bad_dtls_test.c 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607
  1. /*
  2. * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. /*
  10. * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
  11. * AnyConnect VPN protocol.
  12. *
  13. * This is designed to exercise the code paths in
  14. * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
  15. * which have frequently been affected by regressions in DTLS1_BAD_VER
  16. * support.
  17. *
  18. * Note that unlike other SSL tests, we don't test against our own SSL
  19. * server method. Firstly because we don't have one; we *only* support
  20. * DTLS1_BAD_VER as a client. And secondly because even if that were
  21. * fixed up it's the wrong thing to test against - because if changes
  22. * are made in generic DTLS code which don't take DTLS1_BAD_VER into
  23. * account, there's plenty of scope for making those changes such that
  24. * they break *both* the client and the server in the same way.
  25. *
  26. * So we handle the server side manually. In a session resume there isn't
  27. * much to be done anyway.
  28. */
  29. #include <string.h>
  30. #include <openssl/core_names.h>
  31. #include <openssl/params.h>
  32. #include <openssl/opensslconf.h>
  33. #include <openssl/bio.h>
  34. #include <openssl/crypto.h>
  35. #include <openssl/evp.h>
  36. #include <openssl/ssl.h>
  37. #include <openssl/err.h>
  38. #include <openssl/rand.h>
  39. #include <openssl/kdf.h>
  40. #include "internal/packet.h"
  41. #include "internal/nelem.h"
  42. #include "testutil.h"
  43. /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
  44. #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
  45. static unsigned char client_random[SSL3_RANDOM_SIZE];
  46. static unsigned char server_random[SSL3_RANDOM_SIZE];
  47. /* These are all generated locally, sized purely according to our own whim */
  48. static unsigned char session_id[32];
  49. static unsigned char master_secret[48];
  50. static unsigned char cookie[20];
  51. /* We've hard-coded the cipher suite; we know it's 104 bytes */
  52. static unsigned char key_block[104];
  53. #define mac_key (key_block + 20)
  54. #define dec_key (key_block + 40)
  55. #define enc_key (key_block + 56)
  56. static EVP_MD_CTX *handshake_md;
  57. static int do_PRF(const void *seed1, int seed1_len,
  58. const void *seed2, int seed2_len,
  59. const void *seed3, int seed3_len,
  60. unsigned char *out, int olen)
  61. {
  62. EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
  63. size_t outlen = olen;
  64. /* No error handling. If it all screws up, the test will fail anyway */
  65. EVP_PKEY_derive_init(pctx);
  66. EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
  67. EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
  68. EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
  69. EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
  70. EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
  71. EVP_PKEY_derive(pctx, out, &outlen);
  72. EVP_PKEY_CTX_free(pctx);
  73. return 1;
  74. }
  75. static SSL_SESSION *client_session(void)
  76. {
  77. static unsigned char session_asn1[] = {
  78. 0x30, 0x5F, /* SEQUENCE, length 0x5F */
  79. 0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */
  80. 0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */
  81. 0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */
  82. 0x04, 0x20, /* OCTET_STRING, session id */
  83. #define SS_SESSID_OFS 15 /* Session ID goes here */
  84. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  85. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  86. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  87. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  88. 0x04, 0x30, /* OCTET_STRING, master secret */
  89. #define SS_SECRET_OFS 49 /* Master secret goes here */
  90. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  91. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  92. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  93. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  94. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  95. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  96. };
  97. const unsigned char *p = session_asn1;
  98. /* Copy the randomly-generated fields into the above ASN1 */
  99. memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
  100. memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
  101. return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
  102. }
  103. /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
  104. static int validate_client_hello(BIO *wbio)
  105. {
  106. PACKET pkt, pkt2;
  107. long len;
  108. unsigned char *data;
  109. int cookie_found = 0;
  110. unsigned int u = 0;
  111. if ((len = BIO_get_mem_data(wbio, (char **)&data)) < 0)
  112. return 0;
  113. if (!PACKET_buf_init(&pkt, data, len))
  114. return 0;
  115. /* Check record header type */
  116. if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
  117. return 0;
  118. /* Version */
  119. if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
  120. return 0;
  121. /* Skip the rest of the record header */
  122. if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
  123. return 0;
  124. /* Check it's a ClientHello */
  125. if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
  126. return 0;
  127. /* Skip the rest of the handshake message header */
  128. if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
  129. return 0;
  130. /* Check client version */
  131. if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
  132. return 0;
  133. /* Store random */
  134. if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
  135. return 0;
  136. /* Check session id length and content */
  137. if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
  138. !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
  139. return 0;
  140. /* Check cookie */
  141. if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
  142. return 0;
  143. if (PACKET_remaining(&pkt2)) {
  144. if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
  145. return 0;
  146. cookie_found = 1;
  147. }
  148. /* Skip ciphers */
  149. if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
  150. return 0;
  151. /* Skip compression */
  152. if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
  153. return 0;
  154. /* Skip extensions */
  155. if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
  156. return 0;
  157. /* Now we are at the end */
  158. if (PACKET_remaining(&pkt))
  159. return 0;
  160. /* Update handshake MAC for second ClientHello (with cookie) */
  161. if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
  162. len - MAC_OFFSET))
  163. return 0;
  164. (void)BIO_reset(wbio);
  165. return 1 + cookie_found;
  166. }
  167. static int send_hello_verify(BIO *rbio)
  168. {
  169. static unsigned char hello_verify[] = {
  170. 0x16, /* Handshake */
  171. 0x01, 0x00, /* DTLS1_BAD_VER */
  172. 0x00, 0x00, /* Epoch 0 */
  173. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
  174. 0x00, 0x23, /* Length */
  175. 0x03, /* Hello Verify */
  176. 0x00, 0x00, 0x17, /* Length */
  177. 0x00, 0x00, /* Seq# 0 */
  178. 0x00, 0x00, 0x00, /* Fragment offset */
  179. 0x00, 0x00, 0x17, /* Fragment length */
  180. 0x01, 0x00, /* DTLS1_BAD_VER */
  181. 0x14, /* Cookie length */
  182. #define HV_COOKIE_OFS 28 /* Cookie goes here */
  183. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  184. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  185. 0x00, 0x00, 0x00, 0x00,
  186. };
  187. memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
  188. BIO_write(rbio, hello_verify, sizeof(hello_verify));
  189. return 1;
  190. }
  191. static int send_server_hello(BIO *rbio)
  192. {
  193. static unsigned char server_hello[] = {
  194. 0x16, /* Handshake */
  195. 0x01, 0x00, /* DTLS1_BAD_VER */
  196. 0x00, 0x00, /* Epoch 0 */
  197. 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
  198. 0x00, 0x52, /* Length */
  199. 0x02, /* Server Hello */
  200. 0x00, 0x00, 0x46, /* Length */
  201. 0x00, 0x01, /* Seq# */
  202. 0x00, 0x00, 0x00, /* Fragment offset */
  203. 0x00, 0x00, 0x46, /* Fragment length */
  204. 0x01, 0x00, /* DTLS1_BAD_VER */
  205. #define SH_RANDOM_OFS 27 /* Server random goes here */
  206. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  207. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  208. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  209. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  210. 0x20, /* Session ID length */
  211. #define SH_SESSID_OFS 60 /* Session ID goes here */
  212. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  213. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  214. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  215. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  216. 0x00, 0x2f, /* Cipher suite AES128-SHA */
  217. 0x00, /* Compression null */
  218. };
  219. static unsigned char change_cipher_spec[] = {
  220. 0x14, /* Change Cipher Spec */
  221. 0x01, 0x00, /* DTLS1_BAD_VER */
  222. 0x00, 0x00, /* Epoch 0 */
  223. 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
  224. 0x00, 0x03, /* Length */
  225. 0x01, 0x00, 0x02, /* Message */
  226. };
  227. memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
  228. memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
  229. if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
  230. sizeof(server_hello) - MAC_OFFSET))
  231. return 0;
  232. BIO_write(rbio, server_hello, sizeof(server_hello));
  233. BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
  234. return 1;
  235. }
  236. /* Create header, HMAC, pad, encrypt and send a record */
  237. static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
  238. const void *msg, size_t len)
  239. {
  240. /* Note that the order of the record header fields on the wire,
  241. * and in the HMAC, is different. So we just keep them in separate
  242. * variables and handle them individually. */
  243. static unsigned char epoch[2] = { 0x00, 0x01 };
  244. static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  245. static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
  246. unsigned char lenbytes[2];
  247. EVP_MAC *hmac = NULL;
  248. EVP_MAC_CTX *ctx = NULL;
  249. EVP_CIPHER_CTX *enc_ctx = NULL;
  250. unsigned char iv[16];
  251. unsigned char pad;
  252. unsigned char *enc;
  253. OSSL_PARAM params[2];
  254. int ret = 0;
  255. seq[0] = (seqnr >> 40) & 0xff;
  256. seq[1] = (seqnr >> 32) & 0xff;
  257. seq[2] = (seqnr >> 24) & 0xff;
  258. seq[3] = (seqnr >> 16) & 0xff;
  259. seq[4] = (seqnr >> 8) & 0xff;
  260. seq[5] = seqnr & 0xff;
  261. pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
  262. enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
  263. if (enc == NULL)
  264. return 0;
  265. /* Copy record to encryption buffer */
  266. memcpy(enc, msg, len);
  267. /* Append HMAC to data */
  268. if (!TEST_ptr(hmac = EVP_MAC_fetch(NULL, "HMAC", NULL))
  269. || !TEST_ptr(ctx = EVP_MAC_CTX_new(hmac)))
  270. goto end;
  271. params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
  272. "SHA1", 0);
  273. params[1] = OSSL_PARAM_construct_end();
  274. lenbytes[0] = (unsigned char)(len >> 8);
  275. lenbytes[1] = (unsigned char)(len);
  276. if (!EVP_MAC_init(ctx, mac_key, 20, params)
  277. || !EVP_MAC_update(ctx, epoch, 2)
  278. || !EVP_MAC_update(ctx, seq, 6)
  279. || !EVP_MAC_update(ctx, &type, 1)
  280. || !EVP_MAC_update(ctx, ver, 2) /* Version */
  281. || !EVP_MAC_update(ctx, lenbytes, 2) /* Length */
  282. || !EVP_MAC_update(ctx, enc, len) /* Finally the data itself */
  283. || !EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH))
  284. goto end;
  285. /* Append padding bytes */
  286. len += SHA_DIGEST_LENGTH;
  287. do {
  288. enc[len++] = pad;
  289. } while (len % 16);
  290. /* Generate IV, and encrypt */
  291. if (!TEST_true(RAND_bytes(iv, sizeof(iv)))
  292. || !TEST_ptr(enc_ctx = EVP_CIPHER_CTX_new())
  293. || !TEST_true(EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL,
  294. enc_key, iv, 1))
  295. || !TEST_int_ge(EVP_Cipher(enc_ctx, enc, enc, len), 0))
  296. goto end;
  297. /* Finally write header (from fragmented variables), IV and encrypted record */
  298. BIO_write(rbio, &type, 1);
  299. BIO_write(rbio, ver, 2);
  300. BIO_write(rbio, epoch, 2);
  301. BIO_write(rbio, seq, 6);
  302. lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
  303. lenbytes[1] = (unsigned char)(len + sizeof(iv));
  304. BIO_write(rbio, lenbytes, 2);
  305. BIO_write(rbio, iv, sizeof(iv));
  306. BIO_write(rbio, enc, len);
  307. ret = 1;
  308. end:
  309. EVP_MAC_free(hmac);
  310. EVP_MAC_CTX_free(ctx);
  311. EVP_CIPHER_CTX_free(enc_ctx);
  312. OPENSSL_free(enc);
  313. return ret;
  314. }
  315. static int send_finished(SSL *s, BIO *rbio)
  316. {
  317. static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
  318. TLS1_FINISH_MAC_LENGTH] = {
  319. 0x14, /* Finished */
  320. 0x00, 0x00, 0x0c, /* Length */
  321. 0x00, 0x03, /* Seq# 3 */
  322. 0x00, 0x00, 0x00, /* Fragment offset */
  323. 0x00, 0x00, 0x0c, /* Fragment length */
  324. /* Finished MAC (12 bytes) */
  325. };
  326. unsigned char handshake_hash[EVP_MAX_MD_SIZE];
  327. /* Derive key material */
  328. do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
  329. server_random, SSL3_RANDOM_SIZE,
  330. client_random, SSL3_RANDOM_SIZE,
  331. key_block, sizeof(key_block));
  332. /* Generate Finished MAC */
  333. if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
  334. return 0;
  335. do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
  336. handshake_hash, EVP_MD_CTX_get_size(handshake_md),
  337. NULL, 0,
  338. finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
  339. return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
  340. finished_msg, sizeof(finished_msg));
  341. }
  342. static int validate_ccs(BIO *wbio)
  343. {
  344. PACKET pkt;
  345. long len;
  346. unsigned char *data;
  347. unsigned int u;
  348. len = BIO_get_mem_data(wbio, (char **)&data);
  349. if (len < 0)
  350. return 0;
  351. if (!PACKET_buf_init(&pkt, data, len))
  352. return 0;
  353. /* Check record header type */
  354. if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
  355. return 0;
  356. /* Version */
  357. if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
  358. return 0;
  359. /* Skip the rest of the record header */
  360. if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
  361. return 0;
  362. /* Check ChangeCipherSpec message */
  363. if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
  364. return 0;
  365. /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
  366. * handshake sequence number (which is 2 here) */
  367. if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
  368. return 0;
  369. /* Now check the Finished packet */
  370. if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
  371. return 0;
  372. if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
  373. return 0;
  374. /* Check epoch is now 1 */
  375. if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
  376. return 0;
  377. /* That'll do for now. If OpenSSL accepted *our* Finished packet
  378. * then it's evidently remembered that DTLS1_BAD_VER doesn't
  379. * include the handshake header in the MAC. There's not a lot of
  380. * point in implementing decryption here, just to check that it
  381. * continues to get it right for one more packet. */
  382. return 1;
  383. }
  384. #define NODROP(x) { x##UL, 0 }
  385. #define DROP(x) { x##UL, 1 }
  386. static struct {
  387. uint64_t seq;
  388. int drop;
  389. } tests[] = {
  390. NODROP(1), NODROP(3), NODROP(2),
  391. NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
  392. NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
  393. DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
  394. NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
  395. NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
  396. NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
  397. NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
  398. NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
  399. /* The last test should be NODROP, because a DROP wouldn't get tested. */
  400. };
  401. static int test_bad_dtls(void)
  402. {
  403. SSL_SESSION *sess = NULL;
  404. SSL_CTX *ctx = NULL;
  405. SSL *con = NULL;
  406. BIO *rbio = NULL;
  407. BIO *wbio = NULL;
  408. time_t now = 0;
  409. int testresult = 0;
  410. int ret;
  411. int i;
  412. RAND_bytes(session_id, sizeof(session_id));
  413. RAND_bytes(master_secret, sizeof(master_secret));
  414. RAND_bytes(cookie, sizeof(cookie));
  415. RAND_bytes(server_random + 4, sizeof(server_random) - 4);
  416. now = time(NULL);
  417. memcpy(server_random, &now, sizeof(now));
  418. sess = client_session();
  419. if (!TEST_ptr(sess))
  420. goto end;
  421. handshake_md = EVP_MD_CTX_new();
  422. if (!TEST_ptr(handshake_md)
  423. || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
  424. NULL)))
  425. goto end;
  426. ctx = SSL_CTX_new(DTLS_client_method());
  427. if (!TEST_ptr(ctx)
  428. || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
  429. || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
  430. || !TEST_true(SSL_CTX_set_options(ctx,
  431. SSL_OP_LEGACY_SERVER_CONNECT))
  432. || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
  433. goto end;
  434. con = SSL_new(ctx);
  435. if (!TEST_ptr(con)
  436. || !TEST_true(SSL_set_session(con, sess)))
  437. goto end;
  438. SSL_SESSION_free(sess);
  439. rbio = BIO_new(BIO_s_mem());
  440. wbio = BIO_new(BIO_s_mem());
  441. if (!TEST_ptr(rbio)
  442. || !TEST_ptr(wbio))
  443. goto end;
  444. SSL_set_bio(con, rbio, wbio);
  445. if (!TEST_true(BIO_up_ref(rbio))) {
  446. /*
  447. * We can't up-ref but we assigned ownership to con, so we shouldn't
  448. * free in the "end" block
  449. */
  450. rbio = wbio = NULL;
  451. goto end;
  452. }
  453. if (!TEST_true(BIO_up_ref(wbio))) {
  454. wbio = NULL;
  455. goto end;
  456. }
  457. SSL_set_connect_state(con);
  458. /* Send initial ClientHello */
  459. ret = SSL_do_handshake(con);
  460. if (!TEST_int_le(ret, 0)
  461. || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
  462. || !TEST_int_eq(validate_client_hello(wbio), 1)
  463. || !TEST_true(send_hello_verify(rbio)))
  464. goto end;
  465. ret = SSL_do_handshake(con);
  466. if (!TEST_int_le(ret, 0)
  467. || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
  468. || !TEST_int_eq(validate_client_hello(wbio), 2)
  469. || !TEST_true(send_server_hello(rbio)))
  470. goto end;
  471. ret = SSL_do_handshake(con);
  472. if (!TEST_int_le(ret, 0)
  473. || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
  474. || !TEST_true(send_finished(con, rbio)))
  475. goto end;
  476. ret = SSL_do_handshake(con);
  477. if (!TEST_int_gt(ret, 0)
  478. || !TEST_true(validate_ccs(wbio)))
  479. goto end;
  480. /* While we're here and crafting packets by hand, we might as well do a
  481. bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
  482. specific but useful anyway for the general case. It's been broken
  483. before, and in fact was broken even for a basic 0, 2, 1 test case
  484. when this test was first added.... */
  485. for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
  486. uint64_t recv_buf[2];
  487. if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
  488. &tests[i].seq, sizeof(uint64_t)))) {
  489. TEST_error("Failed to send data seq #0x%x%08x (%d)\n",
  490. (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
  491. goto end;
  492. }
  493. if (tests[i].drop)
  494. continue;
  495. ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
  496. if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
  497. TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n",
  498. (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
  499. goto end;
  500. }
  501. if (!TEST_true(recv_buf[0] == tests[i].seq))
  502. goto end;
  503. }
  504. /* The last test cannot be DROP() */
  505. if (!TEST_false(tests[i-1].drop))
  506. goto end;
  507. testresult = 1;
  508. end:
  509. BIO_free(rbio);
  510. BIO_free(wbio);
  511. SSL_free(con);
  512. SSL_CTX_free(ctx);
  513. EVP_MD_CTX_free(handshake_md);
  514. return testresult;
  515. }
  516. int setup_tests(void)
  517. {
  518. ADD_TEST(test_bad_dtls);
  519. return 1;
  520. }