QuasarApp/openssl
4
0
Fork 0
mirror of https://github.com/QuasarApp/openssl.git synced 2025-04-29 19:24:37 +00:00
Code Issues Projects Releases Wiki Activity

Convert bad_dtls_test for the new test framework

Browse Source 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3184)
This commit is contained in:
Matt Caswell 2017-04-11 16:26:13 +01:00
parent 429223d198
commit 829b2b8543
2 changed files with 95 additions and 131 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

224
test/bad_dtls_test.c
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
* *
* Licensed under the OpenSSL license (the "License"). You may not use * Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy * this file except in compliance with the License. You can obtain a copy
@ -41,6 +41,9 @@
#include "../ssl/packet_locl.h" #include "../ssl/packet_locl.h"
#include "../e_os.h" /* for OSSL_NELEM() */ #include "../e_os.h" /* for OSSL_NELEM() */
#include "test_main.h"
#include "testutil.h"
/* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */ /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
#define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
@ -182,7 +185,7 @@ static int validate_client_hello(BIO *wbio)
/* Update handshake MAC for second ClientHello (with cookie) */ /* Update handshake MAC for second ClientHello (with cookie) */
if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET, if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
len - MAC_OFFSET)) len - MAC_OFFSET))
printf("EVP_DigestUpdate() failed\n"); return 0;
(void)BIO_reset(wbio); (void)BIO_reset(wbio);
@ -259,7 +262,7 @@ static int send_server_hello(BIO *rbio)
if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET, if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
sizeof(server_hello) - MAC_OFFSET)) sizeof(server_hello) - MAC_OFFSET))
printf("EVP_DigestUpdate() failed\n"); return 0;
BIO_write(rbio, server_hello, sizeof(server_hello)); BIO_write(rbio, server_hello, sizeof(server_hello));
BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec)); BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
@ -268,7 +271,7 @@ static int send_server_hello(BIO *rbio)
} }
/* Create header, HMAC, pad, encrypt and send a record */ /* Create header, HMAC, pad, encrypt and send a record */
static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr, static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
const void *msg, size_t len) const void *msg, size_t len)
{ {
/* Note that the order of the record header fields on the wire, /* Note that the order of the record header fields on the wire,
@ -284,10 +287,8 @@ static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
unsigned char pad; unsigned char pad;
unsigned char *enc; unsigned char *enc;
#ifdef SIXTY_FOUR_BIT_LONG
seq[0] = (seqnr >> 40) & 0xff; seq[0] = (seqnr >> 40) & 0xff;
seq[1] = (seqnr >> 32) & 0xff; seq[1] = (seqnr >> 32) & 0xff;
#endif
seq[2] = (seqnr >> 24) & 0xff; seq[2] = (seqnr >> 24) & 0xff;
seq[3] = (seqnr >> 16) & 0xff; seq[3] = (seqnr >> 16) & 0xff;
seq[4] = (seqnr >> 8) & 0xff; seq[4] = (seqnr >> 8) & 0xff;
@ -365,7 +366,7 @@ static int send_finished(SSL *s, BIO *rbio)
/* Generate Finished MAC */ /* Generate Finished MAC */
if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL)) if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
printf("EVP_DigestFinal_ex() failed\n"); return 0;
do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE, do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
handshake_hash, EVP_MD_CTX_size(handshake_md), handshake_hash, EVP_MD_CTX_size(handshake_md),
@ -428,7 +429,7 @@ static int validate_ccs(BIO *wbio)
#define DROP(x) { x##UL, 1 } #define DROP(x) { x##UL, 1 }
static struct { static struct {
unsigned long seq; uint64_t seq;
int drop; int drop;
} tests[] = { } tests[] = {
NODROP(1), NODROP(3), NODROP(2), NODROP(1), NODROP(3), NODROP(2),
@ -443,24 +444,18 @@ static struct {
/* The last test should be NODROP, because a DROP wouldn't get tested. */ /* The last test should be NODROP, because a DROP wouldn't get tested. */
}; };
int main(int argc, char *argv[]) static int test_bad_dtls(void)
{ {
SSL_SESSION *sess; SSL_SESSION *sess = NULL;
SSL_CTX *ctx; SSL_CTX *ctx = NULL;
SSL *con; SSL *con = NULL;
BIO *rbio; BIO *rbio = NULL;
BIO *wbio; BIO *wbio = NULL;
BIO *err;
time_t now = 0; time_t now = 0;
int testresult = 0; int testresult = 0;
int ret; int ret;
int i; int i;
err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_bytes(session_id, sizeof(session_id)); RAND_bytes(session_id, sizeof(session_id));
RAND_bytes(master_secret, sizeof(master_secret)); RAND_bytes(master_secret, sizeof(master_secret));
RAND_bytes(cookie, sizeof(cookie)); RAND_bytes(cookie, sizeof(cookie));
@ -470,99 +465,78 @@ int main(int argc, char *argv[])
memcpy(server_random, &now, sizeof(now)); memcpy(server_random, &now, sizeof(now));
sess = client_session(); sess = client_session();
if (sess == NULL) { if (!TEST_ptr(sess))
printf("Failed to generate SSL_SESSION\n");
goto end; goto end;
}
handshake_md = EVP_MD_CTX_new(); handshake_md = EVP_MD_CTX_new();
if (handshake_md == NULL || if (!TEST_ptr(handshake_md)
!EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), NULL)) { || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
printf("Failed to initialise handshake_md\n"); NULL)))
goto end; goto end;
}
ctx = SSL_CTX_new(DTLS_client_method()); ctx = SSL_CTX_new(DTLS_client_method());
if (ctx == NULL) { if (!TEST_ptr(ctx)
printf("Failed to allocate SSL_CTX\n"); || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
goto end_md; || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
} || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
if (!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) { goto end;
printf("SSL_CTX_set_min_proto_version() failed\n");
goto end_ctx;
}
if (!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
printf("SSL_CTX_set_max_proto_version() failed\n");
goto end_ctx;
}
if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA")) {
printf("SSL_CTX_set_cipher_list() failed\n");
goto end_ctx;
}
con = SSL_new(ctx); con = SSL_new(ctx);
if (!SSL_set_session(con, sess)) { if (!TEST_ptr(con)
printf("SSL_set_session() failed\n"); || !TEST_true(SSL_set_session(con, sess)))
goto end_con; goto end;
}
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
rbio = BIO_new(BIO_s_mem()); rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem()); wbio = BIO_new(BIO_s_mem());
BIO_set_nbio(rbio, 1); if (!TEST_ptr(rbio)
BIO_set_nbio(wbio, 1); || !TEST_ptr(wbio))
goto end;
SSL_set_bio(con, rbio, wbio); SSL_set_bio(con, rbio, wbio);
if (!TEST_true(BIO_up_ref(rbio))) {
/*
* We can't up-ref but we assigned ownership to con, so we shouldn't
* free in the "end" block
*/
rbio = wbio = NULL;
goto end;
}
if (!TEST_true(BIO_up_ref(wbio))) {
wbio = NULL;
goto end;
}
SSL_set_connect_state(con); SSL_set_connect_state(con);
/* Send initial ClientHello */ /* Send initial ClientHello */
ret = SSL_do_handshake(con); ret = SSL_do_handshake(con);
if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) { if (!TEST_int_le(ret, 0)
printf("Unexpected handshake result at initial call!\n"); || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
goto end_con; || !TEST_int_eq(validate_client_hello(wbio), 1)
} || !TEST_true(send_hello_verify(rbio)))
goto end;
if (validate_client_hello(wbio) != 1) {
printf("Initial ClientHello failed validation\n");
goto end_con;
}
if (send_hello_verify(rbio) != 1) {
printf("Failed to send HelloVerify\n");
goto end_con;
}
ret = SSL_do_handshake(con); ret = SSL_do_handshake(con);
if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) { if (!TEST_int_le(ret, 0)
printf("Unexpected handshake result after HelloVerify!\n"); || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
goto end_con; || !TEST_int_eq(validate_client_hello(wbio), 2)
} || !TEST_true(send_server_hello(rbio)))
if (validate_client_hello(wbio) != 2) { goto end;
printf("Second ClientHello failed validation\n");
goto end_con;
}
if (send_server_hello(rbio) != 1) {
printf("Failed to send ServerHello\n");
goto end_con;
}
ret = SSL_do_handshake(con); ret = SSL_do_handshake(con);
if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) { if (!TEST_int_le(ret, 0)
printf("Unexpected handshake result after ServerHello!\n"); || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
goto end_con; || !TEST_true(send_finished(con, rbio)))
} goto end;
if (send_finished(con, rbio) != 1) {
printf("Failed to send Finished\n");
goto end_con;
}
ret = SSL_do_handshake(con); ret = SSL_do_handshake(con);
if (ret < 1) { if (!TEST_int_gt(ret, 0)
printf("Handshake not successful after Finished!\n"); || !TEST_true(validate_ccs(wbio)))
goto end_con; goto end;
}
if (validate_ccs(wbio) != 1) {
printf("Failed to validate client CCS/Finished\n");
goto end_con;
}
/* While we're here and crafting packets by hand, we might as well do a /* While we're here and crafting packets by hand, we might as well do a
bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
@ -570,55 +544,45 @@ int main(int argc, char *argv[])
before, and in fact was broken even for a basic 0, 2, 1 test case before, and in fact was broken even for a basic 0, 2, 1 test case
when this test was first added.... */ when this test was first added.... */
for (i = 0; i < (int)OSSL_NELEM(tests); i++) { for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
unsigned long recv_buf[2]; uint64_t recv_buf[2];
if (send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq, if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
&tests[i].seq, sizeof(unsigned long)) != 1) { &tests[i].seq, sizeof(uint64_t)))) {
printf("Failed to send data seq #0x%lx (%d)\n", TEST_error("Failed to send data seq #0x%lx (%d)\n",
tests[i].seq, i); tests[i].seq, i);
goto end_con; goto end;
} }
if (tests[i].drop) if (tests[i].drop)
continue; continue;
ret = SSL_read(con, recv_buf, 2 * sizeof(unsigned long)); ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
if (ret != sizeof(unsigned long)) { if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
printf("SSL_read failed or wrong size on seq#0x%lx (%d)\n", TEST_error("SSL_read failed or wrong size on seq#0x%lx (%d)\n",
tests[i].seq, i); tests[i].seq, i);
goto end_con; goto end;
}
if (recv_buf[0] != tests[i].seq) {
printf("Wrong data packet received (0x%lx not 0x%lx) at packet %d\n",
recv_buf[0], tests[i].seq, i);
goto end_con;
} }
if (!TEST_true(recv_buf[0] == tests[i].seq))
goto end;
} }
if (tests[i-1].drop) {
printf("Error: last test cannot be DROP()\n");
goto end_con;
}
testresult=1;
end_con: /* The last test cannot be DROP() */
SSL_free(con); if (!TEST_false(tests[i-1].drop))
end_ctx: goto end;
SSL_CTX_free(ctx);
end_md: testresult = 1;
EVP_MD_CTX_free(handshake_md);
end: end:
ERR_print_errors_fp(stderr); BIO_free(rbio);
BIO_free(wbio);
SSL_free(con);
SSL_CTX_free(ctx);
EVP_MD_CTX_free(handshake_md);
if (!testresult) { return testresult;
printf("Cisco BadDTLS test: FAILED\n"); }
}
void register_tests(void)
{
#ifndef OPENSSL_NO_CRYPTO_MDEBUG ADD_TEST(test_bad_dtls);
if (CRYPTO_mem_leaks(err) <= 0)
testresult = 0;
#endif
BIO_free(err);
return testresult?0:1;
} }

2
test/build.info
View File

@ -191,7 +191,7 @@ IF[{- !$disabled{tests} -}]
INCLUDE[clienthellotest]=../include INCLUDE[clienthellotest]=../include
DEPEND[clienthellotest]=../libcrypto ../libssl DEPEND[clienthellotest]=../libcrypto ../libssl
SOURCE[bad_dtls_test]=bad_dtls_test.c SOURCE[bad_dtls_test]=bad_dtls_test.c testutil.c test_main.c
INCLUDE[bad_dtls_test]=../include INCLUDE[bad_dtls_test]=../include
DEPEND[bad_dtls_test]=../libcrypto ../libssl DEPEND[bad_dtls_test]=../libcrypto ../libssl