1 /* $OpenBSD: clienttest.c,v 1.42 2023/07/11 17:03:44 tb Exp $ */ 2 /* 3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include <openssl/dtls1.h> 21 #include <openssl/ssl3.h> 22 23 #include <err.h> 24 #include <stdio.h> 25 #include <string.h> 26 27 #define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) 28 #define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2) 29 #define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38) 30 31 #define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 32 #define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2) 33 #define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37) 34 35 #define TLS13_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 36 #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2) 37 #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34) 38 #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69) 39 #define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 188) 40 #define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 98) 41 42 #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000) 43 44 int tlsext_linearize_build_order(SSL *); 45 46 static const uint8_t cipher_list_dtls1[] = { 47 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 48 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 49 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 50 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 51 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 52 }; 53 54 static const uint8_t client_hello_dtls1[] = { 55 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 56 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00, 57 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 58 0x68, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 59 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0, 63 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 64 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 65 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 66 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 67 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 68 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 69 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 70 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 71 0x00, 72 }; 73 74 static const uint8_t cipher_list_dtls12_aes[] = { 75 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 76 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 77 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 78 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 79 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 80 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 81 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 82 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 83 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 84 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 85 0x00, 0x0a, 0x00, 0xff 86 }; 87 88 static const uint8_t cipher_list_dtls12_chacha[] = { 89 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 90 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 91 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 92 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 93 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 94 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 95 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 96 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 97 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 98 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 99 0x00, 0x0a, 0x00, 0xff, 100 }; 101 102 static const uint8_t client_hello_dtls12[] = { 103 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 104 0x00, 0x00, 0x00, 0x00, 0xbe, 0x01, 0x00, 0x00, 105 0xb2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 106 0xb2, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0xc0, 111 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 112 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 113 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 114 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 115 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 116 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 117 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 118 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 119 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 120 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 121 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34, 0x00, 122 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 123 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 124 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 0x00, 125 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 126 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 127 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0x02, 128 0x01, 0x02, 0x03, 129 }; 130 131 static const uint8_t cipher_list_tls10[] = { 132 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 133 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 134 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 135 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 136 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 137 0x00, 0x0a, 0x00, 0xff, 138 }; 139 140 static const uint8_t client_hello_tls10[] = { 141 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 142 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 143 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 147 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 148 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 149 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 150 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 151 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 152 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 153 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 154 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 155 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 156 }; 157 158 static const uint8_t cipher_list_tls11[] = { 159 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 160 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 161 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 162 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 163 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 164 0x00, 0x0a, 0x00, 0xff, 165 }; 166 167 static const uint8_t client_hello_tls11[] = { 168 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 169 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 171 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 172 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 173 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 174 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 175 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 176 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 177 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 178 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 179 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 180 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 181 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 182 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 183 }; 184 185 static const uint8_t cipher_list_tls12_aes[] = { 186 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 187 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 188 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 189 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 190 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 191 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 192 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 193 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 194 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 195 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 196 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 197 0x00, 0xff, 198 }; 199 200 static const uint8_t cipher_list_tls12_chacha[] = { 201 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 202 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 203 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 204 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 205 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 206 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 207 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 208 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 209 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 210 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 211 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 212 0x00, 0xff, 213 }; 214 215 static const uint8_t client_hello_tls12[] = { 216 0x16, 0x03, 0x03, 0x00, 0xbb, 0x01, 0x00, 0x00, 217 0xb7, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 220 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 221 0x00, 0x00, 0x00, 0x00, 0x00, 0x5a, 0xc0, 0x30, 222 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 223 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 224 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85, 225 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 226 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 227 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 228 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 229 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 230 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 231 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 232 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 233 0x01, 0x00, 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 234 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 235 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 236 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 237 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 238 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 239 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, 240 }; 241 242 static const uint8_t cipher_list_tls13_aes[] = { 243 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x30, 244 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 245 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 246 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85, 247 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 248 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 249 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 250 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 251 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 252 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 253 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 254 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 255 }; 256 257 static const uint8_t cipher_list_tls13_chacha[] = { 258 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 259 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 260 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 261 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85, 262 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 263 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 264 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 265 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 266 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 267 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 268 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 269 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 270 }; 271 272 static const uint8_t client_hello_tls13[] = { 273 0x16, 0x03, 0x03, 0x01, 0x14, 0x01, 0x00, 0x01, 274 0x10, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 278 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 281 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 282 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x13, 0x03, 283 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 0xcc, 0xa8, 284 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 285 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 286 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85, 0x00, 0xc4, 287 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d, 288 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 289 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 290 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 291 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 292 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 293 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 294 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 295 0x00, 0x67, 0x00, 0x2b, 0x00, 0x05, 0x04, 0x03, 296 0x04, 0x03, 0x03, 0x00, 0x33, 0x00, 0x26, 0x00, 297 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 302 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 303 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 304 0x19, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 305 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 306 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 307 0x04, 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 308 0x03, 309 }; 310 311 static const uint8_t cipher_list_tls13_only_aes[] = { 312 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 313 }; 314 315 static const uint8_t cipher_list_tls13_only_chacha[] = { 316 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 317 }; 318 319 static const uint8_t client_hello_tls13_only[] = { 320 0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00, 321 0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 325 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 329 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03, 330 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00, 331 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 332 0x04, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 333 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 337 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 338 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 339 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 340 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 341 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 342 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 343 0x01, 0x04, 0x03, 344 }; 345 346 struct client_hello_test { 347 const char *desc; 348 const int protocol; 349 const size_t random_start; 350 const size_t session_start; 351 const size_t key_share_start; 352 const SSL_METHOD *(*ssl_method)(void); 353 const long ssl_options; 354 int connect_fails; 355 }; 356 357 static const struct client_hello_test client_hello_tests[] = { 358 { 359 .desc = "DTLSv1 client method", 360 .protocol = DTLS1_VERSION, 361 .random_start = DTLS_RANDOM_OFFSET, 362 .ssl_method = DTLSv1_client_method, 363 .connect_fails = 1, 364 }, 365 { 366 .desc = "DTLSv1.2 client method", 367 .protocol = DTLS1_2_VERSION, 368 .random_start = DTLS_RANDOM_OFFSET, 369 .ssl_method = DTLSv1_2_client_method, 370 }, 371 { 372 .desc = "DTLS client method", 373 .protocol = DTLS1_2_VERSION, 374 .random_start = DTLS_RANDOM_OFFSET, 375 .ssl_method = DTLS_client_method, 376 }, 377 { 378 .desc = "DTLS client method (no DTLSv1.2)", 379 .protocol = DTLS1_VERSION, 380 .random_start = DTLS_RANDOM_OFFSET, 381 .ssl_method = DTLS_client_method, 382 .ssl_options = SSL_OP_NO_DTLSv1_2, 383 .connect_fails = 1, 384 }, 385 { 386 .desc = "DTLS client method (no DTLSv1.0)", 387 .protocol = DTLS1_2_VERSION, 388 .random_start = DTLS_RANDOM_OFFSET, 389 .ssl_method = DTLS_client_method, 390 .ssl_options = SSL_OP_NO_DTLSv1, 391 }, 392 { 393 .desc = "TLSv1 client method", 394 .protocol = TLS1_VERSION, 395 .random_start = SSL3_RANDOM_OFFSET, 396 .ssl_method = TLSv1_client_method, 397 .connect_fails = 1, 398 }, 399 { 400 .desc = "TLSv1_1 client method", 401 .protocol = TLS1_1_VERSION, 402 .random_start = SSL3_RANDOM_OFFSET, 403 .ssl_method = TLSv1_1_client_method, 404 .connect_fails = 1, 405 }, 406 { 407 .desc = "TLSv1_2 client method", 408 .protocol = TLS1_2_VERSION, 409 .random_start = SSL3_RANDOM_OFFSET, 410 .ssl_method = TLSv1_2_client_method, 411 }, 412 { 413 .desc = "SSLv23 default", 414 .protocol = TLS1_3_VERSION, 415 .random_start = TLS13_RANDOM_OFFSET, 416 .session_start = TLS13_SESSION_OFFSET, 417 .key_share_start = TLS13_KEY_SHARE_OFFSET, 418 .ssl_method = SSLv23_client_method, 419 .ssl_options = 0, 420 }, 421 { 422 .desc = "SSLv23 default (no TLSv1.3)", 423 .protocol = TLS1_2_VERSION, 424 .random_start = SSL3_RANDOM_OFFSET, 425 .ssl_method = SSLv23_client_method, 426 .ssl_options = SSL_OP_NO_TLSv1_3, 427 }, 428 { 429 .desc = "SSLv23 (no TLSv1.2)", 430 .protocol = TLS1_3_VERSION_ONLY, 431 .random_start = TLS13_RANDOM_OFFSET, 432 .session_start = TLS13_SESSION_OFFSET, 433 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 434 .ssl_method = SSLv23_client_method, 435 .ssl_options = SSL_OP_NO_TLSv1_2, 436 }, 437 { 438 .desc = "SSLv23 (no TLSv1.1)", 439 .protocol = TLS1_3_VERSION, 440 .random_start = TLS13_RANDOM_OFFSET, 441 .session_start = TLS13_SESSION_OFFSET, 442 .key_share_start = TLS13_KEY_SHARE_OFFSET, 443 .ssl_method = SSLv23_client_method, 444 .ssl_options = SSL_OP_NO_TLSv1_1, 445 }, 446 { 447 .desc = "TLS default", 448 .protocol = TLS1_3_VERSION, 449 .random_start = TLS13_RANDOM_OFFSET, 450 .session_start = TLS13_SESSION_OFFSET, 451 .key_share_start = TLS13_KEY_SHARE_OFFSET, 452 .ssl_method = TLS_client_method, 453 .ssl_options = 0, 454 }, 455 { 456 .desc = "TLS (no TLSv1.3)", 457 .protocol = TLS1_2_VERSION, 458 .random_start = SSL3_RANDOM_OFFSET, 459 .ssl_method = TLS_client_method, 460 .ssl_options = SSL_OP_NO_TLSv1_3, 461 }, 462 { 463 .desc = "TLS (no TLSv1.2)", 464 .protocol = TLS1_3_VERSION_ONLY, 465 .random_start = TLS13_RANDOM_OFFSET, 466 .session_start = TLS13_SESSION_OFFSET, 467 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 468 .ssl_method = TLS_client_method, 469 .ssl_options = SSL_OP_NO_TLSv1_2, 470 }, 471 { 472 .desc = "TLS (no TLSv1.1)", 473 .protocol = TLS1_3_VERSION, 474 .random_start = TLS13_RANDOM_OFFSET, 475 .session_start = TLS13_SESSION_OFFSET, 476 .key_share_start = TLS13_KEY_SHARE_OFFSET, 477 .ssl_method = TLS_client_method, 478 .ssl_options = SSL_OP_NO_TLSv1_1, 479 }, 480 #if 0 481 /* XXX - build client hello with explicit versions extension. */ 482 { 483 .desc = "TLS (no TLSv1.0, no TLSv1.1)", 484 .protocol = TLS1_3_VERSION, 485 .random_start = TLS13_RANDOM_OFFSET, 486 .session_start = TLS13_SESSION_OFFSET, 487 .key_share_start = TLS13_KEY_SHARE_OFFSET, 488 .ssl_method = TLS_client_method, 489 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 490 }, 491 #endif 492 { 493 .desc = "TLS (no TLSv1.0, no TLSv1.1, no TLSv1.2)", 494 .protocol = TLS1_3_VERSION_ONLY, 495 .random_start = TLS13_RANDOM_OFFSET, 496 .session_start = TLS13_SESSION_OFFSET, 497 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 498 .ssl_method = TLS_client_method, 499 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 500 }, 501 }; 502 503 #define N_CLIENT_HELLO_TESTS \ 504 (sizeof(client_hello_tests) / sizeof(*client_hello_tests)) 505 506 static void 507 hexdump(const uint8_t *buf, size_t len, const uint8_t *compare) 508 { 509 const char *mark = ""; 510 size_t i; 511 512 for (i = 1; i <= len; i++) { 513 if (compare != NULL) 514 mark = (buf[i - 1] != compare[i - 1]) ? "*" : " "; 515 fprintf(stderr, " %s0x%02hhx,%s", mark, buf[i - 1], 516 i % 8 && i != len ? "" : "\n"); 517 } 518 fprintf(stderr, "\n"); 519 } 520 521 static inline int 522 ssl_aes_is_accelerated(void) 523 { 524 #if defined(__i386__) || defined(__x86_64__) 525 return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); 526 #else 527 return (0); 528 #endif 529 } 530 531 static int 532 make_client_hello(int protocol, char **out, size_t *outlen) 533 { 534 size_t client_hello_len, cipher_list_len, cipher_list_offset; 535 const uint8_t *client_hello, *cipher_list; 536 char *p; 537 538 *out = NULL; 539 *outlen = 0; 540 541 switch (protocol) { 542 case DTLS1_VERSION: 543 client_hello = client_hello_dtls1; 544 client_hello_len = sizeof(client_hello_dtls1); 545 cipher_list = cipher_list_dtls1; 546 cipher_list_len = sizeof(cipher_list_dtls1); 547 cipher_list_offset = DTLS_CIPHER_OFFSET; 548 break; 549 550 case DTLS1_2_VERSION: 551 client_hello = client_hello_dtls12; 552 client_hello_len = sizeof(client_hello_dtls12); 553 cipher_list = cipher_list_dtls12_chacha; 554 cipher_list_len = sizeof(cipher_list_dtls12_chacha); 555 if (ssl_aes_is_accelerated()) { 556 cipher_list = cipher_list_dtls12_aes; 557 cipher_list_len = sizeof(cipher_list_dtls12_aes); 558 } 559 cipher_list_offset = DTLS_CIPHER_OFFSET; 560 break; 561 562 case TLS1_VERSION: 563 client_hello = client_hello_tls10; 564 client_hello_len = sizeof(client_hello_tls10); 565 cipher_list = cipher_list_tls10; 566 cipher_list_len = sizeof(cipher_list_tls10); 567 cipher_list_offset = SSL3_CIPHER_OFFSET; 568 break; 569 570 case TLS1_1_VERSION: 571 client_hello = client_hello_tls11; 572 client_hello_len = sizeof(client_hello_tls11); 573 cipher_list = cipher_list_tls11; 574 cipher_list_len = sizeof(cipher_list_tls11); 575 cipher_list_offset = SSL3_CIPHER_OFFSET; 576 break; 577 578 case TLS1_2_VERSION: 579 client_hello = client_hello_tls12; 580 client_hello_len = sizeof(client_hello_tls12); 581 cipher_list = cipher_list_tls12_chacha; 582 cipher_list_len = sizeof(cipher_list_tls12_chacha); 583 if (ssl_aes_is_accelerated()) { 584 cipher_list = cipher_list_tls12_aes; 585 cipher_list_len = sizeof(cipher_list_tls12_aes); 586 } 587 cipher_list_offset = SSL3_CIPHER_OFFSET; 588 break; 589 590 case TLS1_3_VERSION: 591 client_hello = client_hello_tls13; 592 client_hello_len = sizeof(client_hello_tls13); 593 cipher_list = cipher_list_tls13_chacha; 594 cipher_list_len = sizeof(cipher_list_tls13_chacha); 595 if (ssl_aes_is_accelerated()) { 596 cipher_list = cipher_list_tls13_aes; 597 cipher_list_len = sizeof(cipher_list_tls13_aes); 598 } 599 cipher_list_offset = TLS13_CIPHER_OFFSET; 600 break; 601 602 case TLS1_3_VERSION_ONLY: 603 client_hello = client_hello_tls13_only; 604 client_hello_len = sizeof(client_hello_tls13_only); 605 cipher_list = cipher_list_tls13_only_chacha; 606 cipher_list_len = sizeof(cipher_list_tls13_only_chacha); 607 if (ssl_aes_is_accelerated()) { 608 cipher_list = cipher_list_tls13_only_aes; 609 cipher_list_len = sizeof(cipher_list_tls13_only_aes); 610 } 611 cipher_list_offset = TLS13_CIPHER_OFFSET; 612 break; 613 614 default: 615 return (-1); 616 } 617 618 if ((p = malloc(client_hello_len)) == NULL) 619 return (-1); 620 621 memcpy(p, client_hello, client_hello_len); 622 memcpy(p + cipher_list_offset, cipher_list, cipher_list_len); 623 624 *out = p; 625 *outlen = client_hello_len; 626 627 return (0); 628 } 629 630 static int 631 client_hello_test(int testno, const struct client_hello_test *cht) 632 { 633 BIO *rbio = NULL, *wbio = NULL; 634 SSL_CTX *ssl_ctx = NULL; 635 SSL *ssl = NULL; 636 char *client_hello = NULL; 637 size_t client_hello_len; 638 size_t session_len; 639 char *wbuf, rbuf[1]; 640 int ret = 1; 641 long len; 642 643 fprintf(stderr, "Test %d - %s\n", testno, cht->desc); 644 645 /* Providing a small buf causes *_get_server_hello() to return. */ 646 if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) { 647 fprintf(stderr, "Failed to setup rbio\n"); 648 goto failure; 649 } 650 if ((wbio = BIO_new(BIO_s_mem())) == NULL) { 651 fprintf(stderr, "Failed to setup wbio\n"); 652 goto failure; 653 } 654 655 if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) { 656 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 657 goto failure; 658 } 659 660 SSL_CTX_set_options(ssl_ctx, cht->ssl_options); 661 662 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 663 fprintf(stderr, "SSL_new() returned NULL\n"); 664 goto failure; 665 } 666 667 if (!tlsext_linearize_build_order(ssl)) { 668 fprintf(stderr, "failed to linearize build order"); 669 goto failure; 670 } 671 672 BIO_up_ref(rbio); 673 BIO_up_ref(wbio); 674 SSL_set_bio(ssl, rbio, wbio); 675 676 if (SSL_connect(ssl) != 0) { 677 if (cht->connect_fails) 678 goto done; 679 fprintf(stderr, "SSL_connect() returned non-zero\n"); 680 goto failure; 681 } 682 683 len = BIO_get_mem_data(wbio, &wbuf); 684 685 if (make_client_hello(cht->protocol, &client_hello, 686 &client_hello_len) != 0) 687 errx(1, "failed to make client hello"); 688 689 if ((size_t)len != client_hello_len) { 690 fprintf(stderr, "FAIL: test returned ClientHello length %ld, " 691 "want %zu\n", len, client_hello_len); 692 fprintf(stderr, "received:\n"); 693 hexdump(wbuf, len, NULL); 694 fprintf(stderr, "test data:\n"); 695 hexdump(client_hello, client_hello_len, NULL); 696 fprintf(stderr, "\n"); 697 goto failure; 698 } 699 700 /* We expect the client random to differ. */ 701 if (memcmp(&client_hello[cht->random_start], &wbuf[cht->random_start], 702 SSL3_RANDOM_SIZE) == 0) { 703 fprintf(stderr, "FAIL: ClientHello has zeroed random\n"); 704 goto failure; 705 } 706 707 memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE); 708 709 if (cht->session_start > 0) { 710 session_len = wbuf[cht->session_start]; 711 if (session_len > 0) 712 memset(&wbuf[cht->session_start + 1], 0, session_len); 713 } 714 if (cht->key_share_start > 0) 715 memset(&wbuf[cht->key_share_start], 0, 32); 716 717 if (memcmp(client_hello, wbuf, client_hello_len) != 0) { 718 fprintf(stderr, "FAIL: ClientHello differs:\n"); 719 fprintf(stderr, "received:\n"); 720 hexdump(wbuf, len, client_hello); 721 fprintf(stderr, "test data:\n"); 722 hexdump(client_hello, client_hello_len, wbuf); 723 fprintf(stderr, "\n"); 724 goto failure; 725 } 726 727 done: 728 ret = 0; 729 730 failure: 731 SSL_CTX_free(ssl_ctx); 732 SSL_free(ssl); 733 734 BIO_free(rbio); 735 BIO_free(wbio); 736 737 free(client_hello); 738 739 return (ret); 740 } 741 742 int 743 main(int argc, char **argv) 744 { 745 int failed = 0; 746 size_t i; 747 748 SSL_library_init(); 749 750 for (i = 0; i < N_CLIENT_HELLO_TESTS; i++) 751 failed |= client_hello_test(i, &client_hello_tests[i]); 752 753 return (failed); 754 } 755