Add DTLS test to check 6 byte record ctr is cmp

Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
This commit is contained in:
Andres AG 2017-01-19 16:30:57 +00:00
parent 18c5c59b5b
commit 692ad84e5c
2 changed files with 34 additions and 6 deletions

View file

@ -63,6 +63,8 @@ int main( void )
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <stdint.h>
#include <inttypes.h>
#if !defined(_WIN32) #if !defined(_WIN32)
#include <signal.h> #include <signal.h>
@ -113,7 +115,7 @@ int main( void )
#define DFL_ALLOW_LEGACY -2 #define DFL_ALLOW_LEGACY -2
#define DFL_RENEGOTIATE 0 #define DFL_RENEGOTIATE 0
#define DFL_RENEGO_DELAY -2 #define DFL_RENEGO_DELAY -2
#define DFL_RENEGO_PERIOD -1 #define DFL_RENEGO_PERIOD ( (uint64_t)-1 )
#define DFL_EXCHANGES 1 #define DFL_EXCHANGES 1
#define DFL_MIN_VERSION -1 #define DFL_MIN_VERSION -1
#define DFL_MAX_VERSION -1 #define DFL_MAX_VERSION -1
@ -292,7 +294,7 @@ int main( void )
" renegotiation=%%d default: 0 (disabled)\n" \ " renegotiation=%%d default: 0 (disabled)\n" \
" renegotiate=%%d default: 0 (disabled)\n" \ " renegotiate=%%d default: 0 (disabled)\n" \
" renego_delay=%%d default: -2 (library default)\n" \ " renego_delay=%%d default: -2 (library default)\n" \
" renego_period=%%d default: (library default)\n" " renego_period=%%d default: (2^64 - 1 for TLS, 2^48 - 1 for DTLS)\n"
#else #else
#define USAGE_RENEGO "" #define USAGE_RENEGO ""
#endif #endif
@ -351,6 +353,19 @@ int main( void )
" force_ciphersuite=<name> default: all enabled\n" \ " force_ciphersuite=<name> default: all enabled\n" \
" acceptable ciphersuite names:\n" " acceptable ciphersuite names:\n"
#define PUT_UINT64_BE(out_be,in_le,i) \
{ \
(out_be)[(i) + 0] = (unsigned char)( ( (in_le) >> 56 ) & 0xFF ); \
(out_be)[(i) + 1] = (unsigned char)( ( (in_le) >> 48 ) & 0xFF ); \
(out_be)[(i) + 2] = (unsigned char)( ( (in_le) >> 40 ) & 0xFF ); \
(out_be)[(i) + 3] = (unsigned char)( ( (in_le) >> 32 ) & 0xFF ); \
(out_be)[(i) + 4] = (unsigned char)( ( (in_le) >> 24 ) & 0xFF ); \
(out_be)[(i) + 5] = (unsigned char)( ( (in_le) >> 16 ) & 0xFF ); \
(out_be)[(i) + 6] = (unsigned char)( ( (in_le) >> 8 ) & 0xFF ); \
(out_be)[(i) + 7] = (unsigned char)( ( (in_le) >> 0 ) & 0xFF ); \
}
/* /*
* global options * global options
*/ */
@ -377,7 +392,7 @@ struct options
int allow_legacy; /* allow legacy renegotiation */ int allow_legacy; /* allow legacy renegotiation */
int renegotiate; /* attempt renegotiation? */ int renegotiate; /* attempt renegotiation? */
int renego_delay; /* delay before enforcing renegotiation */ int renego_delay; /* delay before enforcing renegotiation */
int renego_period; /* period for automatic renegotiation */ uint64_t renego_period; /* period for automatic renegotiation */
int exchanges; /* number of data exchanges */ int exchanges; /* number of data exchanges */
int min_version; /* minimum protocol version accepted */ int min_version; /* minimum protocol version accepted */
int max_version; /* maximum protocol version accepted */ int max_version; /* maximum protocol version accepted */
@ -1041,8 +1056,8 @@ int main( int argc, char *argv[] )
} }
else if( strcmp( p, "renego_period" ) == 0 ) else if( strcmp( p, "renego_period" ) == 0 )
{ {
opt.renego_period = atoi( q ); if( sscanf( q, "%" SCNu64, &opt.renego_period ) != 1 ||
if( opt.renego_period < 2 || opt.renego_period > 255 ) opt.renego_period < 2 )
goto usage; goto usage;
} }
else if( strcmp( p, "exchanges" ) == 0 ) else if( strcmp( p, "exchanges" ) == 0 )
@ -1757,7 +1772,7 @@ int main( int argc, char *argv[] )
if( opt.renego_period != DFL_RENEGO_PERIOD ) if( opt.renego_period != DFL_RENEGO_PERIOD )
{ {
renego_period[7] = opt.renego_period; PUT_UINT64_BE( renego_period, opt.renego_period, 0 );
mbedtls_ssl_conf_renegotiation_period( &conf, renego_period ); mbedtls_ssl_conf_renegotiation_period( &conf, renego_period );
} }
#endif #endif

View file

@ -1601,6 +1601,19 @@ run_test "Renegotiation: DTLS, server-initiated" \
-s "=> renegotiate" \ -s "=> renegotiate" \
-s "write hello request" -s "write hello request"
run_test "Renegotiation: DTLS, renego_period overflow" \
"$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \
"$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \
0 \
-c "client hello, adding renegotiation extension" \
-s "received TLS_EMPTY_RENEGOTIATION_INFO" \
-s "found renegotiation extension" \
-s "server hello, secure renegotiation extension" \
-s "record counter limit reached: renegotiate" \
-c "=> renegotiate" \
-s "=> renegotiate" \
-s "write hello request" \
requires_gnutls requires_gnutls
run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ run_test "Renegotiation: DTLS, gnutls server, client-initiated" \
"$G_SRV -u --mtu 4096" \ "$G_SRV -u --mtu 4096" \