1 /* $OpenBSD: clienttest.c,v 1.45 2024/08/31 12:47:24 jsing Exp $ */
2 /*
3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <openssl/ssl.h>
19
20 #include <openssl/dtls1.h>
21 #include <openssl/ssl3.h>
22
23 #include <err.h>
24 #include <stdio.h>
25 #include <string.h>
26
27 #define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH)
28 #define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2)
29 #define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38)
30
31 #define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)
32 #define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2)
33 #define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37)
34
35 #define TLS13_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH)
36 #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2)
37 #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34)
38 #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69)
39 #define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 198)
40 #define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 112)
41
42 #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000)
43
44 int tlsext_linearize_build_order(SSL *);
45
46 static const uint8_t cipher_list_dtls1[] = {
47 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
48 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
49 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
50 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08,
51 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
52 };
53
54 static const uint8_t client_hello_dtls1[] = {
55 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
56 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00,
57 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
58 0x68, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
59 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0,
63 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00,
64 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0,
65 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00,
66 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00,
67 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00,
68 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
69 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
70 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00,
71 0x00,
72 };
73
74 static const uint8_t cipher_list_dtls12_aes[] = {
75 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24,
76 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b,
77 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa,
78 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
79 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
80 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
81 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
82 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
83 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12,
84 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
85 };
86
87 static const uint8_t cipher_list_dtls12_chacha[] = {
88 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30,
89 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
90 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
91 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
92 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
93 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
94 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
95 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
96 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12,
97 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
98 };
99
100 static const uint8_t client_hello_dtls12[] = {
101 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00,
102 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00,
103 0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
104 0xae, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00,
105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xc0,
109 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0,
110 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00,
111 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00,
112 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00,
113 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0,
114 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0,
115 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00,
116 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00,
117 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 0xc0,
118 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01,
119 0x00, 0x00, 0x34, 0x00, 0x0a, 0x00, 0x0a, 0x00,
120 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
121 0x19, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
122 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00,
123 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08,
124 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04,
125 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03,
126 };
127
128 static const uint8_t cipher_list_tls10[] = {
129 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
130 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
131 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
132 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
133 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
134 0x00, 0x0a, 0x00, 0xff,
135 };
136
137 static const uint8_t client_hello_tls10[] = {
138 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
139 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
143 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14,
144 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88,
145 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13,
146 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
147 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
148 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
149 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b,
150 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a,
151 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
152 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
153 };
154
155 static const uint8_t cipher_list_tls11[] = {
156 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85,
157 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84,
158 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45,
159 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
160 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
161 0x00, 0x0a, 0x00, 0xff,
162 };
163
164 static const uint8_t client_hello_tls11[] = {
165 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00,
166 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
168 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
170 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14,
171 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88,
172 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13,
173 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f,
174 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05,
175 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a,
176 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b,
177 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a,
178 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18,
179 0x00, 0x19, 0x00, 0x23, 0x00, 0x00,
180 };
181
182 static const uint8_t cipher_list_tls12_aes[] = {
183 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24,
184 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b,
185 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa,
186 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
187 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
188 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
189 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
190 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
191 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11,
192 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08,
193 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
194 };
195
196 static const uint8_t cipher_list_tls12_chacha[] = {
197 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30,
198 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
199 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
200 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d,
201 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f,
202 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13,
203 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33,
204 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c,
205 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11,
206 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08,
207 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff,
208 };
209
210 static const uint8_t client_hello_tls12[] = {
211 0x16, 0x03, 0x03, 0x00, 0xb7, 0x01, 0x00, 0x00,
212 0xb3, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
216 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0xc0, 0x30,
217 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
218 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
219 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4,
220 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
221 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
222 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
223 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
224 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
225 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
226 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
227 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34,
228 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d,
229 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x0b,
230 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00,
231 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06,
232 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01,
233 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03,
234 0x02, 0x01, 0x02, 0x03,
235 };
236
237 static const uint8_t cipher_list_tls13_aes[] = {
238 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x30,
239 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14,
240 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39,
241 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4,
242 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
243 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
244 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
245 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
246 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
247 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
248 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
249 0x00, 0x0a, 0x00, 0xff,
250 };
251
252 static const uint8_t cipher_list_tls13_chacha[] = {
253 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9,
254 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c,
255 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a,
256 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4,
257 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
258 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
259 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
260 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
261 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
262 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
263 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
264 0x00, 0x0a, 0x00, 0xff,
265 };
266
267 static const uint8_t client_hello_tls13[] = {
268 0x16, 0x03, 0x03, 0x01, 0x10, 0x01, 0x00, 0x01,
269 0x0c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
273 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
277 0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0x13, 0x03,
278 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 0xcc, 0xa8,
279 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28,
280 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f,
281 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4, 0x00, 0x88,
282 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35,
283 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b,
284 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09,
285 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe,
286 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
287 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
288 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
289 0x00, 0x0a, 0x01, 0x00, 0x00, 0x67, 0x00, 0x2b,
290 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00,
291 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
292 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x33, 0x00,
293 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00,
294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
298 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
299 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08,
300 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05,
301 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
302 0x03, 0x02, 0x01, 0x02, 0x03,
303 };
304
305 static const uint8_t cipher_list_tls13_only_aes[] = {
306 0x13, 0x02, 0x13, 0x03, 0x13, 0x01,
307 };
308
309 static const uint8_t cipher_list_tls13_only_chacha[] = {
310 0x13, 0x03, 0x13, 0x02, 0x13, 0x01,
311 };
312
313 static const uint8_t client_hello_tls13_only[] = {
314 0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00,
315 0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
318 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
319 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00,
320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
321 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
323 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03,
324 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00,
325 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03,
326 0x04, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00,
327 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
328 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
329 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
331 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
333 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
334 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00,
335 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08,
336 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04,
337 0x01, 0x04, 0x03,
338 };
339
340 struct client_hello_test {
341 const char *desc;
342 const int protocol;
343 const size_t random_start;
344 const size_t session_start;
345 const size_t key_share_start;
346 const SSL_METHOD *(*ssl_method)(void);
347 const long ssl_options;
348 int connect_fails;
349 };
350
351 static const struct client_hello_test client_hello_tests[] = {
352 {
353 .desc = "DTLSv1 client method",
354 .protocol = DTLS1_VERSION,
355 .random_start = DTLS_RANDOM_OFFSET,
356 .ssl_method = DTLSv1_client_method,
357 .connect_fails = 1,
358 },
359 {
360 .desc = "DTLSv1.2 client method",
361 .protocol = DTLS1_2_VERSION,
362 .random_start = DTLS_RANDOM_OFFSET,
363 .ssl_method = DTLSv1_2_client_method,
364 },
365 {
366 .desc = "DTLS client method",
367 .protocol = DTLS1_2_VERSION,
368 .random_start = DTLS_RANDOM_OFFSET,
369 .ssl_method = DTLS_client_method,
370 },
371 {
372 .desc = "DTLS client method (no DTLSv1.2)",
373 .protocol = DTLS1_VERSION,
374 .random_start = DTLS_RANDOM_OFFSET,
375 .ssl_method = DTLS_client_method,
376 .ssl_options = SSL_OP_NO_DTLSv1_2,
377 .connect_fails = 1,
378 },
379 {
380 .desc = "DTLS client method (no DTLSv1.0)",
381 .protocol = DTLS1_2_VERSION,
382 .random_start = DTLS_RANDOM_OFFSET,
383 .ssl_method = DTLS_client_method,
384 .ssl_options = SSL_OP_NO_DTLSv1,
385 },
386 {
387 .desc = "TLSv1 client method",
388 .protocol = TLS1_VERSION,
389 .random_start = SSL3_RANDOM_OFFSET,
390 .ssl_method = TLSv1_client_method,
391 .connect_fails = 1,
392 },
393 {
394 .desc = "TLSv1_1 client method",
395 .protocol = TLS1_1_VERSION,
396 .random_start = SSL3_RANDOM_OFFSET,
397 .ssl_method = TLSv1_1_client_method,
398 .connect_fails = 1,
399 },
400 {
401 .desc = "TLSv1_2 client method",
402 .protocol = TLS1_2_VERSION,
403 .random_start = SSL3_RANDOM_OFFSET,
404 .ssl_method = TLSv1_2_client_method,
405 },
406 {
407 .desc = "SSLv23 default",
408 .protocol = TLS1_3_VERSION,
409 .random_start = TLS13_RANDOM_OFFSET,
410 .session_start = TLS13_SESSION_OFFSET,
411 .key_share_start = TLS13_KEY_SHARE_OFFSET,
412 .ssl_method = SSLv23_client_method,
413 .ssl_options = 0,
414 },
415 {
416 .desc = "SSLv23 default (no TLSv1.3)",
417 .protocol = TLS1_2_VERSION,
418 .random_start = SSL3_RANDOM_OFFSET,
419 .ssl_method = SSLv23_client_method,
420 .ssl_options = SSL_OP_NO_TLSv1_3,
421 },
422 {
423 .desc = "SSLv23 (no TLSv1.2)",
424 .protocol = TLS1_3_VERSION_ONLY,
425 .random_start = TLS13_RANDOM_OFFSET,
426 .session_start = TLS13_SESSION_OFFSET,
427 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
428 .ssl_method = SSLv23_client_method,
429 .ssl_options = SSL_OP_NO_TLSv1_2,
430 },
431 {
432 .desc = "SSLv23 (no TLSv1.1)",
433 .protocol = TLS1_3_VERSION,
434 .random_start = TLS13_RANDOM_OFFSET,
435 .session_start = TLS13_SESSION_OFFSET,
436 .key_share_start = TLS13_KEY_SHARE_OFFSET,
437 .ssl_method = SSLv23_client_method,
438 .ssl_options = SSL_OP_NO_TLSv1_1,
439 },
440 {
441 .desc = "TLS default",
442 .protocol = TLS1_3_VERSION,
443 .random_start = TLS13_RANDOM_OFFSET,
444 .session_start = TLS13_SESSION_OFFSET,
445 .key_share_start = TLS13_KEY_SHARE_OFFSET,
446 .ssl_method = TLS_client_method,
447 .ssl_options = 0,
448 },
449 {
450 .desc = "TLS (no TLSv1.3)",
451 .protocol = TLS1_2_VERSION,
452 .random_start = SSL3_RANDOM_OFFSET,
453 .ssl_method = TLS_client_method,
454 .ssl_options = SSL_OP_NO_TLSv1_3,
455 },
456 {
457 .desc = "TLS (no TLSv1.2)",
458 .protocol = TLS1_3_VERSION_ONLY,
459 .random_start = TLS13_RANDOM_OFFSET,
460 .session_start = TLS13_SESSION_OFFSET,
461 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
462 .ssl_method = TLS_client_method,
463 .ssl_options = SSL_OP_NO_TLSv1_2,
464 },
465 {
466 .desc = "TLS (no TLSv1.1)",
467 .protocol = TLS1_3_VERSION,
468 .random_start = TLS13_RANDOM_OFFSET,
469 .session_start = TLS13_SESSION_OFFSET,
470 .key_share_start = TLS13_KEY_SHARE_OFFSET,
471 .ssl_method = TLS_client_method,
472 .ssl_options = SSL_OP_NO_TLSv1_1,
473 },
474 #if 0
475 /* XXX - build client hello with explicit versions extension. */
476 {
477 .desc = "TLS (no TLSv1.0, no TLSv1.1)",
478 .protocol = TLS1_3_VERSION,
479 .random_start = TLS13_RANDOM_OFFSET,
480 .session_start = TLS13_SESSION_OFFSET,
481 .key_share_start = TLS13_KEY_SHARE_OFFSET,
482 .ssl_method = TLS_client_method,
483 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1,
484 },
485 #endif
486 {
487 .desc = "TLS (no TLSv1.0, no TLSv1.1, no TLSv1.2)",
488 .protocol = TLS1_3_VERSION_ONLY,
489 .random_start = TLS13_RANDOM_OFFSET,
490 .session_start = TLS13_SESSION_OFFSET,
491 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET,
492 .ssl_method = TLS_client_method,
493 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2,
494 },
495 };
496
497 #define N_CLIENT_HELLO_TESTS \
498 (sizeof(client_hello_tests) / sizeof(*client_hello_tests))
499
500 static void
hexdump(const uint8_t * buf,size_t len,const uint8_t * compare)501 hexdump(const uint8_t *buf, size_t len, const uint8_t *compare)
502 {
503 const char *mark = "";
504 size_t i;
505
506 for (i = 1; i <= len; i++) {
507 if (compare != NULL)
508 mark = (buf[i - 1] != compare[i - 1]) ? "*" : " ";
509 fprintf(stderr, " %s0x%02hhx,%s", mark, buf[i - 1],
510 i % 8 && i != len ? "" : "\n");
511 }
512 fprintf(stderr, "\n");
513 }
514
515 static inline int
ssl_aes_is_accelerated(void)516 ssl_aes_is_accelerated(void)
517 {
518 return (OPENSSL_cpu_caps() & CRYPTO_CPU_CAPS_ACCELERATED_AES) != 0;
519 }
520
521 static int
make_client_hello(int protocol,char ** out,size_t * outlen)522 make_client_hello(int protocol, char **out, size_t *outlen)
523 {
524 size_t client_hello_len, cipher_list_len, cipher_list_offset;
525 const uint8_t *client_hello, *cipher_list;
526 char *p;
527
528 *out = NULL;
529 *outlen = 0;
530
531 switch (protocol) {
532 case DTLS1_VERSION:
533 client_hello = client_hello_dtls1;
534 client_hello_len = sizeof(client_hello_dtls1);
535 cipher_list = cipher_list_dtls1;
536 cipher_list_len = sizeof(cipher_list_dtls1);
537 cipher_list_offset = DTLS_CIPHER_OFFSET;
538 break;
539
540 case DTLS1_2_VERSION:
541 client_hello = client_hello_dtls12;
542 client_hello_len = sizeof(client_hello_dtls12);
543 cipher_list = cipher_list_dtls12_chacha;
544 cipher_list_len = sizeof(cipher_list_dtls12_chacha);
545 if (ssl_aes_is_accelerated()) {
546 cipher_list = cipher_list_dtls12_aes;
547 cipher_list_len = sizeof(cipher_list_dtls12_aes);
548 }
549 cipher_list_offset = DTLS_CIPHER_OFFSET;
550 break;
551
552 case TLS1_VERSION:
553 client_hello = client_hello_tls10;
554 client_hello_len = sizeof(client_hello_tls10);
555 cipher_list = cipher_list_tls10;
556 cipher_list_len = sizeof(cipher_list_tls10);
557 cipher_list_offset = SSL3_CIPHER_OFFSET;
558 break;
559
560 case TLS1_1_VERSION:
561 client_hello = client_hello_tls11;
562 client_hello_len = sizeof(client_hello_tls11);
563 cipher_list = cipher_list_tls11;
564 cipher_list_len = sizeof(cipher_list_tls11);
565 cipher_list_offset = SSL3_CIPHER_OFFSET;
566 break;
567
568 case TLS1_2_VERSION:
569 client_hello = client_hello_tls12;
570 client_hello_len = sizeof(client_hello_tls12);
571 cipher_list = cipher_list_tls12_chacha;
572 cipher_list_len = sizeof(cipher_list_tls12_chacha);
573 if (ssl_aes_is_accelerated()) {
574 cipher_list = cipher_list_tls12_aes;
575 cipher_list_len = sizeof(cipher_list_tls12_aes);
576 }
577 cipher_list_offset = SSL3_CIPHER_OFFSET;
578 break;
579
580 case TLS1_3_VERSION:
581 client_hello = client_hello_tls13;
582 client_hello_len = sizeof(client_hello_tls13);
583 cipher_list = cipher_list_tls13_chacha;
584 cipher_list_len = sizeof(cipher_list_tls13_chacha);
585 if (ssl_aes_is_accelerated()) {
586 cipher_list = cipher_list_tls13_aes;
587 cipher_list_len = sizeof(cipher_list_tls13_aes);
588 }
589 cipher_list_offset = TLS13_CIPHER_OFFSET;
590 break;
591
592 case TLS1_3_VERSION_ONLY:
593 client_hello = client_hello_tls13_only;
594 client_hello_len = sizeof(client_hello_tls13_only);
595 cipher_list = cipher_list_tls13_only_chacha;
596 cipher_list_len = sizeof(cipher_list_tls13_only_chacha);
597 if (ssl_aes_is_accelerated()) {
598 cipher_list = cipher_list_tls13_only_aes;
599 cipher_list_len = sizeof(cipher_list_tls13_only_aes);
600 }
601 cipher_list_offset = TLS13_CIPHER_OFFSET;
602 break;
603
604 default:
605 return (-1);
606 }
607
608 if ((p = malloc(client_hello_len)) == NULL)
609 return (-1);
610
611 memcpy(p, client_hello, client_hello_len);
612 memcpy(p + cipher_list_offset, cipher_list, cipher_list_len);
613
614 *out = p;
615 *outlen = client_hello_len;
616
617 return (0);
618 }
619
620 static int
client_hello_test(int testno,const struct client_hello_test * cht)621 client_hello_test(int testno, const struct client_hello_test *cht)
622 {
623 BIO *rbio = NULL, *wbio = NULL;
624 SSL_CTX *ssl_ctx = NULL;
625 SSL *ssl = NULL;
626 char *client_hello = NULL;
627 size_t client_hello_len;
628 size_t session_len;
629 char *wbuf, rbuf[1];
630 int ret = 1;
631 long len;
632
633 fprintf(stderr, "Test %d - %s\n", testno, cht->desc);
634
635 /* Providing a small buf causes *_get_server_hello() to return. */
636 if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) {
637 fprintf(stderr, "Failed to setup rbio\n");
638 goto failure;
639 }
640 if ((wbio = BIO_new(BIO_s_mem())) == NULL) {
641 fprintf(stderr, "Failed to setup wbio\n");
642 goto failure;
643 }
644
645 if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) {
646 fprintf(stderr, "SSL_CTX_new() returned NULL\n");
647 goto failure;
648 }
649
650 SSL_CTX_set_options(ssl_ctx, cht->ssl_options);
651
652 if ((ssl = SSL_new(ssl_ctx)) == NULL) {
653 fprintf(stderr, "SSL_new() returned NULL\n");
654 goto failure;
655 }
656
657 if (!tlsext_linearize_build_order(ssl)) {
658 fprintf(stderr, "failed to linearize build order");
659 goto failure;
660 }
661
662 BIO_up_ref(rbio);
663 BIO_up_ref(wbio);
664 SSL_set_bio(ssl, rbio, wbio);
665
666 if (SSL_connect(ssl) != 0) {
667 if (cht->connect_fails)
668 goto done;
669 fprintf(stderr, "SSL_connect() returned non-zero\n");
670 goto failure;
671 }
672
673 len = BIO_get_mem_data(wbio, &wbuf);
674
675 if (make_client_hello(cht->protocol, &client_hello,
676 &client_hello_len) != 0)
677 errx(1, "failed to make client hello");
678
679 if ((size_t)len != client_hello_len) {
680 fprintf(stderr, "FAIL: test returned ClientHello length %ld, "
681 "want %zu\n", len, client_hello_len);
682 fprintf(stderr, "received:\n");
683 hexdump(wbuf, len, NULL);
684 fprintf(stderr, "test data:\n");
685 hexdump(client_hello, client_hello_len, NULL);
686 fprintf(stderr, "\n");
687 goto failure;
688 }
689
690 /* We expect the client random to differ. */
691 if (memcmp(&client_hello[cht->random_start], &wbuf[cht->random_start],
692 SSL3_RANDOM_SIZE) == 0) {
693 fprintf(stderr, "FAIL: ClientHello has zeroed random\n");
694 goto failure;
695 }
696
697 memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE);
698
699 if (cht->session_start > 0) {
700 session_len = wbuf[cht->session_start];
701 if (session_len > 0)
702 memset(&wbuf[cht->session_start + 1], 0, session_len);
703 }
704 if (cht->key_share_start > 0)
705 memset(&wbuf[cht->key_share_start], 0, 32);
706
707 if (memcmp(client_hello, wbuf, client_hello_len) != 0) {
708 fprintf(stderr, "FAIL: ClientHello differs:\n");
709 fprintf(stderr, "received:\n");
710 hexdump(wbuf, len, client_hello);
711 fprintf(stderr, "test data:\n");
712 hexdump(client_hello, client_hello_len, wbuf);
713 fprintf(stderr, "\n");
714 goto failure;
715 }
716
717 done:
718 ret = 0;
719
720 failure:
721 SSL_CTX_free(ssl_ctx);
722 SSL_free(ssl);
723
724 BIO_free(rbio);
725 BIO_free(wbio);
726
727 free(client_hello);
728
729 return (ret);
730 }
731
732 int
main(int argc,char ** argv)733 main(int argc, char **argv)
734 {
735 int failed = 0;
736 size_t i;
737
738 SSL_library_init();
739
740 for (i = 0; i < N_CLIENT_HELLO_TESTS; i++)
741 failed |= client_hello_test(i, &client_hello_tests[i]);
742
743 return (failed);
744 }
745