2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
12 * AnyConnect VPN protocol.
14 * This is designed to exercise the code paths in
15 * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
16 * which have frequently been affected by regressions in DTLS1_BAD_VER
19 * Note that unlike other SSL tests, we don't test against our own SSL
20 * server method. Firstly because we don't have one; we *only* support
21 * DTLS1_BAD_VER as a client. And secondly because even if that were
22 * fixed up it's the wrong thing to test against — because if changes
23 * are made in generic DTLS code which don't take DTLS1_BAD_VER into
24 * account, there's plenty of scope for making those changes such that
25 * they break *both* the client and the server in the same way.
27 * So we handle the server side manually. In a session resume there isn't
28 * much to be done anyway.
32 #include <openssl/opensslconf.h>
33 #include <openssl/bio.h>
34 #include <openssl/crypto.h>
35 #include <openssl/evp.h>
36 #include <openssl/ssl.h>
37 #include <openssl/err.h>
38 #include <openssl/rand.h>
39 #include <openssl/kdf.h>
41 #include "../ssl/packet_locl.h"
42 #include "../e_os.h" /* for OSSL_NELEM() */
44 /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
45 #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
47 static unsigned char client_random[SSL3_RANDOM_SIZE];
48 static unsigned char server_random[SSL3_RANDOM_SIZE];
50 /* These are all generated locally, sized purely according to our own whim */
51 static unsigned char session_id[32];
52 static unsigned char master_secret[48];
53 static unsigned char cookie[20];
55 /* We've hard-coded the cipher suite; we know it's 104 bytes */
56 static unsigned char key_block[104];
57 #define mac_key (key_block + 20)
58 #define dec_key (key_block + 40)
59 #define enc_key (key_block + 56)
61 static EVP_MD_CTX *handshake_md;
63 static int do_PRF(const void *seed1, int seed1_len,
64 const void *seed2, int seed2_len,
65 const void *seed3, int seed3_len,
66 unsigned char *out, int olen)
68 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
71 /* No error handling. If it all screws up, the test will fail anyway */
72 EVP_PKEY_derive_init(pctx);
73 EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
74 EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
75 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
76 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
77 EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
78 EVP_PKEY_derive(pctx, out, &outlen);
79 EVP_PKEY_CTX_free(pctx);
83 static SSL_SESSION *client_session(void)
85 static unsigned char session_asn1[] = {
86 0x30, 0x5F, /* SEQUENCE, length 0x5F */
87 0x02, 0x01, 0x01, /* INTEGER, SSL_SESSION_ASN1_VERSION */
88 0x02, 0x02, 0x01, 0x00, /* INTEGER, DTLS1_BAD_VER */
89 0x04, 0x02, 0x00, 0x2F, /* OCTET_STRING, AES128-SHA */
90 0x04, 0x20, /* OCTET_STRING, session id */
91 #define SS_SESSID_OFS 15 /* Session ID goes here */
92 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
93 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
94 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96 0x04, 0x30, /* OCTET_STRING, master secret */
97 #define SS_SECRET_OFS 49 /* Master secret goes here */
98 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
99 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
100 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
105 const unsigned char *p = session_asn1;
107 /* Copy the randomly-generated fields into the above ASN1 */
108 memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
109 memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
111 return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
114 /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
115 static int validate_client_hello(BIO *wbio)
120 int cookie_found = 0;
123 len = BIO_get_mem_data(wbio, (char **)&data);
124 if (!PACKET_buf_init(&pkt, data, len))
127 /* Check record header type */
128 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
131 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
133 /* Skip the rest of the record header */
134 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
137 /* Check it's a ClientHello */
138 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
140 /* Skip the rest of the handshake message header */
141 if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
144 /* Check client version */
145 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
149 if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
152 /* Check session id length and content */
153 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
154 !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
158 if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
160 if (PACKET_remaining(&pkt2)) {
161 if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
167 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
170 /* Skip compression */
171 if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
174 /* Skip extensions */
175 if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
178 /* Now we are at the end */
179 if (PACKET_remaining(&pkt))
182 /* Update handshake MAC for second ClientHello (with cookie) */
183 if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
185 printf("EVP_DigestUpdate() failed\n");
187 (void)BIO_reset(wbio);
189 return 1 + cookie_found;
192 static int send_hello_verify(BIO *rbio)
194 static unsigned char hello_verify[] = {
195 0x16, /* Handshake */
196 0x01, 0x00, /* DTLS1_BAD_VER */
197 0x00, 0x00, /* Epoch 0 */
198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
199 0x00, 0x23, /* Length */
200 0x03, /* Hello Verify */
201 0x00, 0x00, 0x17, /* Length */
202 0x00, 0x00, /* Seq# 0 */
203 0x00, 0x00, 0x00, /* Fragment offset */
204 0x00, 0x00, 0x17, /* Fragment length */
205 0x01, 0x00, /* DTLS1_BAD_VER */
206 0x14, /* Cookie length */
207 #define HV_COOKIE_OFS 28 /* Cookie goes here */
208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
210 0x00, 0x00, 0x00, 0x00,
213 memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
215 BIO_write(rbio, hello_verify, sizeof(hello_verify));
220 static int send_server_hello(BIO *rbio)
222 static unsigned char server_hello[] = {
223 0x16, /* Handshake */
224 0x01, 0x00, /* DTLS1_BAD_VER */
225 0x00, 0x00, /* Epoch 0 */
226 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
227 0x00, 0x52, /* Length */
228 0x02, /* Server Hello */
229 0x00, 0x00, 0x46, /* Length */
230 0x00, 0x01, /* Seq# */
231 0x00, 0x00, 0x00, /* Fragment offset */
232 0x00, 0x00, 0x46, /* Fragment length */
233 0x01, 0x00, /* DTLS1_BAD_VER */
234 #define SH_RANDOM_OFS 27 /* Server random goes here */
235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
236 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239 0x20, /* Session ID length */
240 #define SH_SESSID_OFS 60 /* Session ID goes here */
241 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
243 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245 0x00, 0x2f, /* Cipher suite AES128-SHA */
246 0x00, /* Compression null */
248 static unsigned char change_cipher_spec[] = {
249 0x14, /* Change Cipher Spec */
250 0x01, 0x00, /* DTLS1_BAD_VER */
251 0x00, 0x00, /* Epoch 0 */
252 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
253 0x00, 0x03, /* Length */
254 0x01, 0x00, 0x02, /* Message */
257 memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
258 memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
260 if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
261 sizeof(server_hello) - MAC_OFFSET))
262 printf("EVP_DigestUpdate() failed\n");
264 BIO_write(rbio, server_hello, sizeof(server_hello));
265 BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
270 /* Create header, HMAC, pad, encrypt and send a record */
271 static int send_record(BIO *rbio, unsigned char type, unsigned long seqnr,
272 const void *msg, size_t len)
274 /* Note that the order of the record header fields on the wire,
275 * and in the HMAC, is different. So we just keep them in separate
276 * variables and handle them individually. */
277 static unsigned char epoch[2] = { 0x00, 0x01 };
278 static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
279 static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
280 unsigned char lenbytes[2];
282 EVP_CIPHER_CTX *enc_ctx;
283 unsigned char iv[16];
287 #ifdef SIXTY_FOUR_BIT_LONG
288 seq[0] = (seqnr >> 40) & 0xff;
289 seq[1] = (seqnr >> 32) & 0xff;
291 seq[2] = (seqnr >> 24) & 0xff;
292 seq[3] = (seqnr >> 16) & 0xff;
293 seq[4] = (seqnr >> 8) & 0xff;
294 seq[5] = seqnr & 0xff;
296 pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
297 enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
301 /* Copy record to encryption buffer */
302 memcpy(enc, msg, len);
304 /* Append HMAC to data */
305 ctx = HMAC_CTX_new();
306 HMAC_Init_ex(ctx, mac_key, 20, EVP_sha1(), NULL);
307 HMAC_Update(ctx, epoch, 2);
308 HMAC_Update(ctx, seq, 6);
309 HMAC_Update(ctx, &type, 1);
310 HMAC_Update(ctx, ver, 2); /* Version */
311 lenbytes[0] = len >> 8;
312 lenbytes[1] = len & 0xff;
313 HMAC_Update(ctx, lenbytes, 2); /* Length */
314 HMAC_Update(ctx, enc, len); /* Finally the data itself */
315 HMAC_Final(ctx, enc + len, NULL);
318 /* Append padding bytes */
319 len += SHA_DIGEST_LENGTH;
324 /* Generate IV, and encrypt */
325 RAND_bytes(iv, sizeof(iv));
326 enc_ctx = EVP_CIPHER_CTX_new();
327 EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL, enc_key, iv, 1);
328 EVP_Cipher(enc_ctx, enc, enc, len);
329 EVP_CIPHER_CTX_free(enc_ctx);
331 /* Finally write header (from fragmented variables), IV and encrypted record */
332 BIO_write(rbio, &type, 1);
333 BIO_write(rbio, ver, 2);
334 BIO_write(rbio, epoch, 2);
335 BIO_write(rbio, seq, 6);
336 lenbytes[0] = (len + sizeof(iv)) >> 8;
337 lenbytes[1] = (len + sizeof(iv)) & 0xff;
338 BIO_write(rbio, lenbytes, 2);
340 BIO_write(rbio, iv, sizeof(iv));
341 BIO_write(rbio, enc, len);
347 static int send_finished(SSL *s, BIO *rbio)
349 static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
350 TLS1_FINISH_MAC_LENGTH] = {
352 0x00, 0x00, 0x0c, /* Length */
353 0x00, 0x03, /* Seq# 3 */
354 0x00, 0x00, 0x00, /* Fragment offset */
355 0x00, 0x00, 0x0c, /* Fragment length */
356 /* Finished MAC (12 bytes) */
358 unsigned char handshake_hash[EVP_MAX_MD_SIZE];
360 /* Derive key material */
361 do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
362 server_random, SSL3_RANDOM_SIZE,
363 client_random, SSL3_RANDOM_SIZE,
364 key_block, sizeof(key_block));
366 /* Generate Finished MAC */
367 if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
368 printf("EVP_DigestFinal_ex() failed\n");
370 do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
371 handshake_hash, EVP_MD_CTX_size(handshake_md),
373 finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
375 return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
376 finished_msg, sizeof(finished_msg));
379 static int validate_ccs(BIO *wbio)
386 len = BIO_get_mem_data(wbio, (char **)&data);
387 if (!PACKET_buf_init(&pkt, data, len))
390 /* Check record header type */
391 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
394 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
396 /* Skip the rest of the record header */
397 if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
400 /* Check ChangeCipherSpec message */
401 if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
403 /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
404 * handshake sequence number (which is 2 here) */
405 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
408 /* Now check the Finished packet */
409 if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
411 if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
414 /* Check epoch is now 1 */
415 if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
418 /* That'll do for now. If OpenSSL accepted *our* Finished packet
419 * then it's evidently remembered that DTLS1_BAD_VER doesn't
420 * include the handshake header in the MAC. There's not a lot of
421 * point in implementing decryption here, just to check that it
422 * continues to get it right for one more packet. */
427 #define NODROP(x) { x##UL, 0 }
428 #define DROP(x) { x##UL, 1 }
434 NODROP(1), NODROP(3), NODROP(2),
435 NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
436 NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
437 DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
438 NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
439 NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
440 NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
441 NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
442 NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
443 /* The last test should be NODROP, because a DROP wouldn't get tested. */
446 int main(int argc, char *argv[])
459 err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
461 CRYPTO_set_mem_debug(1);
462 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
464 RAND_bytes(session_id, sizeof(session_id));
465 RAND_bytes(master_secret, sizeof(master_secret));
466 RAND_bytes(cookie, sizeof(cookie));
467 RAND_bytes(server_random + 4, sizeof(server_random) - 4);
470 memcpy(server_random, &now, sizeof(now));
472 sess = client_session();
474 printf("Failed to generate SSL_SESSION\n");
478 handshake_md = EVP_MD_CTX_new();
479 if (handshake_md == NULL ||
480 !EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(), NULL)) {
481 printf("Failed to initialise handshake_md\n");
485 ctx = SSL_CTX_new(DTLS_client_method());
487 printf("Failed to allocate SSL_CTX\n");
490 if (!SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER)) {
491 printf("SSL_CTX_set_min_proto_version() failed\n");
494 if (!SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER)) {
495 printf("SSL_CTX_set_max_proto_version() failed\n");
499 if (!SSL_CTX_set_cipher_list(ctx, "AES128-SHA")) {
500 printf("SSL_CTX_set_cipher_list() failed\n");
505 if (!SSL_set_session(con, sess)) {
506 printf("SSL_set_session() failed\n");
509 SSL_SESSION_free(sess);
511 rbio = BIO_new(BIO_s_mem());
512 wbio = BIO_new(BIO_s_mem());
514 BIO_set_nbio(rbio, 1);
515 BIO_set_nbio(wbio, 1);
517 SSL_set_bio(con, rbio, wbio);
518 SSL_set_connect_state(con);
520 /* Send initial ClientHello */
521 ret = SSL_do_handshake(con);
522 if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
523 printf("Unexpected handshake result at initial call!\n");
527 if (validate_client_hello(wbio) != 1) {
528 printf("Initial ClientHello failed validation\n");
531 if (send_hello_verify(rbio) != 1) {
532 printf("Failed to send HelloVerify\n");
535 ret = SSL_do_handshake(con);
536 if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
537 printf("Unexpected handshake result after HelloVerify!\n");
540 if (validate_client_hello(wbio) != 2) {
541 printf("Second ClientHello failed validation\n");
544 if (send_server_hello(rbio) != 1) {
545 printf("Failed to send ServerHello\n");
548 ret = SSL_do_handshake(con);
549 if (ret > 0 || SSL_get_error(con, ret) != SSL_ERROR_WANT_READ) {
550 printf("Unexpected handshake result after ServerHello!\n");
553 if (send_finished(con, rbio) != 1) {
554 printf("Failed to send Finished\n");
557 ret = SSL_do_handshake(con);
559 printf("Handshake not successful after Finished!\n");
562 if (validate_ccs(wbio) != 1) {
563 printf("Failed to validate client CCS/Finished\n");
567 /* While we're here and crafting packets by hand, we might as well do a
568 bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
569 specific but useful anyway for the general case. It's been broken
570 before, and in fact was broken even for a basic 0, 2, 1 test case
571 when this test was first added.... */
572 for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
573 unsigned long recv_buf[2];
575 if (send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
576 &tests[i].seq, sizeof(unsigned long)) != 1) {
577 printf("Failed to send data seq #0x%lx (%d)\n",
585 ret = SSL_read(con, recv_buf, 2 * sizeof(unsigned long));
586 if (ret != sizeof(unsigned long)) {
587 printf("SSL_read failed or wrong size on seq#0x%lx (%d)\n",
591 if (recv_buf[0] != tests[i].seq) {
592 printf("Wrong data packet received (0x%lx not 0x%lx) at packet %d\n",
593 recv_buf[0], tests[i].seq, i);
597 if (tests[i-1].drop) {
598 printf("Error: last test cannot be DROP()\n");
608 EVP_MD_CTX_free(handshake_md);
610 ERR_print_errors_fp(stderr);
613 printf("Cisco BadDTLS test: FAILED\n");
617 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
618 if (CRYPTO_mem_leaks(err) <= 0)
623 return testresult?0:1;