openssl/test/dtlstest.c

/*
 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/bio.h>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

#include "ssltestlib.h"
#include "testutil.h"
#include "test_main_custom.h"

static char *cert = NULL;
static char *privkey = NULL;

#define NUM_TESTS   2


#define DUMMY_CERT_STATUS_LEN  12

static unsigned char certstatus[] = {
    SSL3_RT_HANDSHAKE, /* Content type */
    0xfe, 0xfd, /* Record version */
    0, 1, /* Epoch */
    0, 0, 0, 0, 0, 0x0f, /* Record sequence number */
    0, DTLS1_HM_HEADER_LENGTH + DUMMY_CERT_STATUS_LEN - 2,
    SSL3_MT_CERTIFICATE_STATUS, /* Cert Status handshake message type */
    0, 0, DUMMY_CERT_STATUS_LEN, /* Message len */
    0, 5, /* Message sequence */
    0, 0, 0, /* Fragment offset */
    0, 0, DUMMY_CERT_STATUS_LEN - 2, /* Fragment len */
    0x80, 0x80, 0x80, 0x80, 0x80,
    0x80, 0x80, 0x80, 0x80, 0x80 /* Dummy data */
};

#define RECORD_SEQUENCE 10

static int test_dtls_unprocessed(int testidx)
{
    SSL_CTX *sctx = NULL, *cctx = NULL;
    SSL *serverssl1 = NULL, *clientssl1 = NULL;
    BIO *c_to_s_fbio, *c_to_s_mempacket;
    int testresult = 0;

    printf("Starting Test %d\n", testidx);

    if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), &sctx,
                             &cctx, cert, privkey)) {
        printf("Unable to create SSL_CTX pair\n");
        return 0;
    }

    if (!SSL_CTX_set_cipher_list(cctx, "AES128-SHA")) {
        printf("Failed setting cipher list\n");
    }

    c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());
    if (c_to_s_fbio == NULL) {
        printf("Failed to create filter BIO\n");
        goto end;
    }

    /* BIO is freed by create_ssl_connection on error */
    if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,
                               c_to_s_fbio)) {
        printf("Unable to create SSL objects\n");
        ERR_print_errors_fp(stdout);
        goto end;
    }

    if (testidx == 1)
        certstatus[RECORD_SEQUENCE] = 0xff;

    /*
     * Inject a dummy record from the next epoch. In test 0, this should never
     * get used because the message sequence number is too big. In test 1 we set
     * the record sequence number to be way off in the future. This should not
     * have an impact on the record replay protection because the record should
     * be dropped before it is marked as arrived
     */
    c_to_s_mempacket = SSL_get_wbio(clientssl1);
    c_to_s_mempacket = BIO_next(c_to_s_mempacket);
    mempacket_test_inject(c_to_s_mempacket, (char *)certstatus,
                          sizeof(certstatus), 1, INJECT_PACKET_IGNORE_REC_SEQ);

    if (!create_ssl_connection(serverssl1, clientssl1)) {
        printf("Unable to create SSL connection\n");
        ERR_print_errors_fp(stdout);
        goto end;
    }

    testresult = 1;
 end:
    SSL_free(serverssl1);
    SSL_free(clientssl1);
    SSL_CTX_free(sctx);
    SSL_CTX_free(cctx);

    return testresult;
}

int test_main(int argc, char *argv[])
{
    int testresult = 1;

    if (argc != 3) {
        printf("Invalid argument count\n");
        return 1;
    }

    cert = argv[1];
    privkey = argv[2];

    ADD_ALL_TESTS(test_dtls_unprocessed, NUM_TESTS);

    testresult = run_tests(argv[0]);

    bio_f_tls_dump_filter_free();
    bio_s_mempacket_test_free();

    return testresult;
}
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`/*`
			`* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.`
			`*`
			`* Licensed under the OpenSSL license (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
			`*/`

			`#include <openssl/bio.h>`
			`#include <openssl/crypto.h>`
			`#include <openssl/ssl.h>`
			`#include <openssl/err.h>`

			`#include "ssltestlib.h"`
			`#include "testutil.h"`
Add main() test methods to reduce test boilerplate. Simple tests only need to implement register_tests(). Tests that need a custom main() should implement test_main(). This will be wrapped in a main() that performs common setup/teardown (currently crypto-mdebug). Note that for normal development, enable-asan is usually sufficient for detecting leaks, and more versatile. enable-crypto-mdebug is stricter as it will also insist that all static variables be freed. This is useful for debugging library init/deinit; however, it also means that test_main() must free everything it allocates. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-11-07 15:53:15 +00:00			`#include "test_main_custom.h"`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00
			`static char *cert = NULL;`
			`static char *privkey = NULL;`

Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`#define NUM_TESTS 2`

Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00
			`#define DUMMY_CERT_STATUS_LEN 12`

Fix some clang warnings Clang was complaining about some unused functions. Moving the stack declaration to the header seems to sort it. Also the certstatus variable in dtlstest needed to be declared static. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-19 10:34:21 +00:00			`static unsigned char certstatus[] = {`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`SSL3_RT_HANDSHAKE, /* Content type */`
			`0xfe, 0xfd, /* Record version */`
			`0, 1, /* Epoch */`
			`0, 0, 0, 0, 0, 0x0f, /* Record sequence number */`
			`0, DTLS1_HM_HEADER_LENGTH + DUMMY_CERT_STATUS_LEN - 2,`
			`SSL3_MT_CERTIFICATE_STATUS, /* Cert Status handshake message type */`
			`0, 0, DUMMY_CERT_STATUS_LEN, /* Message len */`
			`0, 5, /* Message sequence */`
			`0, 0, 0, /* Fragment offset */`
			`0, 0, DUMMY_CERT_STATUS_LEN - 2, /* Fragment len */`
			`0x80, 0x80, 0x80, 0x80, 0x80,`
			`0x80, 0x80, 0x80, 0x80, 0x80 /* Dummy data */`
			`};`

Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`#define RECORD_SEQUENCE 10`

			`static int test_dtls_unprocessed(int testidx)`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`{`
			`SSL_CTX sctx = NULL, cctx = NULL;`
			`SSL serverssl1 = NULL, clientssl1 = NULL;`
			`BIO c_to_s_fbio, c_to_s_mempacket;`
			`int testresult = 0;`

Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`printf("Starting Test %d\n", testidx);`

Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), &sctx,`
			`&cctx, cert, privkey)) {`
			`printf("Unable to create SSL_CTX pair\n");`
			`return 0;`
			`}`

Choose a ciphersuite for testing that won't be affected by "no-*" options The previous ciphersuite broke in no-ec builds. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-08-22 09:42:08 +00:00			`if (!SSL_CTX_set_cipher_list(cctx, "AES128-SHA")) {`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`printf("Failed setting cipher list\n");`
			`}`

			`c_to_s_fbio = BIO_new(bio_f_tls_dump_filter());`
			`if (c_to_s_fbio == NULL) {`
			`printf("Failed to create filter BIO\n");`
			`goto end;`
			`}`

			`/* BIO is freed by create_ssl_connection on error */`
			`if (!create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1, NULL,`
			`c_to_s_fbio)) {`
			`printf("Unable to create SSL objects\n");`
			`ERR_print_errors_fp(stdout);`
			`goto end;`
			`}`

Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`if (testidx == 1)`
			`certstatus[RECORD_SEQUENCE] = 0xff;`

Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`/*`
Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`* Inject a dummy record from the next epoch. In test 0, this should never`
			`* get used because the message sequence number is too big. In test 1 we set`
			`* the record sequence number to be way off in the future. This should not`
			`* have an impact on the record replay protection because the record should`
			`* be dropped before it is marked as arrived`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`*/`
			`c_to_s_mempacket = SSL_get_wbio(clientssl1);`
			`c_to_s_mempacket = BIO_next(c_to_s_mempacket);`
			`mempacket_test_inject(c_to_s_mempacket, (char *)certstatus,`
			`sizeof(certstatus), 1, INJECT_PACKET_IGNORE_REC_SEQ);`

			`if (!create_ssl_connection(serverssl1, clientssl1)) {`
			`printf("Unable to create SSL connection\n");`
			`ERR_print_errors_fp(stdout);`
			`goto end;`
			`}`

			`testresult = 1;`
			`end:`
			`SSL_free(serverssl1);`
			`SSL_free(clientssl1);`
			`SSL_CTX_free(sctx);`
			`SSL_CTX_free(cctx);`

			`return testresult;`
			`}`

Add main() test methods to reduce test boilerplate. Simple tests only need to implement register_tests(). Tests that need a custom main() should implement test_main(). This will be wrapped in a main() that performs common setup/teardown (currently crypto-mdebug). Note that for normal development, enable-asan is usually sufficient for detecting leaks, and more versatile. enable-crypto-mdebug is stricter as it will also insist that all static variables be freed. This is useful for debugging library init/deinit; however, it also means that test_main() must free everything it allocates. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-11-07 15:53:15 +00:00			`int test_main(int argc, char *argv[])`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00			`{`
			`int testresult = 1;`

			`if (argc != 3) {`
			`printf("Invalid argument count\n");`
			`return 1;`
			`}`

			`cert = argv[1];`
			`privkey = argv[2];`

Add DTLS replay protection test Injects a record from epoch 1 during epoch 0 handshake, with a record sequence number in the future, to test that the record replay protection feature works as expected. This is described more fully in the next commit. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-05 08:50:55 +00:00			`ADD_ALL_TESTS(test_dtls_unprocessed, NUM_TESTS);`
Add a DTLS unprocesed records test Add a test to inject a record from the next epoch during the handshake and make sure it doesn't get processed immediately. Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-07-04 13:59:06 +00:00
			`testresult = run_tests(argv[0]);`

			`bio_f_tls_dump_filter_free();`
			`bio_s_mempacket_test_free();`

			`return testresult;`
			`}`