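/*
 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <string.h>

#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#include "ssltestlib.h"
#include "testutil.h"

/* Paths to the server certificate and private key, taken from argv in main() */
static char *cert = NULL;
static char *privkey = NULL;

#define NUM_TESTS 2

/* Length advertised in the handshake header of the injected message */
#define DUMMY_CERT_STATUS_LEN 12

/*
 * A hand-built DTLS record from epoch 1 carrying a CertificateStatus
 * handshake fragment with message sequence 5. Layout, top to bottom:
 * 13-byte record header, 12-byte DTLS handshake header (DTLS1_HM_HEADER_LENGTH),
 * then DUMMY_CERT_STATUS_LEN - 2 bytes of filler, which is also what the
 * fragment length field claims. The record is never meant to be processed;
 * it only has to sit in the server's buffer of not-yet-usable records.
 *
 * This table is read-only; tests that need to tweak a byte take a copy.
 */
static const unsigned char certstatus[] = {
    SSL3_RT_HANDSHAKE, /* Content type */
    0xfe, 0xfd, /* Record version (DTLS 1.2 on the wire) */
    0, 1, /* Epoch */
    0, 0, 0, 0, 0, 0x0f, /* Record sequence number */
    0, DTLS1_HM_HEADER_LENGTH + DUMMY_CERT_STATUS_LEN - 2, /* Record length */
    SSL3_MT_CERTIFICATE_STATUS, /* Cert Status handshake message type */
    0, 0, DUMMY_CERT_STATUS_LEN, /* Message len */
    0, 5, /* Message sequence */
    0, 0, 0, /* Fragment offset */
    0, 0, DUMMY_CERT_STATUS_LEN - 2, /* Fragment len */
    0x80, 0x80, 0x80, 0x80, 0x80,
    0x80, 0x80, 0x80, 0x80, 0x80 /* Dummy data */
};

/* Offset of the final byte of the 6-byte record sequence number field above */
#define RECORD_SEQUENCE 10

/*
 * Regression test for the handling of a buffered DTLS record that the server
 * cannot use yet.
 *
 * testidx 0: inject the record as-is. Its handshake message sequence (5) is
 *            too far ahead, so it must never be consumed.
 * testidx 1: additionally push the record sequence number far into the
 *            future. Because the record is dropped before it is marked as
 *            arrived, it must not disturb replay protection; if it did, the
 *            legitimate records that follow would be rejected and the
 *            handshake would fail.
 *
 * Returns 1 on success, 0 on failure (the harness convention for this file).
 */
static int test_dtls_unprocessed(int testidx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl1 = NULL, *clientssl1 = NULL;
    BIO *c_to_s_fbio, *c_to_s_mempacket;
    unsigned char pkt[sizeof(certstatus)];
    int testresult = 0;

    printf("Starting Test %d\n", testidx);

    if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(),
                             DTLS1_VERSION, DTLS_MAX_VERSION, &sctx, &cctx,
                             cert, privkey)) {
        printf("Unable to create SSL_CTX pair\n");
        return 0;
    }

    /*
     * A failed cipher selection was previously printed and then ignored, so
     * the handshake would silently proceed with the default cipher list.
     * Treat it as a test failure instead.
     */
    if (!SSL_CTX_set_cipher_list(cctx, "AES128-SHA")) {
        printf("Failed setting cipher list\n");
        goto end;
    }

    c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
    if (c_to_s_fbio == NULL) {
        printf("Failed to create filter BIO\n");
        goto end;
    }

    /*
     * Ownership of c_to_s_fbio passes to create_ssl_objects, which frees it
     * on error, so it is not freed here.
     */
    if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
                            c_to_s_fbio)) {
        printf("Unable to create SSL objects\n");
        ERR_print_errors_fp(stdout);
        goto end;
    }

    /*
     * Work on a private copy so that the tweak made for test 1 cannot leak
     * into any other run of this function.
     */
    memcpy(pkt, certstatus, sizeof(pkt));
    if (testidx == 1)
        pkt[RECORD_SEQUENCE] = 0xff;

    /*
     * Inject a dummy record from the next epoch. In test 0, this should never
     * get used because the message sequence number is too big. In test 1 we
     * set the record sequence number to be way off in the future. This should
     * not have an impact on the record replay protection because the record
     * should be dropped before it is marked as arrived.
     */
    c_to_s_mempacket = BIO_next(SSL_get_wbio(clientssl1));
    if (c_to_s_mempacket == NULL) {
        printf("Unable to locate the client-to-server mempacket BIO\n");
        goto end;
    }
    if (mempacket_test_inject(c_to_s_mempacket, (char *)pkt, sizeof(pkt), 1,
                              INJECT_PACKET_IGNORE_REC_SEQ) < 0) {
        /* Without the injected record the test would pass vacuously */
        printf("Failed to inject dummy record\n");
        goto end;
    }

    if (!create_ssl_connection(serverssl1, clientssl1)) {
        printf("Unable to create SSL connection\n");
        ERR_print_errors_fp(stdout);
        goto end;
    }

    testresult = 1;
 end:
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

/*
 * Usage: dtlstest <certfile> <keyfile>
 *
 * Runs every test under memory-leak checking. The process exit status is 0
 * only if all tests pass and no leaks are reported.
 */
int main(int argc, char *argv[])
{
    BIO *err = NULL;
    int testresult = 1;

    if (argc != 3) {
        printf("Invalid argument count\n");
        return 1;
    }

    cert = argv[1];
    privkey = argv[2];

    err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);

    CRYPTO_set_mem_debug(1);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

    ADD_ALL_TESTS(test_dtls_unprocessed, NUM_TESTS);

    testresult = run_tests(argv[0]);

    bio_f_tls_dump_filter_free();
    bio_s_mempacket_test_free();

#ifndef OPENSSL_NO_CRYPTO_MDEBUG
    /* A leak report turns an otherwise passing run into a failure */
    if (CRYPTO_mem_leaks(err) <= 0)
        testresult = 1;
#endif
    BIO_free(err);

    if (!testresult)
        printf("PASS\n");

    return testresult;
}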