Skip to main content
  • Home
  • login
  • Browse the archive

    swh mirror partner logo
swh logo
SoftwareHeritage
Software
Heritage
Mirror
Features
  • Search

  • Downloads

  • Save code now

  • Add forge now

  • Help

swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
  • Code
  • Branches (204)
  • Releases (207)
    • Branches
    • Releases
    • HEAD
    • refs/heads/OpenSSL-engine-0_9_6-stable
    • refs/heads/OpenSSL-fips-0_9_7-stable
    • refs/heads/OpenSSL-fips-0_9_8-stable
    • refs/heads/OpenSSL-fips-1_2-stable
    • refs/heads/OpenSSL-fips-2_0-dev
    • refs/heads/OpenSSL-fips-2_0-stable
    • refs/heads/OpenSSL-fips2-0_9_7-stable
    • refs/heads/OpenSSL_0_9_6-stable
    • refs/heads/OpenSSL_0_9_7-stable
    • refs/heads/OpenSSL_0_9_8-stable
    • refs/heads/OpenSSL_0_9_8fg-stable
    • refs/heads/OpenSSL_1_0_0-stable
    • refs/heads/OpenSSL_1_0_1-stable
    • refs/heads/OpenSSL_1_0_2-stable
    • refs/heads/OpenSSL_1_1_0-stable
    • refs/heads/OpenSSL_1_1_1-stable
    • refs/heads/SSLeay
    • refs/heads/feature/dtls-1.3
    • refs/heads/feature/ech
    • refs/heads/feature/quic-server
    • refs/heads/master
    • refs/heads/openssl-3.0
    • refs/heads/openssl-3.1
    • refs/heads/openssl-3.2
    • refs/heads/openssl-3.3
    • refs/heads/openssl-3.4
    • refs/heads/tls1.3-draft-18
    • refs/heads/tls1.3-draft-19
    • refs/tags/AFTER_COMPAQ_PATCH
    • refs/tags/BEFORE_COMPAQ_PATCH
    • refs/tags/BEFORE_engine
    • refs/tags/BEN_FIPS_TEST_1
    • refs/tags/BEN_FIPS_TEST_2
    • refs/tags/BEN_FIPS_TEST_3
    • refs/tags/BEN_FIPS_TEST_4
    • refs/tags/BEN_FIPS_TEST_5
    • refs/tags/BEN_FIPS_TEST_6
    • refs/tags/BEN_FIPS_TEST_7
    • refs/tags/BEN_FIPS_TEST_8
    • refs/tags/FIPS_098_TEST_1
    • refs/tags/FIPS_098_TEST_2
    • refs/tags/FIPS_098_TEST_3
    • refs/tags/FIPS_098_TEST_4
    • refs/tags/FIPS_098_TEST_5
    • refs/tags/FIPS_098_TEST_6
    • refs/tags/FIPS_098_TEST_7
    • refs/tags/FIPS_098_TEST_8
    • refs/tags/FIPS_TEST_10
    • refs/tags/FIPS_TEST_9
    • refs/tags/LEVITTE_after_const
    • refs/tags/LEVITTE_before_const
    • refs/tags/OpenSSL-engine-0_9_6
    • refs/tags/OpenSSL-engine-0_9_6-beta1
    • refs/tags/OpenSSL-engine-0_9_6-beta2
    • refs/tags/OpenSSL-engine-0_9_6-beta3
    • refs/tags/OpenSSL-engine-0_9_6a
    • refs/tags/OpenSSL-engine-0_9_6a-beta1
    • refs/tags/OpenSSL-engine-0_9_6a-beta2
    • refs/tags/OpenSSL-engine-0_9_6a-beta3
    • refs/tags/OpenSSL-engine-0_9_6b
    • refs/tags/OpenSSL-engine-0_9_6c
    • refs/tags/OpenSSL-engine-0_9_6d
    • refs/tags/OpenSSL-engine-0_9_6d-beta1
    • refs/tags/OpenSSL-engine-0_9_6e
    • refs/tags/OpenSSL-engine-0_9_6f
    • refs/tags/OpenSSL-engine-0_9_6g
    • refs/tags/OpenSSL-engine-0_9_6h
    • refs/tags/OpenSSL-engine-0_9_6i
    • refs/tags/OpenSSL-engine-0_9_6j
    • refs/tags/OpenSSL-engine-0_9_6k
    • refs/tags/OpenSSL-engine-0_9_6l
    • refs/tags/OpenSSL-engine-0_9_6m
    • refs/tags/OpenSSL-fips-1_2_0
    • refs/tags/OpenSSL-fips-1_2_1
    • refs/tags/OpenSSL-fips-1_2_2
    • refs/tags/OpenSSL-fips-1_2_3
    • refs/tags/OpenSSL-fips-2_0
    • refs/tags/OpenSSL-fips-2_0-pl1
    • refs/tags/OpenSSL-fips-2_0-rc1
    • refs/tags/OpenSSL-fips-2_0-rc2
    • refs/tags/OpenSSL-fips-2_0-rc3
    • refs/tags/OpenSSL-fips-2_0-rc4
    • refs/tags/OpenSSL-fips-2_0-rc5
    • refs/tags/OpenSSL-fips-2_0-rc6
    • refs/tags/OpenSSL-fips-2_0-rc7
    • refs/tags/OpenSSL-fips-2_0-rc8
    • refs/tags/OpenSSL-fips-2_0-rc9
    • refs/tags/OpenSSL-fips-2_0_1
    • refs/tags/OpenSSL_0_9_1c
    • refs/tags/OpenSSL_0_9_2b
    • refs/tags/OpenSSL_0_9_3
    • refs/tags/OpenSSL_0_9_3a
    • refs/tags/OpenSSL_0_9_3beta1
    • refs/tags/OpenSSL_0_9_3beta2
    • refs/tags/OpenSSL_0_9_4
    • refs/tags/OpenSSL_0_9_5
    • refs/tags/OpenSSL_0_9_5a
    • refs/tags/OpenSSL_0_9_5a-beta1
    • refs/tags/OpenSSL_0_9_5a-beta2
    • refs/tags/OpenSSL_0_9_5beta1
    • refs/tags/OpenSSL_0_9_5beta2
    • refs/tags/OpenSSL_0_9_6
    • refs/tags/OpenSSL_0_9_6-beta1
    • refs/tags/OpenSSL_0_9_6-beta2
    • refs/tags/OpenSSL_0_9_6-beta3
    • refs/tags/OpenSSL_0_9_6a
    • refs/tags/OpenSSL_0_9_6a-beta1
    • refs/tags/OpenSSL_0_9_6a-beta2
    • refs/tags/OpenSSL_0_9_6a-beta3
    • refs/tags/OpenSSL_0_9_6b
    • refs/tags/OpenSSL_0_9_6c
    • refs/tags/OpenSSL_0_9_6d
    • refs/tags/OpenSSL_0_9_6d-beta1
    • refs/tags/OpenSSL_0_9_6e
    • refs/tags/OpenSSL_0_9_6f
    • refs/tags/OpenSSL_0_9_6g
    • refs/tags/OpenSSL_0_9_6h
    • refs/tags/OpenSSL_0_9_6i
    • refs/tags/OpenSSL_0_9_6j
    • refs/tags/OpenSSL_0_9_6k
    • refs/tags/OpenSSL_0_9_6l
    • refs/tags/OpenSSL_0_9_6m
    • refs/tags/OpenSSL_0_9_7
    • refs/tags/OpenSSL_0_9_7-beta1
    • refs/tags/OpenSSL_0_9_7-beta2
    • refs/tags/OpenSSL_0_9_7-beta3
    • refs/tags/OpenSSL_0_9_7-beta4
    • refs/tags/OpenSSL_0_9_7-beta5
    • refs/tags/OpenSSL_0_9_7-beta6
    • refs/tags/OpenSSL_0_9_7a
    • refs/tags/OpenSSL_0_9_7b
    • refs/tags/OpenSSL_0_9_7c
    • refs/tags/OpenSSL_0_9_7d
    • refs/tags/OpenSSL_0_9_7e
    • refs/tags/OpenSSL_0_9_7f
    • refs/tags/OpenSSL_0_9_7g
    • refs/tags/OpenSSL_0_9_7h
    • refs/tags/OpenSSL_0_9_7i
    • refs/tags/OpenSSL_0_9_7j
    • refs/tags/OpenSSL_0_9_7k
    • refs/tags/OpenSSL_0_9_7l
    • refs/tags/OpenSSL_0_9_7m
    • refs/tags/OpenSSL_0_9_8
    • refs/tags/OpenSSL_0_9_8-beta1
    • refs/tags/OpenSSL_0_9_8-beta2
    • refs/tags/OpenSSL_0_9_8-beta3
    • refs/tags/OpenSSL_0_9_8-beta4
    • refs/tags/OpenSSL_0_9_8-beta5
    • refs/tags/OpenSSL_0_9_8-beta6
    • refs/tags/OpenSSL_0_9_8a
    • refs/tags/OpenSSL_0_9_8b
    • refs/tags/OpenSSL_0_9_8c
    • refs/tags/OpenSSL_0_9_8d
    • refs/tags/OpenSSL_0_9_8e
    • refs/tags/OpenSSL_0_9_8f
    • refs/tags/OpenSSL_0_9_8g
    • refs/tags/OpenSSL_0_9_8h
    • refs/tags/OpenSSL_0_9_8i
    • refs/tags/OpenSSL_0_9_8j
    • refs/tags/OpenSSL_0_9_8k
    • refs/tags/OpenSSL_0_9_8l
    • refs/tags/OpenSSL_0_9_8m
    • refs/tags/OpenSSL_0_9_8m-beta1
    • refs/tags/OpenSSL_0_9_8n
    • refs/tags/OpenSSL_0_9_8o
    • refs/tags/OpenSSL_0_9_8p
    • refs/tags/OpenSSL_0_9_8q
    • refs/tags/OpenSSL_0_9_8r
    • refs/tags/OpenSSL_0_9_8s
    • refs/tags/OpenSSL_0_9_8t
    • refs/tags/OpenSSL_0_9_8u
    • refs/tags/OpenSSL_0_9_8v
    • refs/tags/OpenSSL_0_9_8w
    • refs/tags/OpenSSL_0_9_8x
    • refs/tags/OpenSSL_1_0_0
    • refs/tags/OpenSSL_1_0_0-beta1
    • refs/tags/OpenSSL_1_0_0-beta2
    • refs/tags/OpenSSL_1_0_0-beta3
    • refs/tags/OpenSSL_1_0_0-beta4
    • refs/tags/OpenSSL_1_0_0-beta5
    • refs/tags/OpenSSL_1_0_0a
    • refs/tags/OpenSSL_1_0_0b
    • refs/tags/OpenSSL_1_0_0c
    • refs/tags/OpenSSL_1_0_0d
    • refs/tags/OpenSSL_1_0_0e
    • refs/tags/OpenSSL_1_0_0f
    • refs/tags/OpenSSL_1_0_0g
    • refs/tags/OpenSSL_1_0_0h
    • refs/tags/OpenSSL_1_0_0i
    • refs/tags/OpenSSL_1_0_0j
    • refs/tags/OpenSSL_1_0_1
    • refs/tags/OpenSSL_1_0_1-beta1
    • refs/tags/OpenSSL_1_0_1-beta2
    • refs/tags/OpenSSL_1_0_1-beta3
    • refs/tags/OpenSSL_1_0_1a
    • refs/tags/OpenSSL_1_0_1b
    • refs/tags/OpenSSL_1_0_1c
    • refs/tags/OpenSSL_FIPS_1_0
    • refs/tags/SSLeay_0_8_1b
    • refs/tags/SSLeay_0_9_0b
    • refs/tags/SSLeay_0_9_1b
    • refs/tags/STATE_after_zlib
    • refs/tags/STATE_before_zlib
    • refs/tags/rsaref
    • openssl-3.4.0-alpha1
    • openssl-3.3.2
    • openssl-3.3.1
    • openssl-3.3.0-beta1
    • openssl-3.3.0-alpha1
    • openssl-3.3.0
    • openssl-3.2.3
    • openssl-3.2.2
    • openssl-3.2.1
    • openssl-3.2.0-beta1
    • openssl-3.2.0-alpha2
    • openssl-3.2.0-alpha1
    • openssl-3.2.0
    • openssl-3.1.7
    • openssl-3.1.6
    • openssl-3.1.5
    • openssl-3.1.4
    • openssl-3.1.3
    • openssl-3.1.2
    • openssl-3.1.1
    • openssl-3.1.0-beta1
    • openssl-3.1.0-alpha1
    • openssl-3.1.0
    • openssl-3.0.9
    • openssl-3.0.8
    • openssl-3.0.7
    • openssl-3.0.6
    • openssl-3.0.5
    • openssl-3.0.4
    • openssl-3.0.3
    • openssl-3.0.2
    • openssl-3.0.15
    • openssl-3.0.14
    • openssl-3.0.13
    • openssl-3.0.12
    • openssl-3.0.11
    • openssl-3.0.10
    • openssl-3.0.1
    • openssl-3.0.0-beta2
    • openssl-3.0.0-beta1
    • openssl-3.0.0-alpha9
    • openssl-3.0.0-alpha8
    • openssl-3.0.0-alpha7
    • openssl-3.0.0-alpha6
    • openssl-3.0.0-alpha5
    • openssl-3.0.0-alpha4
    • openssl-3.0.0-alpha3
    • openssl-3.0.0-alpha2
    • openssl-3.0.0-alpha17
    • openssl-3.0.0-alpha16
    • openssl-3.0.0-alpha15
    • openssl-3.0.0-alpha14
    • openssl-3.0.0-alpha13
    • openssl-3.0.0-alpha12
    • openssl-3.0.0-alpha11
    • openssl-3.0.0-alpha10
    • openssl-3.0.0-alpha1
    • openssl-3.0.0
    • master-pre-reformat
    • master-pre-auto-reformat
    • master-post-reformat
    • master-post-auto-reformat
    • OpenSSL_1_1_1w
    • OpenSSL_1_1_1v
    • OpenSSL_1_1_1u
    • OpenSSL_1_1_1t
    • OpenSSL_1_1_1s
    • OpenSSL_1_1_1r
    • OpenSSL_1_1_1q
    • OpenSSL_1_1_1p
    • OpenSSL_1_1_1o
    • OpenSSL_1_1_1n
    • OpenSSL_1_1_1m
    • OpenSSL_1_1_1l
    • OpenSSL_1_1_1k
    • OpenSSL_1_1_1j
    • OpenSSL_1_1_1i
    • OpenSSL_1_1_1h
    • OpenSSL_1_1_1g
    • OpenSSL_1_1_1f
    • OpenSSL_1_1_1e
    • OpenSSL_1_1_1d
    • OpenSSL_1_1_1c
    • OpenSSL_1_1_1b
    • OpenSSL_1_1_1a
    • OpenSSL_1_1_1-pre9
    • OpenSSL_1_1_1-pre8
    • OpenSSL_1_1_1-pre7
    • OpenSSL_1_1_1-pre6
    • OpenSSL_1_1_1-pre5
    • OpenSSL_1_1_1-pre4
    • OpenSSL_1_1_1-pre3
    • OpenSSL_1_1_1-pre2
    • OpenSSL_1_1_1-pre1
    • OpenSSL_1_1_1
    • OpenSSL_1_1_0l
    • OpenSSL_1_1_0k
    • OpenSSL_1_1_0j
    • OpenSSL_1_1_0i
    • OpenSSL_1_1_0h
    • OpenSSL_1_1_0g
    • OpenSSL_1_1_0f
    • OpenSSL_1_1_0e
    • OpenSSL_1_1_0d
    • OpenSSL_1_1_0c
    • OpenSSL_1_1_0b
    • OpenSSL_1_1_0a
    • OpenSSL_1_1_0-pre6
    • OpenSSL_1_1_0-pre5
    • OpenSSL_1_1_0-pre4
    • OpenSSL_1_1_0-pre3
    • OpenSSL_1_1_0-pre2
    • OpenSSL_1_1_0-pre1
    • OpenSSL_1_1_0
    • OpenSSL_1_0_2u
    • OpenSSL_1_0_2t
    • OpenSSL_1_0_2s
    • OpenSSL_1_0_2r
    • OpenSSL_1_0_2q
    • OpenSSL_1_0_2p
    • OpenSSL_1_0_2o
    • OpenSSL_1_0_2n
    • OpenSSL_1_0_2m
    • OpenSSL_1_0_2l
    • OpenSSL_1_0_2k
    • OpenSSL_1_0_2j
    • OpenSSL_1_0_2i
    • OpenSSL_1_0_2h
    • OpenSSL_1_0_2g
    • OpenSSL_1_0_2f
    • OpenSSL_1_0_2e
    • OpenSSL_1_0_2d
    • OpenSSL_1_0_2c
    • OpenSSL_1_0_2b
    • OpenSSL_1_0_2a
    • OpenSSL_1_0_2-pre-reformat
    • OpenSSL_1_0_2-pre-auto-reformat
    • OpenSSL_1_0_2-post-reformat
    • OpenSSL_1_0_2-post-auto-reformat
    • OpenSSL_1_0_2-beta3
    • OpenSSL_1_0_2-beta2
    • OpenSSL_1_0_2-beta1
    • OpenSSL_1_0_2
    • OpenSSL_1_0_1u
    • OpenSSL_1_0_1t
    • OpenSSL_1_0_1s
    • OpenSSL_1_0_1r
    • OpenSSL_1_0_1q
    • OpenSSL_1_0_1p
    • OpenSSL_1_0_1o
    • OpenSSL_1_0_1n
    • OpenSSL_1_0_1m
    • OpenSSL_1_0_1l
    • OpenSSL_1_0_1k
    • OpenSSL_1_0_1j
    • OpenSSL_1_0_1i
    • OpenSSL_1_0_1h
    • OpenSSL_1_0_1g
    • OpenSSL_1_0_1f
    • OpenSSL_1_0_1e
    • OpenSSL_1_0_1d
    • OpenSSL_1_0_1-pre-reformat
    • OpenSSL_1_0_1-pre-auto-reformat
    • OpenSSL_1_0_1-post-reformat
    • OpenSSL_1_0_1-post-auto-reformat
    • OpenSSL_1_0_0t
    • OpenSSL_1_0_0s
    • OpenSSL_1_0_0r
    • OpenSSL_1_0_0q
    • OpenSSL_1_0_0p
    • OpenSSL_1_0_0o
    • OpenSSL_1_0_0n
    • OpenSSL_1_0_0m
    • OpenSSL_1_0_0l
    • OpenSSL_1_0_0k
    • OpenSSL_1_0_0-pre-reformat
    • OpenSSL_1_0_0-pre-auto-reformat
    • OpenSSL_1_0_0-post-reformat
    • OpenSSL_1_0_0-post-auto-reformat
    • OpenSSL_0_9_8zh
    • OpenSSL_0_9_8zg
    • OpenSSL_0_9_8zf
    • OpenSSL_0_9_8ze
    • OpenSSL_0_9_8zd
    • OpenSSL_0_9_8zc
    • OpenSSL_0_9_8zb
    • OpenSSL_0_9_8za
    • OpenSSL_0_9_8y
    • OpenSSL_0_9_8-pre-reformat
    • OpenSSL_0_9_8-pre-auto-reformat
    • OpenSSL_0_9_8-post-reformat
    • OpenSSL_0_9_8-post-auto-reformat
    • OpenSSL-fips-2_0_9
    • OpenSSL-fips-2_0_8
    • OpenSSL-fips-2_0_7
    • OpenSSL-fips-2_0_6
    • OpenSSL-fips-2_0_5
    • OpenSSL-fips-2_0_4
    • OpenSSL-fips-2_0_3
    • OpenSSL-fips-2_0_2
    • OpenSSL-fips-2_0_16
    • OpenSSL-fips-2_0_15
    • OpenSSL-fips-2_0_14
    • OpenSSL-fips-2_0_13
    • OpenSSL-fips-2_0_12
    • OpenSSL-fips-2_0_11
    • OpenSSL-fips-2_0_10
  • f2023fb
  • /
  • test
  • /
  • bad_dtls_test.c
Raw File
Permalinks

To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.

  • content
  • directory
  • revision
  • snapshot
  • release
content badge Iframe embedding
swh:1:cnt:d2d6a6b426b64b1a161868ce91faacd21334b9f5
directory badge Iframe embedding
swh:1:dir:de8c7c431320492fe3de77316774cbe06af6b66e
revision badge
swh:1:rev:38778b78e02e7eb721880ee9e33e0c398e1e677f
snapshot badge
swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
release badge
swh:1:rel:87cf17259c59f5276de4bc4ef8cce3cc59b77572
Tip revision: 38778b78e02e7eb721880ee9e33e0c398e1e677f authored by Matt Caswell on 25 June 2020, 13:58:16 UTC
Prepare for release of 3.0 alpha 4
Tip revision: 38778b7
bad_dtls_test.c
/*
 * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
 * AnyConnect VPN protocol.
 *
 * This is designed to exercise the code paths in
 * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
 * which have frequently been affected by regressions in DTLS1_BAD_VER
 * support.
 *
 * Note that unlike other SSL tests, we don't test against our own SSL
 * server method. Firstly because we don't have one; we *only* support
 * DTLS1_BAD_VER as a client. And secondly because even if that were
 * fixed up it's the wrong thing to test against - because if changes
 * are made in generic DTLS code which don't take DTLS1_BAD_VER into
 * account, there's plenty of scope for making those changes such that
 * they break *both* the client and the server in the same way.
 *
 * So we handle the server side manually. In a session resume there isn't
 * much to be done anyway.
 */
#include <string.h>

#include <openssl/core_names.h>
#include <openssl/params.h>
#include <openssl/opensslconf.h>
#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/evp.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/kdf.h>
#include "internal/packet.h"
#include "internal/nelem.h"
#include "testutil.h"

/* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
#define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)

static unsigned char client_random[SSL3_RANDOM_SIZE];
static unsigned char server_random[SSL3_RANDOM_SIZE];

/* These are all generated locally, sized purely according to our own whim */
static unsigned char session_id[32];
static unsigned char master_secret[48];
static unsigned char cookie[20];

/* We've hard-coded the cipher suite; we know it's 104 bytes */
static unsigned char key_block[104];
#define mac_key (key_block + 20)
#define dec_key (key_block + 40)
#define enc_key (key_block + 56)

static EVP_MD_CTX *handshake_md;

static int do_PRF(const void *seed1, int seed1_len,
                  const void *seed2, int seed2_len,
                  const void *seed3, int seed3_len,
                  unsigned char *out, int olen)
{
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
    size_t outlen = olen;

    /* No error handling. If it all screws up, the test will fail anyway */
    EVP_PKEY_derive_init(pctx);
    EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
    EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
    EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
    EVP_PKEY_derive(pctx, out, &outlen);
    EVP_PKEY_CTX_free(pctx);
    return 1;
}

static SSL_SESSION *client_session(void)
{
    static unsigned char session_asn1[] = {
        0x30, 0x5F,              /* SEQUENCE, length 0x5F */
        0x02, 0x01, 0x01,        /* INTEGER, SSL_SESSION_ASN1_VERSION */
        0x02, 0x02, 0x01, 0x00,  /* INTEGER, DTLS1_BAD_VER */
        0x04, 0x02, 0x00, 0x2F,  /* OCTET_STRING, AES128-SHA */
        0x04, 0x20,              /* OCTET_STRING, session id */
#define SS_SESSID_OFS 15 /* Session ID goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x04, 0x30,              /* OCTET_STRING, master secret */
#define SS_SECRET_OFS 49 /* Master secret goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    const unsigned char *p = session_asn1;

    /* Copy the randomly-generated fields into the above ASN1 */
    memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
    memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));

    return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
}

/* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
static int validate_client_hello(BIO *wbio)
{
    PACKET pkt, pkt2;
    long len;
    unsigned char *data;
    int cookie_found = 0;
    unsigned int u = 0;

    len = BIO_get_mem_data(wbio, (char **)&data);
    if (!PACKET_buf_init(&pkt, data, len))
        return 0;

    /* Check record header type */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
        return 0;
    /* Version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;
    /* Skip the rest of the record header */
    if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
        return 0;

    /* Check it's a ClientHello */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
        return 0;
    /* Skip the rest of the handshake message header */
    if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
        return 0;

    /* Check client version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;

    /* Store random */
    if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
        return 0;

    /* Check session id length and content */
    if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
        !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
        return 0;

    /* Check cookie */
    if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
        return 0;
    if (PACKET_remaining(&pkt2)) {
        if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
            return 0;
        cookie_found = 1;
    }

    /* Skip ciphers */
    if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Skip compression */
    if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Skip extensions */
    if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
        return 0;

    /* Now we are at the end */
    if (PACKET_remaining(&pkt))
        return 0;

    /* Update handshake MAC for second ClientHello (with cookie) */
    if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
                                          len - MAC_OFFSET))
        return 0;

    (void)BIO_reset(wbio);

    return 1 + cookie_found;
}

static int send_hello_verify(BIO *rbio)
{
    static unsigned char hello_verify[] = {
        0x16, /* Handshake */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
        0x00, 0x23, /* Length */
        0x03, /* Hello Verify */
        0x00, 0x00, 0x17, /* Length */
        0x00, 0x00, /* Seq# 0 */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x17, /* Fragment length */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x14, /* Cookie length */
#define HV_COOKIE_OFS 28 /* Cookie goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,
    };

    memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));

    BIO_write(rbio, hello_verify, sizeof(hello_verify));

    return 1;
}

static int send_server_hello(BIO *rbio)
{
    static unsigned char server_hello[] = {
        0x16, /* Handshake */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
        0x00, 0x52, /* Length */
        0x02, /* Server Hello */
        0x00, 0x00, 0x46, /* Length */
        0x00, 0x01, /* Seq# */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x46, /* Fragment length */
        0x01, 0x00, /* DTLS1_BAD_VER */
#define SH_RANDOM_OFS 27 /* Server random goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x20, /* Session ID length */
#define SH_SESSID_OFS 60 /* Session ID goes here */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x2f, /* Cipher suite AES128-SHA */
        0x00, /* Compression null */
    };
    static unsigned char change_cipher_spec[] = {
        0x14, /* Change Cipher Spec */
        0x01, 0x00, /* DTLS1_BAD_VER */
        0x00, 0x00, /* Epoch 0 */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
        0x00, 0x03, /* Length */
        0x01, 0x00, 0x02, /* Message */
    };

    memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
    memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));

    if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
                          sizeof(server_hello) - MAC_OFFSET))
        return 0;

    BIO_write(rbio, server_hello, sizeof(server_hello));
    BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));

    return 1;
}

/* Create header, HMAC, pad, encrypt and send a record */
static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
                       const void *msg, size_t len)
{
    /* Note that the order of the record header fields on the wire,
     * and in the HMAC, is different. So we just keep them in separate
     * variables and handle them individually. */
    static unsigned char epoch[2] = { 0x00, 0x01 };
    static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
    static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
    unsigned char lenbytes[2];
    EVP_MAC *hmac;
    EVP_MAC_CTX *ctx;
    EVP_CIPHER_CTX *enc_ctx;
    unsigned char iv[16];
    unsigned char pad;
    unsigned char *enc;
    OSSL_PARAM params[3];

    seq[0] = (seqnr >> 40) & 0xff;
    seq[1] = (seqnr >> 32) & 0xff;
    seq[2] = (seqnr >> 24) & 0xff;
    seq[3] = (seqnr >> 16) & 0xff;
    seq[4] = (seqnr >> 8) & 0xff;
    seq[5] = seqnr & 0xff;

    pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
    enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
    if (enc == NULL)
        return 0;

    /* Copy record to encryption buffer */
    memcpy(enc, msg, len);

    /* Append HMAC to data */
    hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
    ctx = EVP_MAC_new_ctx(hmac);
    EVP_MAC_free(hmac);
    params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
                                                 "SHA1", 0);
    params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
                                                  mac_key, 20);
    params[2] = OSSL_PARAM_construct_end();
    EVP_MAC_set_ctx_params(ctx, params);
    EVP_MAC_init(ctx);
    EVP_MAC_update(ctx, epoch, 2);
    EVP_MAC_update(ctx, seq, 6);
    EVP_MAC_update(ctx, &type, 1);
    EVP_MAC_update(ctx, ver, 2); /* Version */
    lenbytes[0] = (unsigned char)(len >> 8);
    lenbytes[1] = (unsigned char)(len);
    EVP_MAC_update(ctx, lenbytes, 2); /* Length */
    EVP_MAC_update(ctx, enc, len); /* Finally the data itself */
    EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH);
    EVP_MAC_free_ctx(ctx);

    /* Append padding bytes */
    len += SHA_DIGEST_LENGTH;
    do {
        enc[len++] = pad;
    } while (len % 16);

    /* Generate IV, and encrypt */
    RAND_bytes(iv, sizeof(iv));
    enc_ctx = EVP_CIPHER_CTX_new();
    EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1);
    EVP_Cipher(enc_ctx, enc, enc, len);
    EVP_CIPHER_CTX_free(enc_ctx);

    /* Finally write header (from fragmented variables), IV and encrypted record */
    BIO_write(rbio, &type, 1);
    BIO_write(rbio, ver, 2);
    BIO_write(rbio, epoch, 2);
    BIO_write(rbio, seq, 6);
    lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
    lenbytes[1] = (unsigned char)(len + sizeof(iv));
    BIO_write(rbio, lenbytes, 2);

    BIO_write(rbio, iv, sizeof(iv));
    BIO_write(rbio, enc, len);

    OPENSSL_free(enc);
    return 1;
}

static int send_finished(SSL *s, BIO *rbio)
{
    static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
                                      TLS1_FINISH_MAC_LENGTH] = {
        0x14, /* Finished */
        0x00, 0x00, 0x0c, /* Length */
        0x00, 0x03, /* Seq# 3 */
        0x00, 0x00, 0x00, /* Fragment offset */
        0x00, 0x00, 0x0c, /* Fragment length */
        /* Finished MAC (12 bytes) */
    };
    unsigned char handshake_hash[EVP_MAX_MD_SIZE];

    /* Derive key material */
    do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
           server_random, SSL3_RANDOM_SIZE,
           client_random, SSL3_RANDOM_SIZE,
           key_block, sizeof(key_block));

    /* Generate Finished MAC */
    if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
        return 0;

    do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
           handshake_hash, EVP_MD_CTX_size(handshake_md),
           NULL, 0,
           finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);

    return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
                       finished_msg, sizeof(finished_msg));
}

static int validate_ccs(BIO *wbio)
{
    PACKET pkt;
    long len;
    unsigned char *data;
    unsigned int u;

    len = BIO_get_mem_data(wbio, (char **)&data);
    if (!PACKET_buf_init(&pkt, data, len))
        return 0;

    /* Check record header type */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
        return 0;
    /* Version */
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;
    /* Skip the rest of the record header */
    if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
        return 0;

    /* Check ChangeCipherSpec message */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
        return 0;
    /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
     * handshake sequence number (which is 2 here) */
    if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
        return 0;

    /* Now check the Finished packet */
    if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
        return 0;
    if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
        return 0;

    /* Check epoch is now 1 */
    if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
        return 0;

    /* That'll do for now. If OpenSSL accepted *our* Finished packet
     * then it's evidently remembered that DTLS1_BAD_VER doesn't
     * include the handshake header in the MAC. There's not a lot of
     * point in implementing decryption here, just to check that it
     * continues to get it right for one more packet. */

    return 1;
}

#define NODROP(x) { x##UL, 0 }
#define DROP(x)   { x##UL, 1 }

static struct {
    uint64_t seq;
    int drop;
} tests[] = {
    NODROP(1), NODROP(3), NODROP(2),
    NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
    NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
    DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
    NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
    NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
    NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
    NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
    NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
    /* The last test should be NODROP, because a DROP wouldn't get tested. */
};

static int test_bad_dtls(void)
{
    SSL_SESSION *sess = NULL;
    SSL_CTX *ctx = NULL;
    SSL *con = NULL;
    BIO *rbio = NULL;
    BIO *wbio = NULL;
    time_t now = 0;
    int testresult = 0;
    int ret;
    int i;

    RAND_bytes(session_id, sizeof(session_id));
    RAND_bytes(master_secret, sizeof(master_secret));
    RAND_bytes(cookie, sizeof(cookie));
    RAND_bytes(server_random + 4, sizeof(server_random) - 4);

    now = time(NULL);
    memcpy(server_random, &now, sizeof(now));

    sess = client_session();
    if (!TEST_ptr(sess))
        goto end;

    handshake_md = EVP_MD_CTX_new();
    if (!TEST_ptr(handshake_md)
            || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
                                            NULL)))
        goto end;

    ctx = SSL_CTX_new(DTLS_client_method());
    if (!TEST_ptr(ctx)
            || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
            || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
            || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
        goto end;

    con = SSL_new(ctx);
    if (!TEST_ptr(con)
            || !TEST_true(SSL_set_session(con, sess)))
        goto end;
    SSL_SESSION_free(sess);

    rbio = BIO_new(BIO_s_mem());
    wbio = BIO_new(BIO_s_mem());

    if (!TEST_ptr(rbio)
            || !TEST_ptr(wbio))
        goto end;

    SSL_set_bio(con, rbio, wbio);

    if (!TEST_true(BIO_up_ref(rbio))) {
        /*
         * We can't up-ref but we assigned ownership to con, so we shouldn't
         * free in the "end" block
         */
        rbio = wbio = NULL;
        goto end;
    }

    if (!TEST_true(BIO_up_ref(wbio))) {
        wbio = NULL;
        goto end;
    }

    SSL_set_connect_state(con);

    /* Send initial ClientHello */
    ret = SSL_do_handshake(con);
    if (!TEST_int_le(ret, 0)
            || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
            || !TEST_int_eq(validate_client_hello(wbio), 1)
            || !TEST_true(send_hello_verify(rbio)))
        goto end;

    ret = SSL_do_handshake(con);
    if (!TEST_int_le(ret, 0)
            || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
            || !TEST_int_eq(validate_client_hello(wbio), 2)
            || !TEST_true(send_server_hello(rbio)))
        goto end;

    ret = SSL_do_handshake(con);
    if (!TEST_int_le(ret, 0)
            || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
            || !TEST_true(send_finished(con, rbio)))
        goto end;

    ret = SSL_do_handshake(con);
    if (!TEST_int_gt(ret, 0)
            || !TEST_true(validate_ccs(wbio)))
        goto end;

    /* While we're here and crafting packets by hand, we might as well do a
       bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
       specific but useful anyway for the general case. It's been broken
       before, and in fact was broken even for a basic 0, 2, 1 test case
       when this test was first added.... */
    for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
        uint64_t recv_buf[2];

        if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
                                   &tests[i].seq, sizeof(uint64_t)))) {
            TEST_error("Failed to send data seq #0x%x%08x (%d)\n",
                       (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
            goto end;
        }

        if (tests[i].drop)
            continue;

        ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
        if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
            TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n",
                       (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
            goto end;
        }
        if (!TEST_true(recv_buf[0] == tests[i].seq))
            goto end;
    }

    /* The last test cannot be DROP() */
    if (!TEST_false(tests[i-1].drop))
        goto end;

    testresult = 1;

 end:
    BIO_free(rbio);
    BIO_free(wbio);
    SSL_free(con);
    SSL_CTX_free(ctx);
    EVP_MD_CTX_free(handshake_md);

    return testresult;
}

int setup_tests(void)
{
    ADD_TEST(test_bad_dtls);
    return 1;
}

ENEA — Copyright (C), ENEA. License: GNU AGPLv3+.
Legal notes  ::  JavaScript license information ::  Web API

back to top