 626 * handshake sequence number (which is 2 here) */ 627 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002) 628 return 0; 629 630 /* Now check the Finished packet */ 631 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) 632 return 0; 633 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER) 634 return 0; 635 636 /* Check epoch is now 1 */ 637 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001) 638 return 0; 639 640 /* That'll do for now. If OpenSSL accepted *our* Finished packet 641 * then it's evidently remembered that DTLS1_BAD_VER doesn't 642 * include the handshake header in the MAC. There's not a lot of 643 * point in implementing decryption here, just to check that it 644 * continues to get it right for one more packet. */ 645 646 return 1; 647 } 648 649 #define NODROP(x) { x##UL, 0 } 650 #define DROP(x) { x##UL, 1 } 651 652 static struct { 653 uint64_t seq; 654 int drop; 655 } tests[] = { 656 NODROP(1), NODROP(3), NODROP(2), 657 NODROP(0x1234), NODROP(0x1230), NODROP(0x1235), 658 NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000), 659 DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1), 660 NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010), 661 NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012), 662 NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001), 663 NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff), 664 NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000) 665 /* The last test should be NODROP, because a DROP wouldn't get tested. */ 666 }; 667 668 static int test_bad_dtls(void) 669 { 670 SSL_SESSION *sess = NULL; 671 SSL_CTX *ctx = NULL; 672 SSL *con = NULL; 673 BIO *rbio = NULL; 674 BIO *wbio = NULL; 675 time_t now = 0; 676 int testresult = 0; 677 int ret; 678 int i; 679 680 RAND_bytes(session_id, sizeof(session_id)); 681 RAND_bytes(master_secret, sizeof(master_secret)); 682 RAND_bytes(cookie, sizeof(cookie)); 683 RAND_bytes(server_random + 4, sizeof(server_random) - 4); 684 685 now = time(NULL); 686 memcpy(server_random, &now, sizeof(now)); 687 688 sess = client_session(); 689 if (!TEST_ptr(sess)) 690 goto end; 691 692 handshake_md = EVP_MD_CTX_new(); 693 if (!TEST_ptr(handshake_md) 694 || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), 695 NULL))) 696 goto end; 697 698 ctx = SSL_CTX_new(DTLS_client_method()); 699 if (!TEST_ptr(ctx) 700 || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) 701 || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) 702 || !TEST_true(SSL_CTX_set_options(ctx, 703 SSL_OP_LEGACY_SERVER_CONNECT)) 704 || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA"))) 705 goto end; 706 707 SSL_CTX_set_security_level(ctx, 0); 708 con = SSL_new(ctx); 709 if (!TEST_ptr(con) 710 || !TEST_true(SSL_set_session(con, sess))) 711 goto end; 712 713 rbio = BIO_new(BIO_s_mem()); 714 wbio = BIO_new(BIO_s_mem()); 715 716 if (!TEST_ptr(rbio) 717 || !TEST_ptr(wbio)) 718 goto end; 719 720 SSL_set_bio(con, rbio, wbio); 721 722 if (!TEST_true(BIO_up_ref(rbio))) { 723 /* 724 * We can't up-ref but we assigned ownership to con, so we shouldn't 725 * free in the "end" block 726 */ 727 rbio = wbio = NULL; 728 goto end; 729 } 730 731 if (!TEST_true(BIO_up_ref(wbio))) { 732 wbio = NULL; 733 goto end; 734 } 735 736 SSL_set_connect_state(con); 737 738 /* Send initial ClientHello */ 739 ret = SSL_do_handshake(con); 740 if (!TEST_int_le(ret, 0) 741 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) 742 || !TEST_int_eq(validate_client_hello(wbio), 1) 743 || !TEST_true(send_hello_verify(rbio))) 744 goto end; 745 746 ret = SSL_do_handshake(con); 747 if (!TEST_int_le(ret, 0) 748 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) 749 || !TEST_int_eq(validate_client_hello(wbio), 2) 750 || !TEST_true(send_server_hello(rbio))) 751 goto end; 752 753 ret = SSL_do_handshake(con); 754 if (!TEST_int_le(ret, 0) 755 || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ) 756 || !TEST_true(send_finished(con, rbio))) 757 goto end; 758 759 ret = SSL_do_handshake(con); 760 if (!TEST_int_gt(ret, 0) 761 || !TEST_true(validate_ccs(wbio))) 762 goto end; 763 764 /* While we're here and crafting packets by hand, we might as well do a 765 bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS 766 specific but useful anyway for the general case. It's been broken 767 before, and in fact was broken even for a basic 0, 2, 1 test case 768 when this test was first added.... */ 769 for (i = 0; i < (int)OSSL_NELEM(tests); i++) { 770 uint64_t recv_buf[2]; 771 772 if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq, 773 &tests[i].seq, sizeof(uint64_t)))) { 774 TEST_error("Failed to send data seq #0x%x%08x (%d)\n", 775 (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); 776 goto end; 777 } 778 779 if (tests[i].drop) 780 continue; 781 782 ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t)); 783 if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) { 784 TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n", 785 (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i); 786 goto end; 787 } 788 if (!TEST_true(recv_buf[0] == tests[i].seq)) 789 goto end; 790 } 791 792 /* The last test cannot be DROP() */ 793 if (!TEST_false(tests[i - 1].drop)) 794 goto end; 795 796 testresult = 1; 797 798 end: 799 SSL_SESSION_free(sess); 800 BIO_free(rbio); 801 BIO_free(wbio); 802 SSL_free(con); 803 SSL_CTX_free(ctx); 804 EVP_MD_CTX_free(handshake_md); 805 806 return testresult; 807 } 808 809 int setup_tests(void) 810 { 811 ADD_TEST(test_bad_dtls); 812 return 1; 813 } 814
Indexes created Sat Feb 28 05:31:39 UTC 2026