From 34dcf4e6f63c4b8156d349aa41a512e8f84aaf47 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 24 May 2019 10:07:42 +0100 Subject: [PATCH] Add bad_cid option UDP proxy to insert unexpected CID records This commit adds the command line option 'bad_cid' to the UDP proxy `./programs/test/udp_proxy`. It takes a non-negative integral value N, which if not 0 has the effect of duplicating every 1:N CID records and modifying the CID in the first copy sent. This is to exercise the stacks documented behaviour on receipt of unexpected CIDs. It is important to send the record with the unexpected CID first, because otherwise the packet would be dropped already during replay protection (the same holds for the implementation of the existing 'bad_ad' option). --- programs/test/udp_proxy.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 747a8410a..999c87e27 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -128,6 +128,9 @@ int main( void ) " mtu=%%d default: 0 (unlimited)\n" \ " drop packets larger than N bytes\n" \ " bad_ad=0/1 default: 0 (don't add bad ApplicationData)\n" \ + " bad_cid=%%d default: 0 (don't corrupt Connection IDs)\n" \ + " duplicate 1:N packets containing a CID,\n" \ + " modifying CID in first instance of the packet.\n" \ " protect_hvr=0/1 default: 0 (don't protect HelloVerifyRequest)\n" \ " protect_len=%%d default: (don't protect packets of this size)\n" \ "\n" \ @@ -160,6 +163,7 @@ static struct options int drop; /* drop 1 packet in N (none if 0) */ int mtu; /* drop packets larger than this */ int bad_ad; /* inject corrupted ApplicationData record */ + unsigned bad_cid; /* inject corrupted CID record */ int protect_hvr; /* never drop or delay HelloVerifyRequest */ int protect_len; /* never drop/delay packet of the given size*/ unsigned pack; /* merge packets into single datagram for @@ -292,6 +296,12 @@ static void get_options( int argc, char *argv[] ) if( opt.bad_ad < 0 || opt.bad_ad > 1 ) exit_usage( p, q ); } +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) + else if( strcmp( p, "bad_cid" ) == 0 ) + { + opt.bad_cid = (unsigned) atoi( q ); + } +#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ else if( strcmp( p, "protect_hvr" ) == 0 ) { opt.protect_hvr = atoi( q ); @@ -518,6 +528,25 @@ int send_packet( const packet *p, const char *why ) int ret; mbedtls_net_context *dst = p->dst; + /* insert corrupted CID record? */ + if( opt.bad_cid != 0 && + strcmp( p->type, "CID" ) == 0 && + ( rand() % opt.bad_cid ) == 0 ) + { + unsigned char buf[MAX_MSG_SIZE]; + memcpy( buf, p->buf, p->len ); + + /* The CID resides at offset 11 in the DTLS record header. */ + buf[11] ^= 1; + print_packet( p, "modified CID" ); + + if( ( ret = dispatch_data( dst, buf, p->len ) ) <= 0 ) + { + mbedtls_printf( " ! dispatch returned %d\n", ret ); + return( ret ); + } + } + /* insert corrupted ApplicationData record? */ if( opt.bad_ad && strcmp( p->type, "ApplicationData" ) == 0 )