diff options
Diffstat (limited to 'test')
-rw-r--r-- | test/build.info | 6 | ||||
-rw-r--r-- | test/heartbeat_test.c | 376 | ||||
-rw-r--r-- | test/recipes/90-test_heartbeat.t | 12 |
3 files changed, 1 insertions, 393 deletions
diff --git a/test/build.info b/test/build.info index e9f87edb8b..e25050b9da 100644 --- a/test/build.info +++ b/test/build.info @@ -19,7 +19,7 @@ IF[{- !$disabled{tests} -}] randtest dhtest enginetest casttest \ bftest ssltest_old dsatest exptest rsa_test \ evp_test evp_extra_test igetest v3nametest v3ext \ - danetest heartbeat_test p5_crpt2_test bad_dtls_test \ + danetest p5_crpt2_test bad_dtls_test \ constant_time_test verify_extra_test clienthellotest \ packettest asynctest secmemtest srptest memleaktest \ dtlsv1listentest ct_test threadstest afalgtest d2i_test \ @@ -178,10 +178,6 @@ IF[{- !$disabled{tests} -}] INCLUDE[danetest]=../include DEPEND[danetest]=../libcrypto ../libssl - SOURCE[heartbeat_test]=heartbeat_test.c testutil.c - INCLUDE[heartbeat_test]=.. ../include - DEPEND[heartbeat_test]=../libcrypto ../libssl - SOURCE[p5_crpt2_test]=p5_crpt2_test.c INCLUDE[p5_crpt2_test]=../include DEPEND[p5_crpt2_test]=../libcrypto diff --git a/test/heartbeat_test.c b/test/heartbeat_test.c deleted file mode 100644 index 9f6c6e538a..0000000000 --- a/test/heartbeat_test.c +++ /dev/null @@ -1,376 +0,0 @@ -/* - * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/*- - * Unit test for TLS heartbeats. - * - * Acts as a regression test against the Heartbleed bug (CVE-2014-0160). - * - * Author: Mike Bland (mbland@acm.org, http://mike-bland.com/) - * Date: 2014-04-12 - * License: Creative Commons Attribution 4.0 International (CC By 4.0) - * http://creativecommons.org/licenses/by/4.0/deed.en_US - * - * OUTPUT - * ------ - * The program returns zero on success. It will print a message with a count - * of the number of failed tests and return nonzero if any tests fail. - * - * It will print the contents of the request and response buffers for each - * failing test. In a "fixed" version, all the tests should pass and there - * should be no output. - * - * In a "bleeding" version, you'll see: - * - * test_dtls1_heartbleed failed: - * expected payload len: 0 - * received: 1024 - * sent 26 characters - * "HEARTBLEED " - * received 1024 characters - * "HEARTBLEED \xde\xad\xbe\xef..." - * ** test_dtls1_heartbleed failed ** - * - * The contents of the returned buffer in the failing test will depend on the - * contents of memory on your machine. - * - * MORE INFORMATION - * ---------------- - * http://mike-bland.com/2014/04/12/heartbleed.html - * http://mike-bland.com/tags/heartbleed.html - */ - -#define OPENSSL_UNIT_TEST - -#include "../ssl/ssl_locl.h" - -#include "testutil.h" -#include <ctype.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#if !defined(OPENSSL_NO_HEARTBEATS) && !defined(OPENSSL_NO_UNIT_TEST) - -/* As per https://tools.ietf.org/html/rfc6520#section-4 */ -# define MIN_PADDING_SIZE 16 - -/* Maximum number of payload characters to print as test output */ -# define MAX_PRINTABLE_CHARACTERS 1024 - -typedef struct heartbeat_test_fixture { - SSL_CTX *ctx; - SSL *s; - const char *test_case_name; - int (*process_heartbeat) (SSL *s, unsigned char *p, unsigned int length); - unsigned char *payload; - int sent_payload_len; - int expected_return_value; - int return_payload_offset; - int expected_payload_len; - const char *expected_return_payload; -} HEARTBEAT_TEST_FIXTURE; - -static HEARTBEAT_TEST_FIXTURE set_up(const char *const test_case_name, - const SSL_METHOD *meth) -{ - HEARTBEAT_TEST_FIXTURE fixture; - int setup_ok = 1; - memset(&fixture, 0, sizeof(fixture)); - fixture.test_case_name = test_case_name; - - fixture.ctx = SSL_CTX_new(meth); - if (!fixture.ctx) { - fprintf(stderr, "Failed to allocate SSL_CTX for test: %s\n", - test_case_name); - setup_ok = 0; - goto fail; - } - - fixture.s = SSL_new(fixture.ctx); - if (!fixture.s) { - fprintf(stderr, "Failed to allocate SSL for test: %s\n", - test_case_name); - setup_ok = 0; - goto fail; - } - - if (!ssl_init_wbio_buffer(fixture.s)) { - fprintf(stderr, "Failed to set up wbio buffer for test: %s\n", - test_case_name); - setup_ok = 0; - goto fail; - } - - if (!ssl3_setup_buffers(fixture.s)) { - fprintf(stderr, "Failed to setup buffers for test: %s\n", - test_case_name); - setup_ok = 0; - goto fail; - } - - /* - * Clear the memory for the return buffer, since this isn't automatically - * zeroed in opt mode and will cause spurious test failures that will - * change with each execution. - */ - memset(fixture.s->rlayer.wbuf.buf, 0, fixture.s->rlayer.wbuf.len); - - fail: - if (!setup_ok) { - ERR_print_errors_fp(stderr); - exit(EXIT_FAILURE); - } - return fixture; -} - -static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char *const test_case_name) -{ - HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name, - DTLS_server_method()); - fixture.process_heartbeat = dtls1_process_heartbeat; - - /* - * As per dtls1_get_record(), skipping the following from the beginning - * of the returned heartbeat message: type-1 byte; version-2 bytes; - * sequence number-8 bytes; length-2 bytes And then skipping the 1-byte - * type encoded by process_heartbeat for a total of 14 bytes, at which - * point we can grab the length and the payload we seek. - */ - fixture.return_payload_offset = 14; - return fixture; -} - -/* Needed by ssl3_write_bytes() */ -static int dummy_handshake(SSL *s) -{ - return 1; -} - -static void tear_down(HEARTBEAT_TEST_FIXTURE fixture) -{ - SSL_free(fixture.s); - SSL_CTX_free(fixture.ctx); -} - -static void print_payload(const char *const prefix, - const unsigned char *payload, const int n) -{ - const int end = n < MAX_PRINTABLE_CHARACTERS ? n - : MAX_PRINTABLE_CHARACTERS; - int i = 0; - - printf("%s %d character%s", prefix, n, n == 1 ? "" : "s"); - if (end != n) - printf(" (first %d shown)", end); - printf("\n \""); - - for (; i != end; ++i) { - const unsigned char c = payload[i]; - if (isprint(c)) - fputc(c, stdout); - else - printf("\\x%02x", c); - } - printf("\"\n"); -} - -static int execute_heartbeat(HEARTBEAT_TEST_FIXTURE fixture) -{ - int result = 0; - SSL *s = fixture.s; - unsigned char *payload = fixture.payload; - unsigned char sent_buf[MAX_PRINTABLE_CHARACTERS + 1]; - int return_value; - unsigned const char *p; - int actual_payload_len; - - s->rlayer.rrec.data = payload; - s->rlayer.rrec.length = strlen((const char *)payload); - *payload++ = TLS1_HB_REQUEST; - s2n(fixture.sent_payload_len, payload); - - /* - * Make a local copy of the request, since it gets overwritten at some - * point - */ - memcpy(sent_buf, payload, sizeof(sent_buf)); - - return_value = fixture.process_heartbeat(s, s->rlayer.rrec.data, - s->rlayer.rrec.length); - - if (return_value != fixture.expected_return_value) { - printf("%s failed: expected return value %d, received %d\n", - fixture.test_case_name, fixture.expected_return_value, - return_value); - result = 1; - } - - /* - * If there is any byte alignment, it will be stored in wbuf.offset. - */ - p = &(s->rlayer. - wbuf.buf[fixture.return_payload_offset + s->rlayer.wbuf.offset]); - actual_payload_len = 0; - n2s(p, actual_payload_len); - - if (actual_payload_len != fixture.expected_payload_len) { - printf("%s failed:\n expected payload len: %d\n received: %d\n", - fixture.test_case_name, fixture.expected_payload_len, - actual_payload_len); - print_payload("sent", sent_buf, strlen((const char *)sent_buf)); - print_payload("received", p, actual_payload_len); - result = 1; - } else { - char *actual_payload = - OPENSSL_strndup((const char *)p, actual_payload_len); - if (strcmp(actual_payload, fixture.expected_return_payload) != 0) { - printf - ("%s failed:\n expected payload: \"%s\"\n received: \"%s\"\n", - fixture.test_case_name, fixture.expected_return_payload, - actual_payload); - result = 1; - } - OPENSSL_free(actual_payload); - } - - if (result != 0) { - printf("** %s failed **\n--------\n", fixture.test_case_name); - } - return result; -} - -static int honest_payload_size(unsigned char payload_buf[]) -{ - /* Omit three-byte pad at the beginning for type and payload length */ - return strlen((const char *)&payload_buf[3]) - MIN_PADDING_SIZE; -} - -# define SETUP_HEARTBEAT_TEST_FIXTURE(type)\ - SETUP_TEST_FIXTURE(HEARTBEAT_TEST_FIXTURE, set_up_##type) - -# define EXECUTE_HEARTBEAT_TEST()\ - EXECUTE_TEST(execute_heartbeat, tear_down) - -static int test_dtls1_not_bleeding() -{ - SETUP_HEARTBEAT_TEST_FIXTURE(dtls); - /* Three-byte pad at the beginning for type and payload length */ - unsigned char payload_buf[MAX_PRINTABLE_CHARACTERS + 4] = - " Not bleeding, sixteen spaces of padding" " "; - const int payload_buf_len = honest_payload_size(payload_buf); - - fixture.payload = &payload_buf[0]; - fixture.sent_payload_len = payload_buf_len; - fixture.expected_return_value = 0; - fixture.expected_payload_len = payload_buf_len; - fixture.expected_return_payload = - "Not bleeding, sixteen spaces of padding"; - EXECUTE_HEARTBEAT_TEST(); -} - -static int test_dtls1_not_bleeding_empty_payload() -{ - int payload_buf_len; - - SETUP_HEARTBEAT_TEST_FIXTURE(dtls); - /* - * Three-byte pad at the beginning for type and payload length, plus a - * NUL at the end - */ - unsigned char payload_buf[4 + MAX_PRINTABLE_CHARACTERS]; - memset(payload_buf, ' ', MIN_PADDING_SIZE + 3); - payload_buf[MIN_PADDING_SIZE + 3] = '\0'; - payload_buf_len = honest_payload_size(payload_buf); - - fixture.payload = &payload_buf[0]; - fixture.sent_payload_len = payload_buf_len; - fixture.expected_return_value = 0; - fixture.expected_payload_len = payload_buf_len; - fixture.expected_return_payload = ""; - EXECUTE_HEARTBEAT_TEST(); -} - -static int test_dtls1_heartbleed() -{ - SETUP_HEARTBEAT_TEST_FIXTURE(dtls); - /* Three-byte pad at the beginning for type and payload length */ - unsigned char payload_buf[4 + MAX_PRINTABLE_CHARACTERS] = - " HEARTBLEED "; - - fixture.payload = &payload_buf[0]; - fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS; - fixture.expected_return_value = 0; - fixture.expected_payload_len = 0; - fixture.expected_return_payload = ""; - EXECUTE_HEARTBEAT_TEST(); -} - -static int test_dtls1_heartbleed_empty_payload() -{ - SETUP_HEARTBEAT_TEST_FIXTURE(dtls); - /* - * Excluding the NUL at the end, one byte short of type + payload length - * + minimum padding - */ - unsigned char payload_buf[MAX_PRINTABLE_CHARACTERS + 4]; - memset(payload_buf, ' ', MIN_PADDING_SIZE + 2); - payload_buf[MIN_PADDING_SIZE + 2] = '\0'; - - fixture.payload = &payload_buf[0]; - fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS; - fixture.expected_return_value = 0; - fixture.expected_payload_len = 0; - fixture.expected_return_payload = ""; - EXECUTE_HEARTBEAT_TEST(); -} - -static int test_dtls1_heartbleed_excessive_plaintext_length() -{ - SETUP_HEARTBEAT_TEST_FIXTURE(dtls); - /* - * Excluding the NUL at the end, one byte in excess of maximum allowed - * heartbeat message length - */ - unsigned char payload_buf[SSL3_RT_MAX_PLAIN_LENGTH + 2]; - memset(payload_buf, ' ', sizeof(payload_buf)); - payload_buf[sizeof(payload_buf) - 1] = '\0'; - - fixture.payload = &payload_buf[0]; - fixture.sent_payload_len = honest_payload_size(payload_buf); - fixture.expected_return_value = 0; - fixture.expected_payload_len = 0; - fixture.expected_return_payload = ""; - EXECUTE_HEARTBEAT_TEST(); -} - -# undef EXECUTE_HEARTBEAT_TEST -# undef SETUP_HEARTBEAT_TEST_FIXTURE - -int main(int argc, char *argv[]) -{ - int result = 0; - - ADD_TEST(test_dtls1_not_bleeding); - ADD_TEST(test_dtls1_not_bleeding_empty_payload); - ADD_TEST(test_dtls1_heartbleed); - ADD_TEST(test_dtls1_heartbleed_empty_payload); - ADD_TEST(test_dtls1_heartbleed_excessive_plaintext_length); - - result = run_tests(argv[0]); - return result; -} - -#else /* OPENSSL_NO_HEARTBEATS */ - -int main(int argc, char *argv[]) -{ - return EXIT_SUCCESS; -} -#endif /* OPENSSL_NO_HEARTBEATS */ diff --git a/test/recipes/90-test_heartbeat.t b/test/recipes/90-test_heartbeat.t deleted file mode 100644 index 90d6a67b7d..0000000000 --- a/test/recipes/90-test_heartbeat.t +++ /dev/null @@ -1,12 +0,0 @@ -#! /usr/bin/env perl -# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the OpenSSL license (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - - -use OpenSSL::Test::Simple; - -simple_test("test_heartbeat", "heartbeat_test", "heartbeats"); |