Add negative test for hard reconnect cookie check The server must check client reachability (we chose to do that by checking a cookie) before destroying the existing association (RFC 6347 section 4.2.8). Let's make sure we do, by having a proxy-in-the-middle inject a ClientHello - the server should notice, but not destroy the connection. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

commit: a58b04649be2afda5db5739c983367609edfe6bc [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Fri Mar 13 11:11:02 2020 +0100
committer: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Tue Mar 31 09:57:45 2020 +0200
tree: 608922f33afbe972a3276b69567f8893eccc5232
parent: f3037ec2da362e45875928f49361acfa7c0fb484 [diff] [blame]
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 1434156..6ec0e13 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -5011,6 +5011,14 @@
             -s "The operation timed out" \
             -S "Client initiated reconnection from same port"
 
+run_test    "DTLS client reconnect from same port: attacker-injected" \
+            -p "$P_PXY inject_clihlo=1" \
+            "$P_SRV dtls=1 exchanges=2 debug_level=1" \
+            "$P_CLI dtls=1 exchanges=2" \
+            0 \
+            -s "possible client reconnect from the same port" \
+            -S "Client initiated reconnection from same port"
+
 # Tests for various cases of client authentication with DTLS
 # (focused on handshake flows and message parsing)
commit	a58b04649be2afda5db5739c983367609edfe6bc	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Fri Mar 13 11:11:02 2020 +0100
committer	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Tue Mar 31 09:57:45 2020 +0200
tree	608922f33afbe972a3276b69567f8893eccc5232
parent	f3037ec2da362e45875928f49361acfa7c0fb484 [diff] [blame]