xref: /freebsd-10.0-release/crypto/openssl/ssl/heartbeat_test.c

/* test/heartbeat_test.c */
/*
 * Unit test for TLS heartbeats.
 *
 * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
 *
 * Author:  Mike Bland (mbland@acm.org, http://mike-bland.com/)
 * Date:    2014-04-12
 * License: Creative Commons Attribution 4.0 International (CC By 4.0)
 *          http://creativecommons.org/licenses/by/4.0/deed.en_US
 *
 * OUTPUT
 * ------
 * The program returns zero on success. It will print a message with a count
 * of the number of failed tests and return nonzero if any tests fail.
 *
 * It will print the contents of the request and response buffers for each
 * failing test. In a "fixed" version, all the tests should pass and there
 * should be no output.
 *
 * In a "bleeding" version, you'll see:
 *
 *   test_dtls1_heartbleed failed:
 *     expected payload len: 0
 *     received: 1024
 *   sent 26 characters
 *     "HEARTBLEED                "
 *   received 1024 characters
 *     "HEARTBLEED                \xde\xad\xbe\xef..."
 *   ** test_dtls1_heartbleed failed **
 *
 * The contents of the returned buffer in the failing test will depend on the
 * contents of memory on your machine.
 *
 * MORE INFORMATION
 * ----------------
 * http://mike-bland.com/2014/04/12/heartbleed.html
 * http://mike-bland.com/tags/heartbleed.html
 */

#define OPENSSL_UNIT_TEST

#include "../test/testutil.h"

#include "../ssl/ssl_locl.h"
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if !defined(OPENSSL_NO_HEARTBEATS) && !defined(OPENSSL_NO_UNIT_TEST)

/* As per https://tools.ietf.org/html/rfc6520#section-4 */
#define MIN_PADDING_SIZE	16

/* Maximum number of payload characters to print as test output */
#define MAX_PRINTABLE_CHARACTERS	1024

typedef struct heartbeat_test_fixture
	{
	SSL_CTX *ctx;
	SSL *s;
	const char* test_case_name;
	int (*process_heartbeat)(SSL* s);
	unsigned char* payload;
	int sent_payload_len;
	int expected_return_value;
	int return_payload_offset;
	int expected_payload_len;
	const char* expected_return_payload;
	} HEARTBEAT_TEST_FIXTURE;

static HEARTBEAT_TEST_FIXTURE set_up(const char* const test_case_name,
	const SSL_METHOD* meth)
	{
	HEARTBEAT_TEST_FIXTURE fixture;
	int setup_ok = 1;
	memset(&fixture, 0, sizeof(fixture));
	fixture.test_case_name = test_case_name;

	fixture.ctx = SSL_CTX_new(meth);
	if (!fixture.ctx)
		{
		fprintf(stderr, "Failed to allocate SSL_CTX for test: %s\n",
			test_case_name);
		setup_ok = 0;
		goto fail;
		}

	fixture.s = SSL_new(fixture.ctx);
	if (!fixture.s)
		{
		fprintf(stderr, "Failed to allocate SSL for test: %s\n", test_case_name);
		setup_ok = 0;
		goto fail;
		}

	if (!ssl_init_wbio_buffer(fixture.s, 1))
		{
		fprintf(stderr, "Failed to set up wbio buffer for test: %s\n",
			test_case_name);
		setup_ok = 0;
		goto fail;
		}

	if (!ssl3_setup_buffers(fixture.s))
		{
		fprintf(stderr, "Failed to setup buffers for test: %s\n",
			test_case_name);
		setup_ok = 0;
		goto fail;
		}

	/* Clear the memory for the return buffer, since this isn't automatically
	 * zeroed in opt mode and will cause spurious test failures that will change
	 * with each execution.
	 */
	memset(fixture.s->s3->wbuf.buf, 0, fixture.s->s3->wbuf.len);

	fail:
	if (!setup_ok)
		{
		ERR_print_errors_fp(stderr);
		exit(EXIT_FAILURE);
		}
	return fixture;
	}

static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char* const test_case_name)
	{
	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
		DTLSv1_server_method());
	fixture.process_heartbeat = dtls1_process_heartbeat;

	/* As per dtls1_get_record(), skipping the following from the beginning of
	 * the returned heartbeat message:
	 * type-1 byte; version-2 bytes; sequence number-8 bytes; length-2 bytes
	 *
	 * And then skipping the 1-byte type encoded by process_heartbeat for
	 * a total of 14 bytes, at which point we can grab the length and the
	 * payload we seek.
	 */
	fixture.return_payload_offset = 14;
	return fixture;
	}

/* Needed by ssl3_write_bytes() */
static int dummy_handshake(SSL* s)
	{
	return 1;
	}

static HEARTBEAT_TEST_FIXTURE set_up_tls(const char* const test_case_name)
	{
	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
		TLSv1_server_method());
	fixture.process_heartbeat = tls1_process_heartbeat;
	fixture.s->handshake_func = dummy_handshake;

	/* As per do_ssl3_write(), skipping the following from the beginning of
	 * the returned heartbeat message:
	 * type-1 byte; version-2 bytes; length-2 bytes
	 *
	 * And then skipping the 1-byte type encoded by process_heartbeat for
	 * a total of 6 bytes, at which point we can grab the length and the payload
	 * we seek.
	 */
	fixture.return_payload_offset = 6;
	return fixture;
	}

static void tear_down(HEARTBEAT_TEST_FIXTURE fixture)
	{
	ERR_print_errors_fp(stderr);
	SSL_free(fixture.s);
	SSL_CTX_free(fixture.ctx);
	}

static void print_payload(const char* const prefix,
		const unsigned char *payload, const int n)
	{
	const int end = n < MAX_PRINTABLE_CHARACTERS ? n
	    : MAX_PRINTABLE_CHARACTERS;
	int i = 0;

	printf("%s %d character%s", prefix, n, n == 1 ? "" : "s");
	if (end != n) printf(" (first %d shown)", end);
	printf("\n  \"");

	for (; i != end; ++i)
		{
		const unsigned char c = payload[i];
		if (isprint(c)) fputc(c, stdout);
		else printf("\\x%02x", c);
		}
	printf("\"\n");
	}

static int execute_heartbeat(HEARTBEAT_TEST_FIXTURE fixture)
	{
	int result = 0;
	SSL* s = fixture.s;
	unsigned char *payload = fixture.payload;
	unsigned char sent_buf[MAX_PRINTABLE_CHARACTERS + 1];
	int return_value;
	unsigned const char *p;
	int actual_payload_len;

	s->s3->rrec.data = payload;
	s->s3->rrec.length = strlen((const char*)payload);
	*payload++ = TLS1_HB_REQUEST;
	s2n(fixture.sent_payload_len, payload);

	/* Make a local copy of the request, since it gets overwritten at some
	 * point */
	memcpy((char *)sent_buf, (const char*)payload, sizeof(sent_buf));

	return_value = fixture.process_heartbeat(s);

	if (return_value != fixture.expected_return_value)
		{
		printf("%s failed: expected return value %d, received %d\n",
					 fixture.test_case_name, fixture.expected_return_value,
					 return_value);
		result = 1;
		}

	/* If there is any byte alignment, it will be stored in wbuf.offset. */
	p = &(s->s3->wbuf.buf[
			fixture.return_payload_offset + s->s3->wbuf.offset]);
	actual_payload_len = 0;
	n2s(p, actual_payload_len);

	if (actual_payload_len != fixture.expected_payload_len)
		{
		printf("%s failed:\n  expected payload len: %d\n  received: %d\n",
					 fixture.test_case_name, fixture.expected_payload_len,
					 actual_payload_len);
		print_payload("sent", sent_buf, strlen((const char*)sent_buf));
		print_payload("received", p, actual_payload_len);
		result = 1;
		}
	else
		{
		char* actual_payload = BUF_strndup((const char*)p, actual_payload_len);
		if (strcmp(actual_payload, fixture.expected_return_payload) != 0)
			{
			printf("%s failed:\n  expected payload: \"%s\"\n  received: \"%s\"\n",
						 fixture.test_case_name, fixture.expected_return_payload,
						 actual_payload);
			result = 1;
			}
		OPENSSL_free(actual_payload);
		}

	if (result != 0)
		{
		printf("** %s failed **\n--------\n", fixture.test_case_name);
		}
	return result;
	}

static int honest_payload_size(unsigned char payload_buf[])
	{
	/* Omit three-byte pad at the beginning for type and payload length */
	return strlen((const char*)&payload_buf[3]) - MIN_PADDING_SIZE;
	}

#define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
  SETUP_TEST_FIXTURE(HEARTBEAT_TEST_FIXTURE, set_up_##type)

#define EXECUTE_HEARTBEAT_TEST()\
  EXECUTE_TEST(execute_heartbeat, tear_down)

static int test_dtls1_not_bleeding()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
	/* Three-byte pad at the beginning for type and payload length */
	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
		"                ";
	const int payload_buf_len = honest_payload_size(payload_buf);

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = payload_buf_len;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = payload_buf_len;
	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_dtls1_not_bleeding_empty_payload()
	{
	int payload_buf_len;

	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
	/* Three-byte pad at the beginning for type and payload length, plus a NUL
	 * at the end */
	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
	memset(payload_buf, ' ', sizeof(payload_buf));
	payload_buf[sizeof(payload_buf) - 1] = '\0';
	payload_buf_len = honest_payload_size(payload_buf);

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = payload_buf_len;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = payload_buf_len;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_dtls1_heartbleed()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
	/* Three-byte pad at the beginning for type and payload length */
	unsigned char payload_buf[] = "   HEARTBLEED                ";

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = 0;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_dtls1_heartbleed_empty_payload()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
	/* Excluding the NUL at the end, one byte short of type + payload length +
	 * minimum padding */
	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
	memset(payload_buf, ' ', sizeof(payload_buf));
	payload_buf[sizeof(payload_buf) - 1] = '\0';

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = 0;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_dtls1_heartbleed_excessive_plaintext_length()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
	/* Excluding the NUL at the end, one byte in excess of maximum allowed
	 * heartbeat message length */
	unsigned char payload_buf[SSL3_RT_MAX_PLAIN_LENGTH + 2];
	memset(payload_buf, ' ', sizeof(payload_buf));
	payload_buf[sizeof(payload_buf) - 1] = '\0';

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = honest_payload_size(payload_buf);
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = 0;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_tls1_not_bleeding()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
	/* Three-byte pad at the beginning for type and payload length */
	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
					"                ";
	const int payload_buf_len = honest_payload_size(payload_buf);

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = payload_buf_len;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = payload_buf_len;
	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_tls1_not_bleeding_empty_payload()
	{
	int payload_buf_len;

	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
	/* Three-byte pad at the beginning for type and payload length, plus a NUL
	 * at the end */
	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
	memset(payload_buf, ' ', sizeof(payload_buf));
	payload_buf[sizeof(payload_buf) - 1] = '\0';
	payload_buf_len = honest_payload_size(payload_buf);

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = payload_buf_len;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = payload_buf_len;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_tls1_heartbleed()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
	/* Three-byte pad at the beginning for type and payload length */
	unsigned char payload_buf[] = "   HEARTBLEED                ";

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = 0;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

static int test_tls1_heartbleed_empty_payload()
	{
	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
	/* Excluding the NUL at the end, one byte short of type + payload length +
	 * minimum padding */
	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
	memset(payload_buf, ' ', sizeof(payload_buf));
	payload_buf[sizeof(payload_buf) - 1] = '\0';

	fixture.payload = &payload_buf[0];
	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
	fixture.expected_return_value = 0;
	fixture.expected_payload_len = 0;
	fixture.expected_return_payload = "";
	EXECUTE_HEARTBEAT_TEST();
	}

#undef EXECUTE_HEARTBEAT_TEST
#undef SETUP_HEARTBEAT_TEST_FIXTURE

int main(int argc, char *argv[])
	{
	int num_failed;

	SSL_library_init();
	SSL_load_error_strings();

	num_failed = test_dtls1_not_bleeding() +
	    test_dtls1_not_bleeding_empty_payload() +
	    test_dtls1_heartbleed() +
	    test_dtls1_heartbleed_empty_payload() +
	    /* The following test causes an assertion failure at
	     * ssl/d1_pkt.c:dtls1_write_bytes() in versions prior to 1.0.1g: */
	    (OPENSSL_VERSION_NUMBER >= 0x1000107fL ?
	     test_dtls1_heartbleed_excessive_plaintext_length() : 0) +
	    test_tls1_not_bleeding() +
	    test_tls1_not_bleeding_empty_payload() +
	    test_tls1_heartbleed() +
	    test_tls1_heartbleed_empty_payload() +
	    0;

	ERR_print_errors_fp(stderr);

	if (num_failed != 0)
		{
		printf("%d test%s failed\n", num_failed, num_failed != 1 ? "s" : "");
		return EXIT_FAILURE;
		}
	return EXIT_SUCCESS;
	}

#else /* OPENSSL_NO_HEARTBEATS*/

int main(int argc, char *argv[])
	{
		return EXIT_SUCCESS;
	}
#endif /* OPENSSL_NO_HEARTBEATS */