xref: /freebsd/crypto/openssl/test/bad_dtls_test.c (revision aa1a8ff2d6dbc51ef058f46f3db5a8bb77967145)
1 /*
2  * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * Unit test for Cisco DTLS1_BAD_VER session resume, as used by
12  * AnyConnect VPN protocol.
13  *
14  * This is designed to exercise the code paths in
15  * http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/dtls.c
16  * which have frequently been affected by regressions in DTLS1_BAD_VER
17  * support.
18  *
19  * Note that unlike other SSL tests, we don't test against our own SSL
20  * server method. Firstly because we don't have one; we *only* support
21  * DTLS1_BAD_VER as a client. And secondly because even if that were
22  * fixed up it's the wrong thing to test against - because if changes
23  * are made in generic DTLS code which don't take DTLS1_BAD_VER into
24  * account, there's plenty of scope for making those changes such that
25  * they break *both* the client and the server in the same way.
26  *
27  * So we handle the server side manually. In a session resume there isn't
28  * much to be done anyway.
29  */
30 #include <string.h>
31 
32 #include <openssl/core_names.h>
33 #include <openssl/params.h>
34 #include <openssl/opensslconf.h>
35 #include <openssl/bio.h>
36 #include <openssl/crypto.h>
37 #include <openssl/evp.h>
38 #include <openssl/ssl.h>
39 #include <openssl/err.h>
40 #include <openssl/rand.h>
41 #include <openssl/kdf.h>
42 #include "internal/packet.h"
43 #include "internal/nelem.h"
44 #include "testutil.h"
45 
46 /* For DTLS1_BAD_VER packets the MAC doesn't include the handshake header */
47 #define MAC_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
48 
49 static unsigned char client_random[SSL3_RANDOM_SIZE];
50 static unsigned char server_random[SSL3_RANDOM_SIZE];
51 
52 /* These are all generated locally, sized purely according to our own whim */
53 static unsigned char session_id[32];
54 static unsigned char master_secret[48];
55 static unsigned char cookie[20];
56 
57 /* We've hard-coded the cipher suite; we know it's 104 bytes */
58 static unsigned char key_block[104];
59 #define mac_key (key_block + 20)
60 #define dec_key (key_block + 40)
61 #define enc_key (key_block + 56)
62 
63 static EVP_MD_CTX *handshake_md;
64 
65 static int do_PRF(const void *seed1, int seed1_len,
66                   const void *seed2, int seed2_len,
67                   const void *seed3, int seed3_len,
68                   unsigned char *out, int olen)
69 {
70     EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
71     size_t outlen = olen;
72 
73     /* No error handling. If it all screws up, the test will fail anyway */
74     EVP_PKEY_derive_init(pctx);
75     EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1());
76     EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, master_secret, sizeof(master_secret));
77     EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len);
78     EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len);
79     EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len);
80     EVP_PKEY_derive(pctx, out, &outlen);
81     EVP_PKEY_CTX_free(pctx);
82     return 1;
83 }
84 
85 static SSL_SESSION *client_session(void)
86 {
87     static unsigned char session_asn1[] = {
88         0x30, 0x5F,              /* SEQUENCE, length 0x5F */
89         0x02, 0x01, 0x01,        /* INTEGER, SSL_SESSION_ASN1_VERSION */
90         0x02, 0x02, 0x01, 0x00,  /* INTEGER, DTLS1_BAD_VER */
91         0x04, 0x02, 0x00, 0x2F,  /* OCTET_STRING, AES128-SHA */
92         0x04, 0x20,              /* OCTET_STRING, session id */
93 #define SS_SESSID_OFS 15 /* Session ID goes here */
94         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
96         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
97         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
98         0x04, 0x30,              /* OCTET_STRING, master secret */
99 #define SS_SECRET_OFS 49 /* Master secret goes here */
100         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
102         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
103         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
105         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
106     };
107     const unsigned char *p = session_asn1;
108 
109     /* Copy the randomly-generated fields into the above ASN1 */
110     memcpy(session_asn1 + SS_SESSID_OFS, session_id, sizeof(session_id));
111     memcpy(session_asn1 + SS_SECRET_OFS, master_secret, sizeof(master_secret));
112 
113     return d2i_SSL_SESSION(NULL, &p, sizeof(session_asn1));
114 }
115 
116 /* Returns 1 for initial ClientHello, 2 for ClientHello with cookie */
117 static int validate_client_hello(BIO *wbio)
118 {
119     PACKET pkt, pkt2;
120     long len;
121     unsigned char *data;
122     int cookie_found = 0;
123     unsigned int u = 0;
124 
125     if ((len = BIO_get_mem_data(wbio, (char **)&data)) < 0)
126         return 0;
127     if (!PACKET_buf_init(&pkt, data, len))
128         return 0;
129 
130     /* Check record header type */
131     if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
132         return 0;
133     /* Version */
134     if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
135         return 0;
136     /* Skip the rest of the record header */
137     if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
138         return 0;
139 
140     /* Check it's a ClientHello */
141     if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CLIENT_HELLO)
142         return 0;
143     /* Skip the rest of the handshake message header */
144     if (!PACKET_forward(&pkt, DTLS1_HM_HEADER_LENGTH - 1))
145         return 0;
146 
147     /* Check client version */
148     if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
149         return 0;
150 
151     /* Store random */
152     if (!PACKET_copy_bytes(&pkt, client_random, SSL3_RANDOM_SIZE))
153         return 0;
154 
155     /* Check session id length and content */
156     if (!PACKET_get_length_prefixed_1(&pkt, &pkt2) ||
157         !PACKET_equal(&pkt2, session_id, sizeof(session_id)))
158         return 0;
159 
160     /* Check cookie */
161     if (!PACKET_get_length_prefixed_1(&pkt, &pkt2))
162         return 0;
163     if (PACKET_remaining(&pkt2)) {
164         if (!PACKET_equal(&pkt2, cookie, sizeof(cookie)))
165             return 0;
166         cookie_found = 1;
167     }
168 
169     /* Skip ciphers */
170     if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
171         return 0;
172 
173     /* Skip compression */
174     if (!PACKET_get_1(&pkt, &u) || !PACKET_forward(&pkt, u))
175         return 0;
176 
177     /* Skip extensions */
178     if (!PACKET_get_net_2(&pkt, &u) || !PACKET_forward(&pkt, u))
179         return 0;
180 
181     /* Now we are at the end */
182     if (PACKET_remaining(&pkt))
183         return 0;
184 
185     /* Update handshake MAC for second ClientHello (with cookie) */
186     if (cookie_found && !EVP_DigestUpdate(handshake_md, data + MAC_OFFSET,
187                                           len - MAC_OFFSET))
188         return 0;
189 
190     (void)BIO_reset(wbio);
191 
192     return 1 + cookie_found;
193 }
194 
195 static int send_hello_verify(BIO *rbio)
196 {
197     static unsigned char hello_verify[] = {
198         0x16, /* Handshake */
199         0x01, 0x00, /* DTLS1_BAD_VER */
200         0x00, 0x00, /* Epoch 0 */
201         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* Seq# 0 */
202         0x00, 0x23, /* Length */
203         0x03, /* Hello Verify */
204         0x00, 0x00, 0x17, /* Length */
205         0x00, 0x00, /* Seq# 0 */
206         0x00, 0x00, 0x00, /* Fragment offset */
207         0x00, 0x00, 0x17, /* Fragment length */
208         0x01, 0x00, /* DTLS1_BAD_VER */
209         0x14, /* Cookie length */
210 #define HV_COOKIE_OFS 28 /* Cookie goes here */
211         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
212         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
213         0x00, 0x00, 0x00, 0x00,
214     };
215 
216     memcpy(hello_verify + HV_COOKIE_OFS, cookie, sizeof(cookie));
217 
218     BIO_write(rbio, hello_verify, sizeof(hello_verify));
219 
220     return 1;
221 }
222 
223 static int send_server_hello(BIO *rbio)
224 {
225     static unsigned char server_hello[] = {
226         0x16, /* Handshake */
227         0x01, 0x00, /* DTLS1_BAD_VER */
228         0x00, 0x00, /* Epoch 0 */
229         0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* Seq# 1 */
230         0x00, 0x52, /* Length */
231         0x02, /* Server Hello */
232         0x00, 0x00, 0x46, /* Length */
233         0x00, 0x01, /* Seq# */
234         0x00, 0x00, 0x00, /* Fragment offset */
235         0x00, 0x00, 0x46, /* Fragment length */
236         0x01, 0x00, /* DTLS1_BAD_VER */
237 #define SH_RANDOM_OFS 27 /* Server random goes here */
238         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
239         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
240         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
241         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
242         0x20, /* Session ID length */
243 #define SH_SESSID_OFS 60 /* Session ID goes here */
244         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
245         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
246         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
247         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
248         0x00, 0x2f, /* Cipher suite AES128-SHA */
249         0x00, /* Compression null */
250     };
251     static unsigned char change_cipher_spec[] = {
252         0x14, /* Change Cipher Spec */
253         0x01, 0x00, /* DTLS1_BAD_VER */
254         0x00, 0x00, /* Epoch 0 */
255         0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* Seq# 2 */
256         0x00, 0x03, /* Length */
257         0x01, 0x00, 0x02, /* Message */
258     };
259 
260     memcpy(server_hello + SH_RANDOM_OFS, server_random, sizeof(server_random));
261     memcpy(server_hello + SH_SESSID_OFS, session_id, sizeof(session_id));
262 
263     if (!EVP_DigestUpdate(handshake_md, server_hello + MAC_OFFSET,
264                           sizeof(server_hello) - MAC_OFFSET))
265         return 0;
266 
267     BIO_write(rbio, server_hello, sizeof(server_hello));
268     BIO_write(rbio, change_cipher_spec, sizeof(change_cipher_spec));
269 
270     return 1;
271 }
272 
273 /* Create header, HMAC, pad, encrypt and send a record */
274 static int send_record(BIO *rbio, unsigned char type, uint64_t seqnr,
275                        const void *msg, size_t len)
276 {
277     /* Note that the order of the record header fields on the wire,
278      * and in the HMAC, is different. So we just keep them in separate
279      * variables and handle them individually. */
280     static unsigned char epoch[2] = { 0x00, 0x01 };
281     static unsigned char seq[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
282     static unsigned char ver[2] = { 0x01, 0x00 }; /* DTLS1_BAD_VER */
283     unsigned char lenbytes[2];
284     EVP_MAC *hmac = NULL;
285     EVP_MAC_CTX *ctx = NULL;
286     EVP_CIPHER_CTX *enc_ctx = NULL;
287     unsigned char iv[16];
288     unsigned char pad;
289     unsigned char *enc;
290     OSSL_PARAM params[2];
291     int ret = 0;
292 
293     seq[0] = (seqnr >> 40) & 0xff;
294     seq[1] = (seqnr >> 32) & 0xff;
295     seq[2] = (seqnr >> 24) & 0xff;
296     seq[3] = (seqnr >> 16) & 0xff;
297     seq[4] = (seqnr >> 8) & 0xff;
298     seq[5] = seqnr & 0xff;
299 
300     pad = 15 - ((len + SHA_DIGEST_LENGTH) % 16);
301     enc = OPENSSL_malloc(len + SHA_DIGEST_LENGTH + 1 + pad);
302     if (enc == NULL)
303         return 0;
304 
305     /* Copy record to encryption buffer */
306     memcpy(enc, msg, len);
307 
308     /* Append HMAC to data */
309     if (!TEST_ptr(hmac = EVP_MAC_fetch(NULL, "HMAC", NULL))
310             || !TEST_ptr(ctx = EVP_MAC_CTX_new(hmac)))
311         goto end;
312     params[0] = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST,
313                                                  "SHA1", 0);
314     params[1] = OSSL_PARAM_construct_end();
315     lenbytes[0] = (unsigned char)(len >> 8);
316     lenbytes[1] = (unsigned char)(len);
317     if (!EVP_MAC_init(ctx, mac_key, 20, params)
318             || !EVP_MAC_update(ctx, epoch, 2)
319             || !EVP_MAC_update(ctx, seq, 6)
320             || !EVP_MAC_update(ctx, &type, 1)
321             || !EVP_MAC_update(ctx, ver, 2)      /* Version */
322             || !EVP_MAC_update(ctx, lenbytes, 2) /* Length */
323             || !EVP_MAC_update(ctx, enc, len)    /* Finally the data itself */
324             || !EVP_MAC_final(ctx, enc + len, NULL, SHA_DIGEST_LENGTH))
325         goto end;
326 
327     /* Append padding bytes */
328     len += SHA_DIGEST_LENGTH;
329     do {
330         enc[len++] = pad;
331     } while (len % 16);
332 
333     /* Generate IV, and encrypt */
334     if (!TEST_int_gt(RAND_bytes(iv, sizeof(iv)), 0)
335             || !TEST_ptr(enc_ctx = EVP_CIPHER_CTX_new())
336             || !TEST_true(EVP_CipherInit_ex(enc_ctx, EVP_aes_128_cbc(), NULL,
337                                             enc_key, iv, 1))
338             || !TEST_int_ge(EVP_Cipher(enc_ctx, enc, enc, len), 0))
339         goto end;
340 
341     /* Finally write header (from fragmented variables), IV and encrypted record */
342     BIO_write(rbio, &type, 1);
343     BIO_write(rbio, ver, 2);
344     BIO_write(rbio, epoch, 2);
345     BIO_write(rbio, seq, 6);
346     lenbytes[0] = (unsigned char)((len + sizeof(iv)) >> 8);
347     lenbytes[1] = (unsigned char)(len + sizeof(iv));
348     BIO_write(rbio, lenbytes, 2);
349 
350     BIO_write(rbio, iv, sizeof(iv));
351     BIO_write(rbio, enc, len);
352     ret = 1;
353  end:
354     EVP_MAC_free(hmac);
355     EVP_MAC_CTX_free(ctx);
356     EVP_CIPHER_CTX_free(enc_ctx);
357     OPENSSL_free(enc);
358     return ret;
359 }
360 
361 static int send_finished(SSL *s, BIO *rbio)
362 {
363     static unsigned char finished_msg[DTLS1_HM_HEADER_LENGTH +
364                                       TLS1_FINISH_MAC_LENGTH] = {
365         0x14, /* Finished */
366         0x00, 0x00, 0x0c, /* Length */
367         0x00, 0x03, /* Seq# 3 */
368         0x00, 0x00, 0x00, /* Fragment offset */
369         0x00, 0x00, 0x0c, /* Fragment length */
370         /* Finished MAC (12 bytes) */
371     };
372     unsigned char handshake_hash[EVP_MAX_MD_SIZE];
373 
374     /* Derive key material */
375     do_PRF(TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
376            server_random, SSL3_RANDOM_SIZE,
377            client_random, SSL3_RANDOM_SIZE,
378            key_block, sizeof(key_block));
379 
380     /* Generate Finished MAC */
381     if (!EVP_DigestFinal_ex(handshake_md, handshake_hash, NULL))
382         return 0;
383 
384     do_PRF(TLS_MD_SERVER_FINISH_CONST, TLS_MD_SERVER_FINISH_CONST_SIZE,
385            handshake_hash, EVP_MD_CTX_get_size(handshake_md),
386            NULL, 0,
387            finished_msg + DTLS1_HM_HEADER_LENGTH, TLS1_FINISH_MAC_LENGTH);
388 
389     return send_record(rbio, SSL3_RT_HANDSHAKE, 0,
390                        finished_msg, sizeof(finished_msg));
391 }
392 
393 static int validate_ccs(BIO *wbio)
394 {
395     PACKET pkt;
396     long len;
397     unsigned char *data;
398     unsigned int u;
399 
400     len = BIO_get_mem_data(wbio, (char **)&data);
401     if (len < 0)
402         return 0;
403 
404     if (!PACKET_buf_init(&pkt, data, len))
405         return 0;
406 
407     /* Check record header type */
408     if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_CHANGE_CIPHER_SPEC)
409         return 0;
410     /* Version */
411     if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
412         return 0;
413     /* Skip the rest of the record header */
414     if (!PACKET_forward(&pkt, DTLS1_RT_HEADER_LENGTH - 3))
415         return 0;
416 
417     /* Check ChangeCipherSpec message */
418     if (!PACKET_get_1(&pkt, &u) || u != SSL3_MT_CCS)
419         return 0;
420     /* A DTLS1_BAD_VER ChangeCipherSpec also contains the
421      * handshake sequence number (which is 2 here) */
422     if (!PACKET_get_net_2(&pkt, &u) || u != 0x0002)
423         return 0;
424 
425     /* Now check the Finished packet */
426     if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
427         return 0;
428     if (!PACKET_get_net_2(&pkt, &u) || u != DTLS1_BAD_VER)
429         return 0;
430 
431     /* Check epoch is now 1 */
432     if (!PACKET_get_net_2(&pkt, &u) || u != 0x0001)
433         return 0;
434 
435     /* That'll do for now. If OpenSSL accepted *our* Finished packet
436      * then it's evidently remembered that DTLS1_BAD_VER doesn't
437      * include the handshake header in the MAC. There's not a lot of
438      * point in implementing decryption here, just to check that it
439      * continues to get it right for one more packet. */
440 
441     return 1;
442 }
443 
444 #define NODROP(x) { x##UL, 0 }
445 #define DROP(x)   { x##UL, 1 }
446 
447 static struct {
448     uint64_t seq;
449     int drop;
450 } tests[] = {
451     NODROP(1), NODROP(3), NODROP(2),
452     NODROP(0x1234), NODROP(0x1230), NODROP(0x1235),
453     NODROP(0xffff), NODROP(0x10001), NODROP(0xfffe), NODROP(0x10000),
454     DROP(0x10001), DROP(0xff), NODROP(0x100000), NODROP(0x800000), NODROP(0x7fffe1),
455     NODROP(0xffffff), NODROP(0x1000000), NODROP(0xfffffe), DROP(0xffffff), NODROP(0x1000010),
456     NODROP(0xfffffd), NODROP(0x1000011), DROP(0x12), NODROP(0x1000012),
457     NODROP(0x1ffffff), NODROP(0x2000000), DROP(0x1ff00fe), NODROP(0x2000001),
458     NODROP(0x20fffff), NODROP(0x2105500), DROP(0x20ffffe), NODROP(0x21054ff),
459     NODROP(0x211ffff), DROP(0x2110000), NODROP(0x2120000)
460     /* The last test should be NODROP, because a DROP wouldn't get tested. */
461 };
462 
463 static int test_bad_dtls(void)
464 {
465     SSL_SESSION *sess = NULL;
466     SSL_CTX *ctx = NULL;
467     SSL *con = NULL;
468     BIO *rbio = NULL;
469     BIO *wbio = NULL;
470     time_t now = 0;
471     int testresult = 0;
472     int ret;
473     int i;
474 
475     RAND_bytes(session_id, sizeof(session_id));
476     RAND_bytes(master_secret, sizeof(master_secret));
477     RAND_bytes(cookie, sizeof(cookie));
478     RAND_bytes(server_random + 4, sizeof(server_random) - 4);
479 
480     now = time(NULL);
481     memcpy(server_random, &now, sizeof(now));
482 
483     sess = client_session();
484     if (!TEST_ptr(sess))
485         goto end;
486 
487     handshake_md = EVP_MD_CTX_new();
488     if (!TEST_ptr(handshake_md)
489             || !TEST_true(EVP_DigestInit_ex(handshake_md, EVP_md5_sha1(),
490                                             NULL)))
491         goto end;
492 
493     ctx = SSL_CTX_new(DTLS_client_method());
494     if (!TEST_ptr(ctx)
495             || !TEST_true(SSL_CTX_set_min_proto_version(ctx, DTLS1_BAD_VER))
496             || !TEST_true(SSL_CTX_set_max_proto_version(ctx, DTLS1_BAD_VER))
497             || !TEST_true(SSL_CTX_set_options(ctx,
498                                               SSL_OP_LEGACY_SERVER_CONNECT))
499             || !TEST_true(SSL_CTX_set_cipher_list(ctx, "AES128-SHA")))
500         goto end;
501 
502     con = SSL_new(ctx);
503     if (!TEST_ptr(con)
504             || !TEST_true(SSL_set_session(con, sess)))
505         goto end;
506     SSL_SESSION_free(sess);
507 
508     rbio = BIO_new(BIO_s_mem());
509     wbio = BIO_new(BIO_s_mem());
510 
511     if (!TEST_ptr(rbio)
512             || !TEST_ptr(wbio))
513         goto end;
514 
515     SSL_set_bio(con, rbio, wbio);
516 
517     if (!TEST_true(BIO_up_ref(rbio))) {
518         /*
519          * We can't up-ref but we assigned ownership to con, so we shouldn't
520          * free in the "end" block
521          */
522         rbio = wbio = NULL;
523         goto end;
524     }
525 
526     if (!TEST_true(BIO_up_ref(wbio))) {
527         wbio = NULL;
528         goto end;
529     }
530 
531     SSL_set_connect_state(con);
532 
533     /* Send initial ClientHello */
534     ret = SSL_do_handshake(con);
535     if (!TEST_int_le(ret, 0)
536             || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
537             || !TEST_int_eq(validate_client_hello(wbio), 1)
538             || !TEST_true(send_hello_verify(rbio)))
539         goto end;
540 
541     ret = SSL_do_handshake(con);
542     if (!TEST_int_le(ret, 0)
543             || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
544             || !TEST_int_eq(validate_client_hello(wbio), 2)
545             || !TEST_true(send_server_hello(rbio)))
546         goto end;
547 
548     ret = SSL_do_handshake(con);
549     if (!TEST_int_le(ret, 0)
550             || !TEST_int_eq(SSL_get_error(con, ret), SSL_ERROR_WANT_READ)
551             || !TEST_true(send_finished(con, rbio)))
552         goto end;
553 
554     ret = SSL_do_handshake(con);
555     if (!TEST_int_gt(ret, 0)
556             || !TEST_true(validate_ccs(wbio)))
557         goto end;
558 
559     /* While we're here and crafting packets by hand, we might as well do a
560        bit of a stress test on the DTLS record replay handling. Not Cisco-DTLS
561        specific but useful anyway for the general case. It's been broken
562        before, and in fact was broken even for a basic 0, 2, 1 test case
563        when this test was first added.... */
564     for (i = 0; i < (int)OSSL_NELEM(tests); i++) {
565         uint64_t recv_buf[2];
566 
567         if (!TEST_true(send_record(rbio, SSL3_RT_APPLICATION_DATA, tests[i].seq,
568                                    &tests[i].seq, sizeof(uint64_t)))) {
569             TEST_error("Failed to send data seq #0x%x%08x (%d)\n",
570                        (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
571             goto end;
572         }
573 
574         if (tests[i].drop)
575             continue;
576 
577         ret = SSL_read(con, recv_buf, 2 * sizeof(uint64_t));
578         if (!TEST_int_eq(ret, (int)sizeof(uint64_t))) {
579             TEST_error("SSL_read failed or wrong size on seq#0x%x%08x (%d)\n",
580                        (unsigned int)(tests[i].seq >> 32), (unsigned int)tests[i].seq, i);
581             goto end;
582         }
583         if (!TEST_true(recv_buf[0] == tests[i].seq))
584             goto end;
585     }
586 
587     /* The last test cannot be DROP() */
588     if (!TEST_false(tests[i-1].drop))
589         goto end;
590 
591     testresult = 1;
592 
593  end:
594     BIO_free(rbio);
595     BIO_free(wbio);
596     SSL_free(con);
597     SSL_CTX_free(ctx);
598     EVP_MD_CTX_free(handshake_md);
599 
600     return testresult;
601 }
602 
603 int setup_tests(void)
604 {
605     ADD_TEST(test_bad_dtls);
606     return 1;
607 }
608