diff options
| author | Matt Caswell <matt@openssl.org> | 2016-07-05 09:50:55 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2016-08-19 13:52:40 +0100 |
| commit | ac9fc67a488427bc3e987f5a4c235e8fbeedf711 (patch) | |
| tree | 9b98f52369983f50702e83086ff92db24d4e6d07 /test | |
| parent | 738ad946ddf7cbb839447981304df89f5f83b18b (diff) | |
Add DTLS replay protection test
Injects a record from epoch 1 during epoch 0 handshake, with a record
sequence number in the future, to test that the record replay protection
feature works as expected. This is described more fully in the next commit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'test')
| -rw-r--r-- | test/dtlstest.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/test/dtlstest.c b/test/dtlstest.c index c2aa7ee71a..06db5d28bd 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -18,6 +18,8 @@ static char *cert = NULL; static char *privkey = NULL; +#define NUM_TESTS 2 + #define DUMMY_CERT_STATUS_LEN 12 @@ -36,13 +38,17 @@ unsigned char certstatus[] = { 0x80, 0x80, 0x80, 0x80, 0x80 /* Dummy data */ }; -static int test_dtls_unprocessed(void) +#define RECORD_SEQUENCE 10 + +static int test_dtls_unprocessed(int testidx) { SSL_CTX *sctx = NULL, *cctx = NULL; SSL *serverssl1 = NULL, *clientssl1 = NULL; BIO *c_to_s_fbio, *c_to_s_mempacket; int testresult = 0; + printf("Starting Test %d\n", testidx); + if (!create_ssl_ctx_pair(DTLS_server_method(), DTLS_client_method(), &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); @@ -67,9 +73,15 @@ static int test_dtls_unprocessed(void) goto end; } + if (testidx == 1) + certstatus[RECORD_SEQUENCE] = 0xff; + /* - * Inject a dummy record from the next epoch. This should never get used - * because the message sequence number is too big + * Inject a dummy record from the next epoch. In test 0, this should never + * get used because the message sequence number is too big. In test 1 we set + * the record sequence number to be way off in the future. This should not + * have an impact on the record replay protection because the record should + * be dropped before it is marked as arrived */ c_to_s_mempacket = SSL_get_wbio(clientssl1); c_to_s_mempacket = BIO_next(c_to_s_mempacket); @@ -110,7 +122,7 @@ int main(int argc, char *argv[]) CRYPTO_set_mem_debug(1); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - ADD_TEST(test_dtls_unprocessed); + ADD_ALL_TESTS(test_dtls_unprocessed, NUM_TESTS); testresult = run_tests(argv[0]); |