Add test for server-initiated renego
Just assuming the HelloRequest isn't lost for now
This commit is contained in:
parent
a9d7d03e30
commit
ba958b8bdc
3 changed files with 49 additions and 4 deletions
|
@ -2961,9 +2961,12 @@ static int ssl_parse_record_header( ssl_context *ssl )
|
|||
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||
}
|
||||
|
||||
/* Drop unexpected ApplicationData records */
|
||||
/* Drop unexpected ApplicationData records,
|
||||
* except at the beginning of renegotiations */
|
||||
if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
|
||||
ssl->state != SSL_HANDSHAKE_OVER )
|
||||
ssl->state != SSL_HANDSHAKE_OVER &&
|
||||
! ( ssl->renegotiation == SSL_RENEGOTIATION &&
|
||||
ssl->state == SSL_SERVER_HELLO ) )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
|
||||
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||
|
@ -5839,8 +5842,10 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
|
|||
ssl->in_offt = ssl->in_msg;
|
||||
|
||||
#if defined(POLARSSL_TIMING_C)
|
||||
/* We're going to return something now, cancel timer */
|
||||
ssl_set_timer( ssl, 0 );
|
||||
/* We're going to return something now, cancel timer,
|
||||
* except if handshake (renegotiation) is in progress */
|
||||
if( ssl->state == SSL_HANDSHAKE_OVER )
|
||||
ssl_set_timer( ssl, 0 );
|
||||
#endif
|
||||
}
|
||||
|
||||
|
|
|
@ -95,6 +95,7 @@ int main( void )
|
|||
" drop packets larger than N bytes\n" \
|
||||
" bad_ad=0/1 default: 0 (don't add bad ApplicationData)\n" \
|
||||
" protect_hvr=0/1 default: 0 (don't protect HelloVerifyRequest)\n" \
|
||||
" protect_len=%%d default: (don't protect packets of this size)\n" \
|
||||
"\n" \
|
||||
" seed=%%d default: (use current time)\n" \
|
||||
"\n"
|
||||
|
@ -116,6 +117,7 @@ static struct options
|
|||
int mtu; /* drop packets larger than this */
|
||||
int bad_ad; /* inject corrupted ApplicationData record */
|
||||
int protect_hvr; /* never drop or delay HelloVerifyRequest */
|
||||
int protect_len; /* never drop/delay packet of the given size*/
|
||||
|
||||
unsigned int seed; /* seed for "random" events */
|
||||
} opt;
|
||||
|
@ -207,6 +209,12 @@ static void get_options( int argc, char *argv[] )
|
|||
if( opt.protect_hvr < 0 || opt.protect_hvr > 1 )
|
||||
exit_usage( p, q );
|
||||
}
|
||||
else if( strcmp( p, "protect_len" ) == 0 )
|
||||
{
|
||||
opt.protect_len = atoi( q );
|
||||
if( opt.protect_len < 0 )
|
||||
exit_usage( p, q );
|
||||
}
|
||||
else if( strcmp( p, "seed" ) == 0 )
|
||||
{
|
||||
opt.seed = atoi( q );
|
||||
|
@ -416,6 +424,7 @@ int handle_message( const char *way, int dst, int src )
|
|||
strcmp( cur.type, "ApplicationData" ) != 0 &&
|
||||
! ( opt.protect_hvr &&
|
||||
strcmp( cur.type, "HelloVerifyRequest" ) == 0 ) &&
|
||||
cur.len != (size_t) opt.protect_len &&
|
||||
dropped[id] < DROP_MAX &&
|
||||
rand() % opt.drop == 0 ) )
|
||||
{
|
||||
|
@ -428,6 +437,7 @@ int handle_message( const char *way, int dst, int src )
|
|||
! ( opt.protect_hvr &&
|
||||
strcmp( cur.type, "HelloVerifyRequest" ) == 0 ) &&
|
||||
prev.dst == 0 &&
|
||||
cur.len != (size_t) opt.protect_len &&
|
||||
dropped[id] < DROP_MAX &&
|
||||
rand() % opt.delay == 0 ) )
|
||||
{
|
||||
|
|
|
@ -2360,6 +2360,36 @@ run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \
|
|||
-s "Extra-header:" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
needs_more_time 4
|
||||
run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \
|
||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_len=41" \
|
||||
"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
||||
psk=abc123 renegotiate=1 renegotiation=1 exchanges=2 \
|
||||
debug_level=2" \
|
||||
"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
||||
renegotiation=1 exchanges=2 debug_level=2 \
|
||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "=> renegotiate" \
|
||||
-s "=> renegotiate" \
|
||||
-s "Extra-header:" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
needs_more_time 4
|
||||
run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \
|
||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_len=41" \
|
||||
"$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \
|
||||
psk=abc123 renegotiate=1 renegotiation=1 exchanges=2 \
|
||||
debug_level=2 nbio=2" \
|
||||
"$P_CLI dtls=1 hs_timeout=250-10000 tickets=0 psk=abc123 \
|
||||
renegotiation=1 exchanges=2 debug_level=2 nbio=2 \
|
||||
force_ciphersuite=TLS-PSK-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "=> renegotiate" \
|
||||
-s "=> renegotiate" \
|
||||
-s "Extra-header:" \
|
||||
-c "HTTP/1.0 200 OK"
|
||||
|
||||
needs_more_time 3
|
||||
run_test "DTLS proxy: 3d, openssl server" \
|
||||
-p "$P_PXY drop=5 delay=5 duplicate=5 protect_hvr=1" \
|
||||
|
|
Loading…
Reference in a new issue