1 /* $OpenBSD: clienttest.c,v 1.43 2024/02/03 15:58:34 beck Exp $ */ 2 /* 3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include <openssl/dtls1.h> 21 #include <openssl/ssl3.h> 22 23 #include <err.h> 24 #include <stdio.h> 25 #include <string.h> 26 27 #define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) 28 #define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2) 29 #define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38) 30 31 #define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 32 #define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2) 33 #define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37) 34 35 #define TLS13_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 36 #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2) 37 #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34) 38 #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69) 39 #define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 184) 40 #define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 98) 41 42 #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000) 43 44 int tlsext_linearize_build_order(SSL *); 45 46 static const uint8_t cipher_list_dtls1[] = { 47 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 48 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 49 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 50 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 51 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 52 }; 53 54 static const uint8_t client_hello_dtls1[] = { 55 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 56 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00, 57 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 58 0x68, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 59 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0, 63 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 64 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 65 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 66 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 67 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 68 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 69 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 70 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 71 0x00, 72 }; 73 74 static const uint8_t cipher_list_dtls12_aes[] = { 75 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 76 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 77 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 78 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 79 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 80 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 81 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 82 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 83 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 84 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 85 }; 86 87 static const uint8_t cipher_list_dtls12_chacha[] = { 88 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 89 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 90 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 91 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 92 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 93 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 94 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 95 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 96 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 97 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 98 }; 99 100 static const uint8_t client_hello_dtls12[] = { 101 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 102 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 103 0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 104 0xae, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0xc0, 109 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 110 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 111 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 112 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 113 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 114 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 115 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 116 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 117 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x12, 0xc0, 118 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 119 0x00, 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 0x01, 120 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 121 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 122 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 123 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 124 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 125 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, 126 }; 127 128 static const uint8_t cipher_list_tls10[] = { 129 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 130 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 131 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 132 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 133 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 134 0x00, 0x0a, 0x00, 0xff, 135 }; 136 137 static const uint8_t client_hello_tls10[] = { 138 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 139 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 143 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 144 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 145 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 146 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 147 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 148 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 149 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 150 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 151 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 152 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 153 }; 154 155 static const uint8_t cipher_list_tls11[] = { 156 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 157 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 158 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 159 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 160 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 161 0x00, 0x0a, 0x00, 0xff, 162 }; 163 164 static const uint8_t client_hello_tls11[] = { 165 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 166 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 168 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 170 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 171 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 172 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 173 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 174 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 175 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 176 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 177 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 178 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 179 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 180 }; 181 182 static const uint8_t cipher_list_tls12_aes[] = { 183 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 184 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 185 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 186 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 187 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 188 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 189 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 190 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 191 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 192 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 193 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 194 }; 195 196 static const uint8_t cipher_list_tls12_chacha[] = { 197 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 198 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 199 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 200 0x00, 0xc4, 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 201 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 202 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 203 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 204 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 205 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 206 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 207 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 208 }; 209 210 static const uint8_t client_hello_tls12[] = { 211 0x16, 0x03, 0x03, 0x00, 0xb7, 0x01, 0x00, 0x00, 212 0xb3, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 213 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 214 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 216 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0xc0, 0x30, 217 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 218 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 219 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4, 220 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 221 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 222 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 223 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 224 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 225 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 226 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 227 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34, 228 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 229 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 230 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 231 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 232 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 233 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 234 0x02, 0x01, 0x02, 0x03, 235 }; 236 237 static const uint8_t cipher_list_tls13_aes[] = { 238 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x30, 239 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 240 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 241 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0x00, 0xc4, 242 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 243 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 244 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 245 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 246 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 247 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 248 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 249 0x00, 0x0a, 0x00, 0xff, 250 }; 251 252 static const uint8_t cipher_list_tls13_chacha[] = { 253 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 254 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 255 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 256 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4, 257 0x00, 0x88, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 258 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 259 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 260 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 261 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 262 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 263 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 264 0x00, 0x0a, 0x00, 0xff, 265 }; 266 267 static const uint8_t client_hello_tls13[] = { 268 0x16, 0x03, 0x03, 0x01, 0x10, 0x01, 0x00, 0x01, 269 0x0c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 273 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 277 0x00, 0x00, 0x00, 0x00, 0x00, 0x5c, 0x13, 0x03, 278 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 0xcc, 0xa8, 279 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 280 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 281 0x00, 0x6b, 0x00, 0x39, 0x00, 0xc4, 0x00, 0x88, 282 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 283 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 284 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 285 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 286 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 287 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 288 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 289 0x00, 0x0a, 0x01, 0x00, 0x00, 0x67, 0x00, 0x2b, 290 0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00, 291 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 292 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 295 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 296 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 297 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 298 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 299 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 300 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 301 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 302 0x03, 0x02, 0x01, 0x02, 0x03, 303 }; 304 305 static const uint8_t cipher_list_tls13_only_aes[] = { 306 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 307 }; 308 309 static const uint8_t cipher_list_tls13_only_chacha[] = { 310 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 311 }; 312 313 static const uint8_t client_hello_tls13_only[] = { 314 0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00, 315 0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 318 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 319 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 321 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 323 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03, 324 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00, 325 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 326 0x04, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 327 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 331 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 332 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 333 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 334 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 335 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 336 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 337 0x01, 0x04, 0x03, 338 }; 339 340 struct client_hello_test { 341 const char *desc; 342 const int protocol; 343 const size_t random_start; 344 const size_t session_start; 345 const size_t key_share_start; 346 const SSL_METHOD *(*ssl_method)(void); 347 const long ssl_options; 348 int connect_fails; 349 }; 350 351 static const struct client_hello_test client_hello_tests[] = { 352 { 353 .desc = "DTLSv1 client method", 354 .protocol = DTLS1_VERSION, 355 .random_start = DTLS_RANDOM_OFFSET, 356 .ssl_method = DTLSv1_client_method, 357 .connect_fails = 1, 358 }, 359 { 360 .desc = "DTLSv1.2 client method", 361 .protocol = DTLS1_2_VERSION, 362 .random_start = DTLS_RANDOM_OFFSET, 363 .ssl_method = DTLSv1_2_client_method, 364 }, 365 { 366 .desc = "DTLS client method", 367 .protocol = DTLS1_2_VERSION, 368 .random_start = DTLS_RANDOM_OFFSET, 369 .ssl_method = DTLS_client_method, 370 }, 371 { 372 .desc = "DTLS client method (no DTLSv1.2)", 373 .protocol = DTLS1_VERSION, 374 .random_start = DTLS_RANDOM_OFFSET, 375 .ssl_method = DTLS_client_method, 376 .ssl_options = SSL_OP_NO_DTLSv1_2, 377 .connect_fails = 1, 378 }, 379 { 380 .desc = "DTLS client method (no DTLSv1.0)", 381 .protocol = DTLS1_2_VERSION, 382 .random_start = DTLS_RANDOM_OFFSET, 383 .ssl_method = DTLS_client_method, 384 .ssl_options = SSL_OP_NO_DTLSv1, 385 }, 386 { 387 .desc = "TLSv1 client method", 388 .protocol = TLS1_VERSION, 389 .random_start = SSL3_RANDOM_OFFSET, 390 .ssl_method = TLSv1_client_method, 391 .connect_fails = 1, 392 }, 393 { 394 .desc = "TLSv1_1 client method", 395 .protocol = TLS1_1_VERSION, 396 .random_start = SSL3_RANDOM_OFFSET, 397 .ssl_method = TLSv1_1_client_method, 398 .connect_fails = 1, 399 }, 400 { 401 .desc = "TLSv1_2 client method", 402 .protocol = TLS1_2_VERSION, 403 .random_start = SSL3_RANDOM_OFFSET, 404 .ssl_method = TLSv1_2_client_method, 405 }, 406 { 407 .desc = "SSLv23 default", 408 .protocol = TLS1_3_VERSION, 409 .random_start = TLS13_RANDOM_OFFSET, 410 .session_start = TLS13_SESSION_OFFSET, 411 .key_share_start = TLS13_KEY_SHARE_OFFSET, 412 .ssl_method = SSLv23_client_method, 413 .ssl_options = 0, 414 }, 415 { 416 .desc = "SSLv23 default (no TLSv1.3)", 417 .protocol = TLS1_2_VERSION, 418 .random_start = SSL3_RANDOM_OFFSET, 419 .ssl_method = SSLv23_client_method, 420 .ssl_options = SSL_OP_NO_TLSv1_3, 421 }, 422 { 423 .desc = "SSLv23 (no TLSv1.2)", 424 .protocol = TLS1_3_VERSION_ONLY, 425 .random_start = TLS13_RANDOM_OFFSET, 426 .session_start = TLS13_SESSION_OFFSET, 427 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 428 .ssl_method = SSLv23_client_method, 429 .ssl_options = SSL_OP_NO_TLSv1_2, 430 }, 431 { 432 .desc = "SSLv23 (no TLSv1.1)", 433 .protocol = TLS1_3_VERSION, 434 .random_start = TLS13_RANDOM_OFFSET, 435 .session_start = TLS13_SESSION_OFFSET, 436 .key_share_start = TLS13_KEY_SHARE_OFFSET, 437 .ssl_method = SSLv23_client_method, 438 .ssl_options = SSL_OP_NO_TLSv1_1, 439 }, 440 { 441 .desc = "TLS default", 442 .protocol = TLS1_3_VERSION, 443 .random_start = TLS13_RANDOM_OFFSET, 444 .session_start = TLS13_SESSION_OFFSET, 445 .key_share_start = TLS13_KEY_SHARE_OFFSET, 446 .ssl_method = TLS_client_method, 447 .ssl_options = 0, 448 }, 449 { 450 .desc = "TLS (no TLSv1.3)", 451 .protocol = TLS1_2_VERSION, 452 .random_start = SSL3_RANDOM_OFFSET, 453 .ssl_method = TLS_client_method, 454 .ssl_options = SSL_OP_NO_TLSv1_3, 455 }, 456 { 457 .desc = "TLS (no TLSv1.2)", 458 .protocol = TLS1_3_VERSION_ONLY, 459 .random_start = TLS13_RANDOM_OFFSET, 460 .session_start = TLS13_SESSION_OFFSET, 461 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 462 .ssl_method = TLS_client_method, 463 .ssl_options = SSL_OP_NO_TLSv1_2, 464 }, 465 { 466 .desc = "TLS (no TLSv1.1)", 467 .protocol = TLS1_3_VERSION, 468 .random_start = TLS13_RANDOM_OFFSET, 469 .session_start = TLS13_SESSION_OFFSET, 470 .key_share_start = TLS13_KEY_SHARE_OFFSET, 471 .ssl_method = TLS_client_method, 472 .ssl_options = SSL_OP_NO_TLSv1_1, 473 }, 474 #if 0 475 /* XXX - build client hello with explicit versions extension. */ 476 { 477 .desc = "TLS (no TLSv1.0, no TLSv1.1)", 478 .protocol = TLS1_3_VERSION, 479 .random_start = TLS13_RANDOM_OFFSET, 480 .session_start = TLS13_SESSION_OFFSET, 481 .key_share_start = TLS13_KEY_SHARE_OFFSET, 482 .ssl_method = TLS_client_method, 483 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 484 }, 485 #endif 486 { 487 .desc = "TLS (no TLSv1.0, no TLSv1.1, no TLSv1.2)", 488 .protocol = TLS1_3_VERSION_ONLY, 489 .random_start = TLS13_RANDOM_OFFSET, 490 .session_start = TLS13_SESSION_OFFSET, 491 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 492 .ssl_method = TLS_client_method, 493 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 494 }, 495 }; 496 497 #define N_CLIENT_HELLO_TESTS \ 498 (sizeof(client_hello_tests) / sizeof(*client_hello_tests)) 499 500 static void 501 hexdump(const uint8_t *buf, size_t len, const uint8_t *compare) 502 { 503 const char *mark = ""; 504 size_t i; 505 506 for (i = 1; i <= len; i++) { 507 if (compare != NULL) 508 mark = (buf[i - 1] != compare[i - 1]) ? "*" : " "; 509 fprintf(stderr, " %s0x%02hhx,%s", mark, buf[i - 1], 510 i % 8 && i != len ? "" : "\n"); 511 } 512 fprintf(stderr, "\n"); 513 } 514 515 static inline int 516 ssl_aes_is_accelerated(void) 517 { 518 #if defined(__i386__) || defined(__x86_64__) 519 return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); 520 #else 521 return (0); 522 #endif 523 } 524 525 static int 526 make_client_hello(int protocol, char **out, size_t *outlen) 527 { 528 size_t client_hello_len, cipher_list_len, cipher_list_offset; 529 const uint8_t *client_hello, *cipher_list; 530 char *p; 531 532 *out = NULL; 533 *outlen = 0; 534 535 switch (protocol) { 536 case DTLS1_VERSION: 537 client_hello = client_hello_dtls1; 538 client_hello_len = sizeof(client_hello_dtls1); 539 cipher_list = cipher_list_dtls1; 540 cipher_list_len = sizeof(cipher_list_dtls1); 541 cipher_list_offset = DTLS_CIPHER_OFFSET; 542 break; 543 544 case DTLS1_2_VERSION: 545 client_hello = client_hello_dtls12; 546 client_hello_len = sizeof(client_hello_dtls12); 547 cipher_list = cipher_list_dtls12_chacha; 548 cipher_list_len = sizeof(cipher_list_dtls12_chacha); 549 if (ssl_aes_is_accelerated()) { 550 cipher_list = cipher_list_dtls12_aes; 551 cipher_list_len = sizeof(cipher_list_dtls12_aes); 552 } 553 cipher_list_offset = DTLS_CIPHER_OFFSET; 554 break; 555 556 case TLS1_VERSION: 557 client_hello = client_hello_tls10; 558 client_hello_len = sizeof(client_hello_tls10); 559 cipher_list = cipher_list_tls10; 560 cipher_list_len = sizeof(cipher_list_tls10); 561 cipher_list_offset = SSL3_CIPHER_OFFSET; 562 break; 563 564 case TLS1_1_VERSION: 565 client_hello = client_hello_tls11; 566 client_hello_len = sizeof(client_hello_tls11); 567 cipher_list = cipher_list_tls11; 568 cipher_list_len = sizeof(cipher_list_tls11); 569 cipher_list_offset = SSL3_CIPHER_OFFSET; 570 break; 571 572 case TLS1_2_VERSION: 573 client_hello = client_hello_tls12; 574 client_hello_len = sizeof(client_hello_tls12); 575 cipher_list = cipher_list_tls12_chacha; 576 cipher_list_len = sizeof(cipher_list_tls12_chacha); 577 if (ssl_aes_is_accelerated()) { 578 cipher_list = cipher_list_tls12_aes; 579 cipher_list_len = sizeof(cipher_list_tls12_aes); 580 } 581 cipher_list_offset = SSL3_CIPHER_OFFSET; 582 break; 583 584 case TLS1_3_VERSION: 585 client_hello = client_hello_tls13; 586 client_hello_len = sizeof(client_hello_tls13); 587 cipher_list = cipher_list_tls13_chacha; 588 cipher_list_len = sizeof(cipher_list_tls13_chacha); 589 if (ssl_aes_is_accelerated()) { 590 cipher_list = cipher_list_tls13_aes; 591 cipher_list_len = sizeof(cipher_list_tls13_aes); 592 } 593 cipher_list_offset = TLS13_CIPHER_OFFSET; 594 break; 595 596 case TLS1_3_VERSION_ONLY: 597 client_hello = client_hello_tls13_only; 598 client_hello_len = sizeof(client_hello_tls13_only); 599 cipher_list = cipher_list_tls13_only_chacha; 600 cipher_list_len = sizeof(cipher_list_tls13_only_chacha); 601 if (ssl_aes_is_accelerated()) { 602 cipher_list = cipher_list_tls13_only_aes; 603 cipher_list_len = sizeof(cipher_list_tls13_only_aes); 604 } 605 cipher_list_offset = TLS13_CIPHER_OFFSET; 606 break; 607 608 default: 609 return (-1); 610 } 611 612 if ((p = malloc(client_hello_len)) == NULL) 613 return (-1); 614 615 memcpy(p, client_hello, client_hello_len); 616 memcpy(p + cipher_list_offset, cipher_list, cipher_list_len); 617 618 *out = p; 619 *outlen = client_hello_len; 620 621 return (0); 622 } 623 624 static int 625 client_hello_test(int testno, const struct client_hello_test *cht) 626 { 627 BIO *rbio = NULL, *wbio = NULL; 628 SSL_CTX *ssl_ctx = NULL; 629 SSL *ssl = NULL; 630 char *client_hello = NULL; 631 size_t client_hello_len; 632 size_t session_len; 633 char *wbuf, rbuf[1]; 634 int ret = 1; 635 long len; 636 637 fprintf(stderr, "Test %d - %s\n", testno, cht->desc); 638 639 /* Providing a small buf causes *_get_server_hello() to return. */ 640 if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) { 641 fprintf(stderr, "Failed to setup rbio\n"); 642 goto failure; 643 } 644 if ((wbio = BIO_new(BIO_s_mem())) == NULL) { 645 fprintf(stderr, "Failed to setup wbio\n"); 646 goto failure; 647 } 648 649 if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) { 650 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 651 goto failure; 652 } 653 654 SSL_CTX_set_options(ssl_ctx, cht->ssl_options); 655 656 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 657 fprintf(stderr, "SSL_new() returned NULL\n"); 658 goto failure; 659 } 660 661 if (!tlsext_linearize_build_order(ssl)) { 662 fprintf(stderr, "failed to linearize build order"); 663 goto failure; 664 } 665 666 BIO_up_ref(rbio); 667 BIO_up_ref(wbio); 668 SSL_set_bio(ssl, rbio, wbio); 669 670 if (SSL_connect(ssl) != 0) { 671 if (cht->connect_fails) 672 goto done; 673 fprintf(stderr, "SSL_connect() returned non-zero\n"); 674 goto failure; 675 } 676 677 len = BIO_get_mem_data(wbio, &wbuf); 678 679 if (make_client_hello(cht->protocol, &client_hello, 680 &client_hello_len) != 0) 681 errx(1, "failed to make client hello"); 682 683 if ((size_t)len != client_hello_len) { 684 fprintf(stderr, "FAIL: test returned ClientHello length %ld, " 685 "want %zu\n", len, client_hello_len); 686 fprintf(stderr, "received:\n"); 687 hexdump(wbuf, len, NULL); 688 fprintf(stderr, "test data:\n"); 689 hexdump(client_hello, client_hello_len, NULL); 690 fprintf(stderr, "\n"); 691 goto failure; 692 } 693 694 /* We expect the client random to differ. */ 695 if (memcmp(&client_hello[cht->random_start], &wbuf[cht->random_start], 696 SSL3_RANDOM_SIZE) == 0) { 697 fprintf(stderr, "FAIL: ClientHello has zeroed random\n"); 698 goto failure; 699 } 700 701 memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE); 702 703 if (cht->session_start > 0) { 704 session_len = wbuf[cht->session_start]; 705 if (session_len > 0) 706 memset(&wbuf[cht->session_start + 1], 0, session_len); 707 } 708 if (cht->key_share_start > 0) 709 memset(&wbuf[cht->key_share_start], 0, 32); 710 711 if (memcmp(client_hello, wbuf, client_hello_len) != 0) { 712 fprintf(stderr, "FAIL: ClientHello differs:\n"); 713 fprintf(stderr, "received:\n"); 714 hexdump(wbuf, len, client_hello); 715 fprintf(stderr, "test data:\n"); 716 hexdump(client_hello, client_hello_len, wbuf); 717 fprintf(stderr, "\n"); 718 goto failure; 719 } 720 721 done: 722 ret = 0; 723 724 failure: 725 SSL_CTX_free(ssl_ctx); 726 SSL_free(ssl); 727 728 BIO_free(rbio); 729 BIO_free(wbio); 730 731 free(client_hello); 732 733 return (ret); 734 } 735 736 int 737 main(int argc, char **argv) 738 { 739 int failed = 0; 740 size_t i; 741 742 SSL_library_init(); 743 744 for (i = 0; i < N_CLIENT_HELLO_TESTS; i++) 745 failed |= client_hello_test(i, &client_hello_tests[i]); 746 747 return (failed); 748 } 749