Add tests for ssl_set_dtls_badmac_limit()

This commit is contained in:
Manuel Pégourié-Gonnard 2014-10-14 19:36:36 +02:00 committed by Paul Bakker
parent b0643d152d
commit e698f59a25
2 changed files with 64 additions and 6 deletions

View file

@ -126,6 +126,7 @@ int main( int argc, char *argv[] )
#define DFL_ANTI_REPLAY -1 #define DFL_ANTI_REPLAY -1
#define DFL_HS_TO_MIN 0 #define DFL_HS_TO_MIN 0
#define DFL_HS_TO_MAX 0 #define DFL_HS_TO_MAX 0
#define DFL_BADMAC_LIMIT -1
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -192,6 +193,7 @@ struct options
int anti_replay; /* Use anti-replay for DTLS? -1 for default */ int anti_replay; /* Use anti-replay for DTLS? -1 for default */
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */ uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
uint32_t hs_to_max; /* Max value of DTLS handshake timer */ uint32_t hs_to_max; /* Max value of DTLS handshake timer */
int badmac_limit; /* Limit of records with bad MAC */
} opt; } opt;
static void my_debug( void *ctx, int level, const char *str ) static void my_debug( void *ctx, int level, const char *str )
@ -325,11 +327,18 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY) #if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
#define USAGE_ANTI_REPLAY \ #define USAGE_ANTI_REPLAY \
" anti_replay=0/1 default: (library default = enabled)\n" " anti_replay=0/1 default: (library default: enabled)\n"
#else #else
#define USAGE_ANTI_REPLAY "" #define USAGE_ANTI_REPLAY ""
#endif #endif
#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
#define USAGE_BADMAC_LIMIT \
" badmac_limit=%%d default: (library default: disabled)\n"
#else
#define USAGE_BADMAC_LIMIT ""
#endif
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_PROTO_DTLS)
#define USAGE_DTLS \ #define USAGE_DTLS \
" dtls=%%d default: 0 (TLS)\n" \ " dtls=%%d default: 0 (TLS)\n" \
@ -352,6 +361,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
USAGE_DTLS \ USAGE_DTLS \
USAGE_COOKIES \ USAGE_COOKIES \
USAGE_ANTI_REPLAY \ USAGE_ANTI_REPLAY \
USAGE_BADMAC_LIMIT \
"\n" \ "\n" \
" auth_mode=%%s default: \"optional\"\n" \ " auth_mode=%%s default: \"optional\"\n" \
" options: none, optional, required\n" \ " options: none, optional, required\n" \
@ -772,6 +782,7 @@ int main( int argc, char *argv[] )
opt.anti_replay = DFL_ANTI_REPLAY; opt.anti_replay = DFL_ANTI_REPLAY;
opt.hs_to_min = DFL_HS_TO_MIN; opt.hs_to_min = DFL_HS_TO_MIN;
opt.hs_to_max = DFL_HS_TO_MAX; opt.hs_to_max = DFL_HS_TO_MAX;
opt.badmac_limit = DFL_BADMAC_LIMIT;
for( i = 1; i < argc; i++ ) for( i = 1; i < argc; i++ )
{ {
@ -1003,6 +1014,12 @@ int main( int argc, char *argv[] )
if( opt.anti_replay < 0 || opt.anti_replay > 1) if( opt.anti_replay < 0 || opt.anti_replay > 1)
goto usage; goto usage;
} }
else if( strcmp( p, "badmac_limit" ) == 0 )
{
opt.badmac_limit = atoi( q );
if( opt.badmac_limit < 0 )
goto usage;
}
else if( strcmp( p, "hs_timeout" ) == 0 ) else if( strcmp( p, "hs_timeout" ) == 0 )
{ {
if( ( p = strchr( q, '-' ) ) == NULL ) if( ( p = strchr( q, '-' ) ) == NULL )
@ -1458,9 +1475,12 @@ int main( int argc, char *argv[] )
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY) #if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
if( opt.anti_replay != DFL_ANTI_REPLAY ) if( opt.anti_replay != DFL_ANTI_REPLAY )
{
ssl_set_dtls_anti_replay( &ssl, opt.anti_replay ); ssl_set_dtls_anti_replay( &ssl, opt.anti_replay );
} #endif
#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
if( opt.badmac_limit != DFL_BADMAC_LIMIT )
ssl_set_dtls_badmac_limit( &ssl, opt.badmac_limit );
#endif #endif
} }
#endif /* POLARSSL_SSL_PROTO_DTLS */ #endif /* POLARSSL_SSL_PROTO_DTLS */

View file

@ -2250,15 +2250,53 @@ run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
-s "Extra-header:" \ -s "Extra-header:" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK"
run_test "DTLS proxy: inject invalid AD record" \ run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
-p "$P_PXY bad_ad=1" \ -p "$P_PXY bad_ad=1" \
"$P_SRV dtls=1 debug_level=1" \ "$P_SRV dtls=1 debug_level=1" \
"$P_CLI dtls=1 debug_level=1" \ "$P_CLI dtls=1 debug_level=1 read_timeout=100" \
0 \ 0 \
-c "discarding invalid record" \ -c "discarding invalid record" \
-s "discarding invalid record" \ -s "discarding invalid record" \
-s "Extra-header:" \ -s "Extra-header:" \
-c "HTTP/1.0 200 OK" -c "HTTP/1.0 200 OK" \
-S "too many records with bad MAC" \
-S "Verification of the message MAC failed"
run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
-p "$P_PXY bad_ad=1" \
"$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
1 \
-C "discarding invalid record" \
-S "discarding invalid record" \
-S "Extra-header:" \
-C "HTTP/1.0 200 OK" \
-s "too many records with bad MAC" \
-s "Verification of the message MAC failed"
run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
-p "$P_PXY bad_ad=1" \
"$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
0 \
-c "discarding invalid record" \
-s "discarding invalid record" \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK" \
-S "too many records with bad MAC" \
-S "Verification of the message MAC failed"
run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
-p "$P_PXY bad_ad=1" \
"$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
"$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
1 \
-c "discarding invalid record" \
-s "discarding invalid record" \
-s "Extra-header:" \
-c "HTTP/1.0 200 OK" \
-s "too many records with bad MAC" \
-s "Verification of the message MAC failed"
run_test "DTLS proxy: delay ChangeCipherSpec" \ run_test "DTLS proxy: delay ChangeCipherSpec" \
-p "$P_PXY delay_ccs=1" \ -p "$P_PXY delay_ccs=1" \