Add tests for ssl_set_dtls_badmac_limit()
This commit is contained in:
parent
b0643d152d
commit
e698f59a25
2 changed files with 64 additions and 6 deletions
|
@ -126,6 +126,7 @@ int main( int argc, char *argv[] )
|
||||||
#define DFL_ANTI_REPLAY -1
|
#define DFL_ANTI_REPLAY -1
|
||||||
#define DFL_HS_TO_MIN 0
|
#define DFL_HS_TO_MIN 0
|
||||||
#define DFL_HS_TO_MAX 0
|
#define DFL_HS_TO_MAX 0
|
||||||
|
#define DFL_BADMAC_LIMIT -1
|
||||||
|
|
||||||
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
|
||||||
|
@ -192,6 +193,7 @@ struct options
|
||||||
int anti_replay; /* Use anti-replay for DTLS? -1 for default */
|
int anti_replay; /* Use anti-replay for DTLS? -1 for default */
|
||||||
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
|
uint32_t hs_to_min; /* Initial value of DTLS handshake timer */
|
||||||
uint32_t hs_to_max; /* Max value of DTLS handshake timer */
|
uint32_t hs_to_max; /* Max value of DTLS handshake timer */
|
||||||
|
int badmac_limit; /* Limit of records with bad MAC */
|
||||||
} opt;
|
} opt;
|
||||||
|
|
||||||
static void my_debug( void *ctx, int level, const char *str )
|
static void my_debug( void *ctx, int level, const char *str )
|
||||||
|
@ -325,11 +327,18 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
#define USAGE_ANTI_REPLAY \
|
#define USAGE_ANTI_REPLAY \
|
||||||
" anti_replay=0/1 default: (library default = enabled)\n"
|
" anti_replay=0/1 default: (library default: enabled)\n"
|
||||||
#else
|
#else
|
||||||
#define USAGE_ANTI_REPLAY ""
|
#define USAGE_ANTI_REPLAY ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
|
||||||
|
#define USAGE_BADMAC_LIMIT \
|
||||||
|
" badmac_limit=%%d default: (library default: disabled)\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_BADMAC_LIMIT ""
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
#if defined(POLARSSL_SSL_PROTO_DTLS)
|
||||||
#define USAGE_DTLS \
|
#define USAGE_DTLS \
|
||||||
" dtls=%%d default: 0 (TLS)\n" \
|
" dtls=%%d default: 0 (TLS)\n" \
|
||||||
|
@ -352,6 +361,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
|
||||||
USAGE_DTLS \
|
USAGE_DTLS \
|
||||||
USAGE_COOKIES \
|
USAGE_COOKIES \
|
||||||
USAGE_ANTI_REPLAY \
|
USAGE_ANTI_REPLAY \
|
||||||
|
USAGE_BADMAC_LIMIT \
|
||||||
"\n" \
|
"\n" \
|
||||||
" auth_mode=%%s default: \"optional\"\n" \
|
" auth_mode=%%s default: \"optional\"\n" \
|
||||||
" options: none, optional, required\n" \
|
" options: none, optional, required\n" \
|
||||||
|
@ -772,6 +782,7 @@ int main( int argc, char *argv[] )
|
||||||
opt.anti_replay = DFL_ANTI_REPLAY;
|
opt.anti_replay = DFL_ANTI_REPLAY;
|
||||||
opt.hs_to_min = DFL_HS_TO_MIN;
|
opt.hs_to_min = DFL_HS_TO_MIN;
|
||||||
opt.hs_to_max = DFL_HS_TO_MAX;
|
opt.hs_to_max = DFL_HS_TO_MAX;
|
||||||
|
opt.badmac_limit = DFL_BADMAC_LIMIT;
|
||||||
|
|
||||||
for( i = 1; i < argc; i++ )
|
for( i = 1; i < argc; i++ )
|
||||||
{
|
{
|
||||||
|
@ -1003,6 +1014,12 @@ int main( int argc, char *argv[] )
|
||||||
if( opt.anti_replay < 0 || opt.anti_replay > 1)
|
if( opt.anti_replay < 0 || opt.anti_replay > 1)
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "badmac_limit" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.badmac_limit = atoi( q );
|
||||||
|
if( opt.badmac_limit < 0 )
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
else if( strcmp( p, "hs_timeout" ) == 0 )
|
else if( strcmp( p, "hs_timeout" ) == 0 )
|
||||||
{
|
{
|
||||||
if( ( p = strchr( q, '-' ) ) == NULL )
|
if( ( p = strchr( q, '-' ) ) == NULL )
|
||||||
|
@ -1458,9 +1475,12 @@ int main( int argc, char *argv[] )
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
#if defined(POLARSSL_SSL_DTLS_ANTI_REPLAY)
|
||||||
if( opt.anti_replay != DFL_ANTI_REPLAY )
|
if( opt.anti_replay != DFL_ANTI_REPLAY )
|
||||||
{
|
|
||||||
ssl_set_dtls_anti_replay( &ssl, opt.anti_replay );
|
ssl_set_dtls_anti_replay( &ssl, opt.anti_replay );
|
||||||
}
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_DTLS_BADMAC_LIMIT)
|
||||||
|
if( opt.badmac_limit != DFL_BADMAC_LIMIT )
|
||||||
|
ssl_set_dtls_badmac_limit( &ssl, opt.badmac_limit );
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_PROTO_DTLS */
|
#endif /* POLARSSL_SSL_PROTO_DTLS */
|
||||||
|
|
|
@ -2250,15 +2250,53 @@ run_test "DTLS proxy: duplicate every packet, server anti-replay off" \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK"
|
||||||
|
|
||||||
run_test "DTLS proxy: inject invalid AD record" \
|
run_test "DTLS proxy: inject invalid AD record, default badmac_limit" \
|
||||||
-p "$P_PXY bad_ad=1" \
|
-p "$P_PXY bad_ad=1" \
|
||||||
"$P_SRV dtls=1 debug_level=1" \
|
"$P_SRV dtls=1 debug_level=1" \
|
||||||
"$P_CLI dtls=1 debug_level=1" \
|
"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
|
||||||
0 \
|
0 \
|
||||||
-c "discarding invalid record" \
|
-c "discarding invalid record" \
|
||||||
-s "discarding invalid record" \
|
-s "discarding invalid record" \
|
||||||
-s "Extra-header:" \
|
-s "Extra-header:" \
|
||||||
-c "HTTP/1.0 200 OK"
|
-c "HTTP/1.0 200 OK" \
|
||||||
|
-S "too many records with bad MAC" \
|
||||||
|
-S "Verification of the message MAC failed"
|
||||||
|
|
||||||
|
run_test "DTLS proxy: inject invalid AD record, badmac_limit 1" \
|
||||||
|
-p "$P_PXY bad_ad=1" \
|
||||||
|
"$P_SRV dtls=1 debug_level=1 badmac_limit=1" \
|
||||||
|
"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
|
||||||
|
1 \
|
||||||
|
-C "discarding invalid record" \
|
||||||
|
-S "discarding invalid record" \
|
||||||
|
-S "Extra-header:" \
|
||||||
|
-C "HTTP/1.0 200 OK" \
|
||||||
|
-s "too many records with bad MAC" \
|
||||||
|
-s "Verification of the message MAC failed"
|
||||||
|
|
||||||
|
run_test "DTLS proxy: inject invalid AD record, badmac_limit 2" \
|
||||||
|
-p "$P_PXY bad_ad=1" \
|
||||||
|
"$P_SRV dtls=1 debug_level=1 badmac_limit=2" \
|
||||||
|
"$P_CLI dtls=1 debug_level=1 read_timeout=100" \
|
||||||
|
0 \
|
||||||
|
-c "discarding invalid record" \
|
||||||
|
-s "discarding invalid record" \
|
||||||
|
-s "Extra-header:" \
|
||||||
|
-c "HTTP/1.0 200 OK" \
|
||||||
|
-S "too many records with bad MAC" \
|
||||||
|
-S "Verification of the message MAC failed"
|
||||||
|
|
||||||
|
run_test "DTLS proxy: inject invalid AD record, badmac_limit 2, exchanges 2"\
|
||||||
|
-p "$P_PXY bad_ad=1" \
|
||||||
|
"$P_SRV dtls=1 debug_level=1 badmac_limit=2 exchanges=2" \
|
||||||
|
"$P_CLI dtls=1 debug_level=1 read_timeout=100 exchanges=2" \
|
||||||
|
1 \
|
||||||
|
-c "discarding invalid record" \
|
||||||
|
-s "discarding invalid record" \
|
||||||
|
-s "Extra-header:" \
|
||||||
|
-c "HTTP/1.0 200 OK" \
|
||||||
|
-s "too many records with bad MAC" \
|
||||||
|
-s "Verification of the message MAC failed"
|
||||||
|
|
||||||
run_test "DTLS proxy: delay ChangeCipherSpec" \
|
run_test "DTLS proxy: delay ChangeCipherSpec" \
|
||||||
-p "$P_PXY delay_ccs=1" \
|
-p "$P_PXY delay_ccs=1" \
|
||||||
|
|
Loading…
Reference in a new issue