From 26dad42e9ca609569073463165263173ab2a27ab Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Mon, 11 Apr 2022 14:37:16 +0100
Subject: Add a DTLSv1_listen() test
Add a test to ensure that a connection started via DTLSv1_listen() can be completed through to handshake success. Previous DTLSv1_listen() testing only tested the function itself and did not confirm that a connection can actually be achieved using it. This is important to test some codepaths being affected by the record layer refactor.
Reviewed-by: Hugo Landau
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/18132)
---
 test/dtlstest.c | 53 +++++++++++++++++++++++++++++++++++++-
 test/helpers/ssltestlib.c | 65 +++++++++++++++++++++++++++++++++++++----------
 test/helpers/ssltestlib.h | 2 +-
 test/quicapitest.c | 2 +-
 test/sslapitest.c | 2 +-
 5 files changed, 107 insertions(+), 17 deletions(-) (limited to 'test')
diff --git a/test/dtlstest.c b/test/dtlstest.c
index f84f2c1299..8016a112e9 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -109,7 +109,7 @@ static int test_dtls_unprocessed(int testidx)
 * they will fail to decrypt. */ if (!TEST_true(create_bare_ssl_connection(serverssl1, clientssl1,
- SSL_ERROR_NONE, 0)))
+ SSL_ERROR_NONE, 0, 0)))
 goto end; if (timer_cb_count == 0) {
@@ -606,6 +606,56 @@ static int test_swap_app_data(void) SSL_free(sssl); SSL_CTX_free(cctx); SSL_CTX_free(sctx); + + return testresult; +} + +/* Confirm that we can create a connections using DTLSv1_listen() */ +static int test_listen(void) +{ + SSL_CTX *sctx = NULL, *cctx = NULL; + SSL *serverssl = NULL, *clientssl = NULL; + int testresult = 0; + + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), + DTLS_client_method(), + DTLS1_VERSION, 0, + &sctx, &cctx, cert, privkey))) + return 0; + +#ifdef OPENSSL_NO_DTLS1_2 + /* Default sigalgs are SHA1 based in 0) { /* We don't expect this to succeed! */ TEST_info("Unexpected SSL_read() success!"); - return 0; + goto err; } } if (retc > 0 && rets <= 0) { if (SSL_read(clientssl, buf, sizeof(buf)) > 0) { /* We don't expect this to succeed! */ TEST_info("Unexpected SSL_read() success!"); - return 0; + goto err; } } } if (++abortctr == MAXLOOPS) { TEST_info("No progress made"); - return 0; + goto err; } if (isdtls && abortctr <= 50 && (abortctr % 10) == 0) { /* @@ -1130,7 +1164,12 @@ int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want, } } while (retc <=0 || rets <= 0); - return 1; + ret = 1; + err: +#ifndef OPENSSL_NO_SOCK + BIO_ADDR_free(peer); +#endif + return ret; } /* @@ -1143,7 +1182,7 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want) unsigned char buf; size_t readbytes; - if (!create_bare_ssl_connection(serverssl, clientssl, want, 1)) + if (!create_bare_ssl_connection(serverssl, clientssl, want, 1, 0)) return 0; /* diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h index 6f39388fca..d8ee6a9b7d 100644 --- a/test/helpers/ssltestlib.h +++ b/test/helpers/ssltestlib.h 
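Review bot: In test/helpers/ssltestlib.c, the exit label added after `ret = 1;` in create_bare_ssl_connection() is named `err:` even though the success path falls through it; `end:` would match the `goto end` convention used by the callers in this patch and would not suggest that reaching it means failure. The cleanup `BIO_ADDR_free(peer);` sits under `#ifndef OPENSSL_NO_SOCK`, but the declaration and allocation of `peer`, and whatever happens when `listen` is non-zero in a no-sock build, are not in the lines visible here. If that case is not rejected explicitly, test_listen() could pass without ever exercising DTLSv1_listen(), so it is worth confirming that it fails loudly. The function starts outside this hunk.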
@@ -19,7 +19,7 @@ int create_ssl_ctx_pair(OSSL_LIB_CTX *libctx, const SSL_METHOD *sm,
 int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want,
- int read);
+ int read, int listen);
 int create_ssl_objects2(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl, int sfd, int cfd); int create_test_sockets(int *cfd, int *sfd);
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 1b647768d4..896b7bc3a1 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -43,7 +43,7 @@ static int test_quic_write_read(void)
 || !TEST_true(create_ssl_objects(sctx, cctx, &serverquic, &clientquic, NULL, NULL)) || !TEST_true(create_bare_ssl_connection(serverquic, clientquic,
- SSL_ERROR_NONE, 0)))
+ SSL_ERROR_NONE, 0, 0)))
 goto end; for (j = 0; j < 2; j++) {
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 3f8cbd9da2..00e9ba39ae 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -7902,7 +7902,7 @@ static int test_shutdown(int tst)
 if (tst == 3) { if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE, 1))
+ SSL_ERROR_NONE, 1, 0))
 || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) || !TEST_false(SSL_SESSION_is_resumable(sess))) goto end;
-- cgit v1.2.1
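Review bot: The new `int listen` parameter on the create_bare_ssl_connection() prototype in test/helpers/ssltestlib.h is undocumented, and it sits next to another bare int flag, so call sites now read `SSL_ERROR_NONE, 0, 0` or `SSL_ERROR_NONE, 1, 0` with nothing to show which flag is which. A comment above the prototype would help, for example `/* listen: if non-zero, the server side starts the handshake with DTLSv1_listen() */`, together with a statement of whether it is valid only for DTLS objects once that is confirmed against the implementation. The name also shadows the sockets function listen(), as `read` already shadows read(), which some -Wshadow configurations report. A name such as `use_listen` would avoid that, with the same rename applied to the definition in ssltestlib.c.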