From b85ce9eaeb982b0e037748c463c2d155d246e6d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 13 Mar 2020 11:11:02 +0100 Subject: [PATCH 1/4] Add negative test for hard reconnect cookie check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The server must check client reachability (we chose to do that by checking a cookie) before destroying the existing association (RFC 6347 section 4.2.8). Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello - the server should notice, but not destroy the connection. Signed-off-by: Manuel Pégourié-Gonnard --- programs/test/udp_proxy.c | 54 +++++++++++++++++++++++++++++++++++++++ tests/ssl-opt.sh | 8 ++++++ 2 files changed, 62 insertions(+) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index e96e91bf5..bca53c0b5 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -130,6 +130,7 @@ int main( void ) " bad_ad=0/1 default: 0 (don't add bad ApplicationData)\n" \ " protect_hvr=0/1 default: 0 (don't protect HelloVerifyRequest)\n" \ " protect_len=%%d default: (don't protect packets of this size)\n" \ + " inject_clihlo=0/1 default: 0 (don't inject fake ClientHello)\n" \ "\n" \ " seed=%%d default: (use current time)\n" \ USAGE_PACK \ @@ -162,6 +163,7 @@ static struct options int bad_ad; /* inject corrupted ApplicationData record */ int protect_hvr; /* never drop or delay HelloVerifyRequest */ int protect_len; /* never drop/delay packet of the given size*/ + int inject_clihlo; /* inject fake ClientHello after handshake */ unsigned pack; /* merge packets into single datagram for * at most \c merge milliseconds if > 0 */ unsigned int seed; /* seed for "random" events */ @@ -304,6 +306,12 @@ static void get_options( int argc, char *argv[] ) if( opt.protect_len < 0 ) exit_usage( p, q ); } + else if( strcmp( p, "inject_clihlo" ) == 0 ) + { + opt.inject_clihlo = atoi( q ); + if( opt.inject_clihlo < 0 || opt.inject_clihlo > 1 ) + exit_usage( p, q ); + } else if( strcmp( p, "seed" ) == 0 ) { opt.seed = atoi( q ); @@ -503,11 +511,40 @@ void print_packet( const packet *p, const char *why ) fflush( stdout ); } +/* + * In order to test the server's behaviour when receiving a ClientHello after + * the connection is established (this could be a hard reset from the client, + * but the server must not drop the existing connection before establishing + * client reachability, see RFC 6347 Section 4.2.8), we memorize the first + * ClientHello we see (which can't have a cookie), then replay it after the + * first ApplicationData record - then we're done. + * + * This is controlled by the inject_clihlo option. + * + * We want an explicit state and a place to store the packet. + */ +static enum { + ich_init, /* haven't seen the first ClientHello yet */ + ich_cached, /* cached the initial ClientHello */ + ich_injected, /* ClientHello already injected, done */ +} inject_clihlo_state; + +static packet initial_clihlo; + int send_packet( const packet *p, const char *why ) { int ret; mbedtls_net_context *dst = p->dst; + /* save initial ClientHello? */ + if( opt.inject_clihlo != 0 && + inject_clihlo_state == ich_init && + strcmp( p->type, "ClientHello" ) == 0 ) + { + memcpy( &initial_clihlo, p, sizeof( packet ) ); + inject_clihlo_state = ich_cached; + } + /* insert corrupted ApplicationData record? */ if( opt.bad_ad && strcmp( p->type, "ApplicationData" ) == 0 ) @@ -553,6 +590,23 @@ int send_packet( const packet *p, const char *why ) } } + /* Inject ClientHello after first ApplicationData */ + if( opt.inject_clihlo != 0 && + inject_clihlo_state == ich_cached && + strcmp( p->type, "ApplicationData" ) == 0 ) + { + print_packet( &initial_clihlo, "injected" ); + + if( ( ret = dispatch_data( dst, initial_clihlo.buf, + initial_clihlo.len ) ) <= 0 ) + { + mbedtls_printf( " ! dispatch returned %d\n", ret ); + return( ret ); + } + + inject_clihlo_state = ich_injected; + } + return( 0 ); } diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9fbf59201..5a53f504d 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5798,6 +5798,14 @@ run_test "DTLS client reconnect from same port: no cookies" \ -s "The operation timed out" \ -S "Client initiated reconnection from same port" +run_test "DTLS client reconnect from same port: attacker-injected" \ + -p "$P_PXY inject_clihlo=1" \ + "$P_SRV dtls=1 exchanges=2 debug_level=1" \ + "$P_CLI dtls=1 exchanges=2" \ + 0 \ + -s "possible client reconnect from the same port" \ + -S "Client initiated reconnection from same port" + # Tests for various cases of client authentication with DTLS # (focused on handshake flows and message parsing) From 34cbf106f3f0a04efa262d89eb7b1e6d7017feda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 9 Sep 2019 11:14:37 +0200 Subject: [PATCH 2/4] Adjust timeout of tests with "no resend" assertions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are currently 4 tests in ssl-opt.sh with either -C "resend" or -S "resend", that is, asserting that no retransmission will occur. They sometimes fail on loaded CI machines as one side doesn't send a message fast enough, causing the other side to retransmit, causing the test to fail. (For the "reconnect" test there was an other issue causing random failures, fixed in a previous commit, but even after that fix the test would still sometimes randomly fail, even if much more rarely.) While it's a hard problem to fix in a general and perfect way, in practice the probability of failures can be drastically reduced by making the timeout values much larger. For some tests, where retransmissions are actually expected, this would have the negative effect of increasing the average running time of the test, as each side would wait for longer before it starts retransmission, so we have a trade-off between average running time and probability of spurious failures. But for tests where retransmission is not expected, there is no such trade-off as the expected running time of the test (assuming the code is correct most of the time) is not impacted by the timeout value. So the only negative effect of increasing the timeout value is on the worst-case running time on the test, which is much less important, as test should only fail quite rarely. This commit addresses the easy case of tests that don't expect retransmission by increasing the value of their timeout range to 10s-20s. This value corresponds to the value used for tests that assert `-S "autoreduction"` which are in the same case and where the current value seems acceptable so far. It also represents an increase, compared to the values before this commit, of a factor 20 for the "reconnect" tests which were frequently observed to fail in the CI, and of a factor 10 for the first two "DTLS proxy" tests, which were observed to fail much less frequently, so hopefully the new values are enough to reduce the probability of spurious failures to an acceptable level. Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5a53f504d..24c861661 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -5759,8 +5759,8 @@ run_test "DTLS cookie: enabled, nbio" \ not_with_valgrind # spurious resend run_test "DTLS client reconnect from same port: reference" \ - "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \ - "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000" \ + "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \ + "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000" \ 0 \ -C "resend" \ -S "The operation timed out" \ @@ -5768,8 +5768,8 @@ run_test "DTLS client reconnect from same port: reference" \ not_with_valgrind # spurious resend run_test "DTLS client reconnect from same port: reconnect" \ - "$P_SRV dtls=1 exchanges=2 read_timeout=1000" \ - "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \ + "$P_SRV dtls=1 exchanges=2 read_timeout=20000 hs_timeout=10000-20000" \ + "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=10000-20000 reconnect_hard=1" \ 0 \ -C "resend" \ -S "The operation timed out" \ @@ -6875,8 +6875,8 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ not_with_valgrind # spurious resend due to timeout run_test "DTLS proxy: reference" \ -p "$P_PXY" \ - "$P_SRV dtls=1 debug_level=2" \ - "$P_CLI dtls=1 debug_level=2" \ + "$P_SRV dtls=1 debug_level=2 hs_timeout=10000-20000" \ + "$P_CLI dtls=1 debug_level=2 hs_timeout=10000-20000" \ 0 \ -C "replayed record" \ -S "replayed record" \ @@ -6891,8 +6891,8 @@ run_test "DTLS proxy: reference" \ not_with_valgrind # spurious resend due to timeout run_test "DTLS proxy: duplicate every packet" \ -p "$P_PXY duplicate=1" \ - "$P_SRV dtls=1 dgram_packing=0 debug_level=2" \ - "$P_CLI dtls=1 dgram_packing=0 debug_level=2" \ + "$P_SRV dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \ + "$P_CLI dtls=1 dgram_packing=0 debug_level=2 hs_timeout=10000-20000" \ 0 \ -c "replayed record" \ -s "replayed record" \ From 7fe5ac1b62caec5b880db471bad73b16a87eceae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 30 Mar 2020 12:46:21 +0200 Subject: [PATCH 3/4] Fix some style issues in udp_proxy MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- programs/test/udp_proxy.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index bca53c0b5..4be0865d8 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -523,12 +523,13 @@ void print_packet( const packet *p, const char *why ) * * We want an explicit state and a place to store the packet. */ -static enum { - ich_init, /* haven't seen the first ClientHello yet */ - ich_cached, /* cached the initial ClientHello */ - ich_injected, /* ClientHello already injected, done */ -} inject_clihlo_state; +typedef enum { + ICH_INIT, /* haven't seen the first ClientHello yet */ + ICH_CACHED, /* cached the initial ClientHello */ + ICH_INJECTED, /* ClientHello already injected, done */ +} inject_clihlo_state_t; +static inject_clihlo_state_t inject_clihlo_state; static packet initial_clihlo; int send_packet( const packet *p, const char *why ) @@ -538,11 +539,11 @@ int send_packet( const packet *p, const char *why ) /* save initial ClientHello? */ if( opt.inject_clihlo != 0 && - inject_clihlo_state == ich_init && + inject_clihlo_state == ICH_INIT && strcmp( p->type, "ClientHello" ) == 0 ) { memcpy( &initial_clihlo, p, sizeof( packet ) ); - inject_clihlo_state = ich_cached; + inject_clihlo_state = ICH_CACHED; } /* insert corrupted ApplicationData record? */ @@ -592,7 +593,7 @@ int send_packet( const packet *p, const char *why ) /* Inject ClientHello after first ApplicationData */ if( opt.inject_clihlo != 0 && - inject_clihlo_state == ich_cached && + inject_clihlo_state == ICH_CACHED && strcmp( p->type, "ApplicationData" ) == 0 ) { print_packet( &initial_clihlo, "injected" ); @@ -604,7 +605,7 @@ int send_packet( const packet *p, const char *why ) return( ret ); } - inject_clihlo_state = ich_injected; + inject_clihlo_state = ICH_INJECTED; } return( 0 ); From b08a3344a5e41d9bd87fdad634cd0d5e19cce433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 31 Mar 2020 12:31:24 +0200 Subject: [PATCH 4/4] Improve debug logging of client hard reconnect MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The current logging was sub-standard, in particular there was no trace whatsoever of the HelloVerifyRequest being sent. Now it's being logged with the usual levels: 4 for full content, 2 return of f_send, 1 decision about sending it (or taking other branches in the same function) because that's the same level as state changes in the handshake, and also same as the "possible client reconnect" message" to which it's the logical continuation (what are we doing about it?). Signed-off-by: Manuel Pégourié-Gonnard --- library/ssl_tls.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 65f59fb70..cbec74fe8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4005,17 +4005,23 @@ static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) { + int send_ret; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) ); + MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", + ssl->out_buf, len ); /* Don't check write errors as we can't do anything here. * If the error is permanent we'll catch it later, * if it's not, then hopefully it'll work next time. */ - (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len ); + send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len ); + MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret ); + (void) send_ret; return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); } if( ret == 0 ) { - /* Got a valid cookie, partially reset context */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) ); if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );