1 /* $OpenBSD: clienttest.c,v 1.40 2023/04/23 18:59:41 tb Exp $ */ 2 /* 3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl.h> 19 20 #include <openssl/dtls1.h> 21 #include <openssl/ssl3.h> 22 23 #include <err.h> 24 #include <stdio.h> 25 #include <string.h> 26 27 #define DTLS_HM_OFFSET (DTLS1_RT_HEADER_LENGTH + DTLS1_HM_HEADER_LENGTH) 28 #define DTLS_RANDOM_OFFSET (DTLS_HM_OFFSET + 2) 29 #define DTLS_CIPHER_OFFSET (DTLS_HM_OFFSET + 38) 30 31 #define SSL3_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 32 #define SSL3_RANDOM_OFFSET (SSL3_HM_OFFSET + 2) 33 #define SSL3_CIPHER_OFFSET (SSL3_HM_OFFSET + 37) 34 35 #define TLS13_HM_OFFSET (SSL3_RT_HEADER_LENGTH + SSL3_HM_HEADER_LENGTH) 36 #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2) 37 #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34) 38 #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69) 39 #define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 192) 40 #define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 98) 41 42 #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000) 43 44 int tlsext_linearize_build_order(SSL *); 45 46 static const uint8_t cipher_list_dtls1[] = { 47 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 48 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 49 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 50 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 51 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 52 }; 53 54 static const uint8_t client_hello_dtls1[] = { 55 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 56 0x00, 0x00, 0x00, 0x00, 0x74, 0x01, 0x00, 0x00, 57 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 58 0x68, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 59 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 60 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 61 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 62 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0xc0, 63 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 64 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 65 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 66 0x2f, 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 67 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 68 0x18, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 69 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 70 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 71 0x00, 72 }; 73 74 static const uint8_t cipher_list_dtls12_aes[] = { 75 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 76 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 77 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 78 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 79 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 80 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 81 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 82 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 83 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 84 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 85 0x00, 0x0a, 0x00, 0xff 86 }; 87 88 static const uint8_t cipher_list_dtls12_chacha[] = { 89 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 90 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 91 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 92 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 93 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 94 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 95 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 96 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 97 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 98 0x00, 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 99 0x00, 0x0a, 0x00, 0xff, 100 }; 101 102 static const uint8_t client_hello_dtls12[] = { 103 0x16, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 104 0x00, 0x00, 0x00, 0x00, 0xbe, 0x01, 0x00, 0x00, 105 0xb2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 106 0xb2, 0xfe, 0xfd, 0x00, 0x00, 0x00, 0x00, 0x00, 107 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 108 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 109 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0xc0, 111 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 112 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 113 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 114 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 115 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 116 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 117 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 118 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 119 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 120 0x41, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 121 0x0a, 0x00, 0xff, 0x01, 0x00, 0x00, 0x34, 0x00, 122 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 123 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 124 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 0x00, 125 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06, 126 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05, 127 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0x02, 128 0x01, 0x02, 0x03, 129 }; 130 131 static const uint8_t cipher_list_tls10[] = { 132 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 133 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 134 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 135 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 136 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 137 0x00, 0x0a, 0x00, 0xff, 138 }; 139 140 static const uint8_t client_hello_tls10[] = { 141 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 142 0x6d, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 143 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 146 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 147 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 148 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 149 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 150 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 151 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 152 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 153 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 154 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 155 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 156 }; 157 158 static const uint8_t cipher_list_tls11[] = { 159 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 160 0x00, 0x88, 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 161 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 162 0x00, 0x2f, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 163 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 164 0x00, 0x0a, 0x00, 0xff, 165 }; 166 167 static const uint8_t client_hello_tls11[] = { 168 0x16, 0x03, 0x01, 0x00, 0x71, 0x01, 0x00, 0x00, 169 0x6d, 0x03, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 171 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 172 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 173 0x00, 0x00, 0x00, 0x00, 0x00, 0x2c, 0xc0, 0x14, 174 0xc0, 0x0a, 0x00, 0x39, 0xff, 0x85, 0x00, 0x88, 175 0x00, 0x81, 0x00, 0x35, 0x00, 0x84, 0xc0, 0x13, 176 0xc0, 0x09, 0x00, 0x33, 0x00, 0x45, 0x00, 0x2f, 177 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 178 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 179 0x00, 0xff, 0x01, 0x00, 0x00, 0x18, 0x00, 0x0b, 180 0x00, 0x02, 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 181 0x00, 0x08, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 182 0x00, 0x19, 0x00, 0x23, 0x00, 0x00, 183 }; 184 185 static const uint8_t cipher_list_tls12_aes[] = { 186 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 187 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 188 0x00, 0x39, 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 189 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 190 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 191 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 192 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 193 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 194 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 195 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 196 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 197 0x00, 0xff, 198 }; 199 200 static const uint8_t cipher_list_tls12_chacha[] = { 201 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 202 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 203 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 204 0xff, 0x85, 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 205 0x00, 0x9d, 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 206 0x00, 0x84, 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 207 0xc0, 0x23, 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 208 0x00, 0x67, 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 209 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 210 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 211 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 212 0x00, 0xff, 213 }; 214 215 static const uint8_t client_hello_tls12[] = { 216 0x16, 0x03, 0x01, 0x00, 0xbb, 0x01, 0x00, 0x00, 217 0xb7, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 220 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 221 0x00, 0x00, 0x00, 0x00, 0x00, 0x5a, 0xc0, 0x30, 222 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 223 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 224 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85, 225 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 226 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 227 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 228 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 229 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 230 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 231 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 232 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 233 0x01, 0x00, 0x00, 0x34, 0x00, 0x0b, 0x00, 0x02, 234 0x01, 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 235 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 236 0x00, 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x18, 237 0x00, 0x16, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 238 0x08, 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 239 0x04, 0x01, 0x04, 0x03, 0x02, 0x01, 0x02, 0x03, 240 }; 241 242 static const uint8_t cipher_list_tls13_aes[] = { 243 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 0xc0, 0x30, 244 0xc0, 0x2c, 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 245 0xc0, 0x0a, 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 246 0xcc, 0xa9, 0xcc, 0xa8, 0xcc, 0xaa, 0xff, 0x85, 247 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 248 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 249 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 250 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 251 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 252 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 253 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 254 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 255 }; 256 257 static const uint8_t cipher_list_tls13_chacha[] = { 258 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 259 0xcc, 0xa8, 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 260 0xc0, 0x28, 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 261 0x00, 0x9f, 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85, 262 0x00, 0xc4, 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 263 0x00, 0x3d, 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 264 0xc0, 0x2f, 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 265 0xc0, 0x13, 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 266 0x00, 0x33, 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 267 0x00, 0x3c, 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 268 0xc0, 0x11, 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 269 0xc0, 0x08, 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 270 }; 271 272 static const uint8_t client_hello_tls13[] = { 273 0x16, 0x03, 0x01, 0x01, 0x18, 0x01, 0x00, 0x01, 274 0x14, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 277 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 278 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 281 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 282 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x13, 0x03, 283 0x13, 0x02, 0x13, 0x01, 0xcc, 0xa9, 0xcc, 0xa8, 284 0xcc, 0xaa, 0xc0, 0x30, 0xc0, 0x2c, 0xc0, 0x28, 285 0xc0, 0x24, 0xc0, 0x14, 0xc0, 0x0a, 0x00, 0x9f, 286 0x00, 0x6b, 0x00, 0x39, 0xff, 0x85, 0x00, 0xc4, 287 0x00, 0x88, 0x00, 0x81, 0x00, 0x9d, 0x00, 0x3d, 288 0x00, 0x35, 0x00, 0xc0, 0x00, 0x84, 0xc0, 0x2f, 289 0xc0, 0x2b, 0xc0, 0x27, 0xc0, 0x23, 0xc0, 0x13, 290 0xc0, 0x09, 0x00, 0x9e, 0x00, 0x67, 0x00, 0x33, 291 0x00, 0xbe, 0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 292 0x00, 0x2f, 0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 293 0xc0, 0x07, 0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 294 0x00, 0x16, 0x00, 0x0a, 0x00, 0xff, 0x01, 0x00, 295 0x00, 0x6b, 0x00, 0x2b, 0x00, 0x09, 0x08, 0x03, 296 0x04, 0x03, 0x03, 0x03, 0x02, 0x03, 0x01, 0x00, 297 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 298 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 300 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 302 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 303 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00, 304 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x23, 0x00, 305 0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 306 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 307 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 308 0x03, 0x02, 0x01, 0x02, 0x03, 309 }; 310 311 static const uint8_t cipher_list_tls13_only_aes[] = { 312 0x13, 0x02, 0x13, 0x03, 0x13, 0x01, 313 }; 314 315 static const uint8_t cipher_list_tls13_only_chacha[] = { 316 0x13, 0x03, 0x13, 0x02, 0x13, 0x01, 317 }; 318 319 static const uint8_t client_hello_tls13_only[] = { 320 0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00, 321 0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 325 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 327 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 329 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03, 330 0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00, 331 0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 332 0x04, 0x00, 0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 333 0x1d, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 335 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 336 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 337 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 338 0x00, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 339 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 340 0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 341 0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 342 0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 343 0x01, 0x04, 0x03, 344 }; 345 346 struct client_hello_test { 347 const char *desc; 348 const int protocol; 349 const size_t random_start; 350 const size_t session_start; 351 const size_t key_share_start; 352 const SSL_METHOD *(*ssl_method)(void); 353 const long ssl_options; 354 }; 355 356 static const struct client_hello_test client_hello_tests[] = { 357 { 358 .desc = "DTLSv1 client method", 359 .protocol = DTLS1_VERSION, 360 .random_start = DTLS_RANDOM_OFFSET, 361 .ssl_method = DTLSv1_client_method, 362 }, 363 { 364 .desc = "DTLSv1.2 client method", 365 .protocol = DTLS1_2_VERSION, 366 .random_start = DTLS_RANDOM_OFFSET, 367 .ssl_method = DTLSv1_2_client_method, 368 }, 369 { 370 .desc = "DTLS client method", 371 .protocol = DTLS1_2_VERSION, 372 .random_start = DTLS_RANDOM_OFFSET, 373 .ssl_method = DTLS_client_method, 374 }, 375 { 376 .desc = "DTLS client method (no DTLSv1.2)", 377 .protocol = DTLS1_VERSION, 378 .random_start = DTLS_RANDOM_OFFSET, 379 .ssl_method = DTLS_client_method, 380 .ssl_options = SSL_OP_NO_DTLSv1_2, 381 }, 382 { 383 .desc = "DTLS client method (no DTLSv1.0)", 384 .protocol = DTLS1_2_VERSION, 385 .random_start = DTLS_RANDOM_OFFSET, 386 .ssl_method = DTLS_client_method, 387 .ssl_options = SSL_OP_NO_DTLSv1, 388 }, 389 { 390 .desc = "TLSv1 client method", 391 .protocol = TLS1_VERSION, 392 .random_start = SSL3_RANDOM_OFFSET, 393 .ssl_method = TLSv1_client_method, 394 }, 395 { 396 .desc = "TLSv1_1 client method", 397 .protocol = TLS1_1_VERSION, 398 .random_start = SSL3_RANDOM_OFFSET, 399 .ssl_method = TLSv1_1_client_method, 400 }, 401 { 402 .desc = "TLSv1_2 client method", 403 .protocol = TLS1_2_VERSION, 404 .random_start = SSL3_RANDOM_OFFSET, 405 .ssl_method = TLSv1_2_client_method, 406 }, 407 { 408 .desc = "SSLv23 default", 409 .protocol = TLS1_3_VERSION, 410 .random_start = TLS13_RANDOM_OFFSET, 411 .session_start = TLS13_SESSION_OFFSET, 412 .key_share_start = TLS13_KEY_SHARE_OFFSET, 413 .ssl_method = SSLv23_client_method, 414 .ssl_options = 0, 415 }, 416 { 417 .desc = "SSLv23 default (no TLSv1.3)", 418 .protocol = TLS1_2_VERSION, 419 .random_start = SSL3_RANDOM_OFFSET, 420 .ssl_method = SSLv23_client_method, 421 .ssl_options = SSL_OP_NO_TLSv1_3, 422 }, 423 { 424 .desc = "SSLv23 (no TLSv1.2)", 425 .protocol = TLS1_1_VERSION, 426 .random_start = SSL3_RANDOM_OFFSET, 427 .ssl_method = SSLv23_client_method, 428 .ssl_options = SSL_OP_NO_TLSv1_2, 429 }, 430 { 431 .desc = "SSLv23 (no TLSv1.1)", 432 .protocol = TLS1_VERSION, 433 .random_start = SSL3_RANDOM_OFFSET, 434 .ssl_method = SSLv23_client_method, 435 .ssl_options = SSL_OP_NO_TLSv1_1, 436 }, 437 { 438 .desc = "TLS default", 439 .protocol = TLS1_3_VERSION, 440 .random_start = TLS13_RANDOM_OFFSET, 441 .session_start = TLS13_SESSION_OFFSET, 442 .key_share_start = TLS13_KEY_SHARE_OFFSET, 443 .ssl_method = TLS_client_method, 444 .ssl_options = 0, 445 }, 446 { 447 .desc = "TLS (no TLSv1.3)", 448 .protocol = TLS1_2_VERSION, 449 .random_start = SSL3_RANDOM_OFFSET, 450 .ssl_method = TLS_client_method, 451 .ssl_options = SSL_OP_NO_TLSv1_3, 452 }, 453 { 454 .desc = "TLS (no TLSv1.2)", 455 .protocol = TLS1_1_VERSION, 456 .random_start = SSL3_RANDOM_OFFSET, 457 .ssl_method = TLS_client_method, 458 .ssl_options = SSL_OP_NO_TLSv1_2, 459 }, 460 { 461 .desc = "TLS (no TLSv1.1)", 462 .protocol = TLS1_VERSION, 463 .random_start = SSL3_RANDOM_OFFSET, 464 .ssl_method = TLS_client_method, 465 .ssl_options = SSL_OP_NO_TLSv1_1, 466 }, 467 #if 0 468 /* XXX - build client hello with explicit versions extension. */ 469 { 470 .desc = "TLS (no TLSv1.0, no TLSv1.1)", 471 .protocol = TLS1_3_VERSION, 472 .random_start = TLS13_RANDOM_OFFSET, 473 .session_start = TLS13_SESSION_OFFSET, 474 .key_share_start = TLS13_KEY_SHARE_OFFSET, 475 .ssl_method = TLS_client_method, 476 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1, 477 }, 478 #endif 479 { 480 .desc = "TLS (no TLSv1.0, no TLSv1.1, no TLSv1.2)", 481 .protocol = TLS1_3_VERSION_ONLY, 482 .random_start = TLS13_RANDOM_OFFSET, 483 .session_start = TLS13_SESSION_OFFSET, 484 .key_share_start = TLS13_ONLY_KEY_SHARE_OFFSET, 485 .ssl_method = TLS_client_method, 486 .ssl_options = SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, 487 }, 488 }; 489 490 #define N_CLIENT_HELLO_TESTS \ 491 (sizeof(client_hello_tests) / sizeof(*client_hello_tests)) 492 493 static void 494 hexdump(const uint8_t *buf, size_t len, const uint8_t *compare) 495 { 496 const char *mark = ""; 497 size_t i; 498 499 for (i = 1; i <= len; i++) { 500 if (compare != NULL) 501 mark = (buf[i - 1] != compare[i - 1]) ? "*" : " "; 502 fprintf(stderr, " %s0x%02hhx,%s", mark, buf[i - 1], 503 i % 8 && i != len ? "" : "\n"); 504 } 505 fprintf(stderr, "\n"); 506 } 507 508 static inline int 509 ssl_aes_is_accelerated(void) 510 { 511 #if defined(__i386__) || defined(__x86_64__) 512 return ((OPENSSL_cpu_caps() & (1ULL << 57)) != 0); 513 #else 514 return (0); 515 #endif 516 } 517 518 static int 519 make_client_hello(int protocol, char **out, size_t *outlen) 520 { 521 size_t client_hello_len, cipher_list_len, cipher_list_offset; 522 const uint8_t *client_hello, *cipher_list; 523 char *p; 524 525 *out = NULL; 526 *outlen = 0; 527 528 switch (protocol) { 529 case DTLS1_VERSION: 530 client_hello = client_hello_dtls1; 531 client_hello_len = sizeof(client_hello_dtls1); 532 cipher_list = cipher_list_dtls1; 533 cipher_list_len = sizeof(cipher_list_dtls1); 534 cipher_list_offset = DTLS_CIPHER_OFFSET; 535 break; 536 537 case DTLS1_2_VERSION: 538 client_hello = client_hello_dtls12; 539 client_hello_len = sizeof(client_hello_dtls12); 540 cipher_list = cipher_list_dtls12_chacha; 541 cipher_list_len = sizeof(cipher_list_dtls12_chacha); 542 if (ssl_aes_is_accelerated()) { 543 cipher_list = cipher_list_dtls12_aes; 544 cipher_list_len = sizeof(cipher_list_dtls12_aes); 545 } 546 cipher_list_offset = DTLS_CIPHER_OFFSET; 547 break; 548 549 case TLS1_VERSION: 550 client_hello = client_hello_tls10; 551 client_hello_len = sizeof(client_hello_tls10); 552 cipher_list = cipher_list_tls10; 553 cipher_list_len = sizeof(cipher_list_tls10); 554 cipher_list_offset = SSL3_CIPHER_OFFSET; 555 break; 556 557 case TLS1_1_VERSION: 558 client_hello = client_hello_tls11; 559 client_hello_len = sizeof(client_hello_tls11); 560 cipher_list = cipher_list_tls11; 561 cipher_list_len = sizeof(cipher_list_tls11); 562 cipher_list_offset = SSL3_CIPHER_OFFSET; 563 break; 564 565 case TLS1_2_VERSION: 566 client_hello = client_hello_tls12; 567 client_hello_len = sizeof(client_hello_tls12); 568 cipher_list = cipher_list_tls12_chacha; 569 cipher_list_len = sizeof(cipher_list_tls12_chacha); 570 if (ssl_aes_is_accelerated()) { 571 cipher_list = cipher_list_tls12_aes; 572 cipher_list_len = sizeof(cipher_list_tls12_aes); 573 } 574 cipher_list_offset = SSL3_CIPHER_OFFSET; 575 break; 576 577 case TLS1_3_VERSION: 578 client_hello = client_hello_tls13; 579 client_hello_len = sizeof(client_hello_tls13); 580 cipher_list = cipher_list_tls13_chacha; 581 cipher_list_len = sizeof(cipher_list_tls13_chacha); 582 if (ssl_aes_is_accelerated()) { 583 cipher_list = cipher_list_tls13_aes; 584 cipher_list_len = sizeof(cipher_list_tls13_aes); 585 } 586 cipher_list_offset = TLS13_CIPHER_OFFSET; 587 break; 588 589 case TLS1_3_VERSION_ONLY: 590 client_hello = client_hello_tls13_only; 591 client_hello_len = sizeof(client_hello_tls13_only); 592 cipher_list = cipher_list_tls13_only_chacha; 593 cipher_list_len = sizeof(cipher_list_tls13_only_chacha); 594 if (ssl_aes_is_accelerated()) { 595 cipher_list = cipher_list_tls13_only_aes; 596 cipher_list_len = sizeof(cipher_list_tls13_only_aes); 597 } 598 cipher_list_offset = TLS13_CIPHER_OFFSET; 599 break; 600 601 default: 602 return (-1); 603 } 604 605 if ((p = malloc(client_hello_len)) == NULL) 606 return (-1); 607 608 memcpy(p, client_hello, client_hello_len); 609 memcpy(p + cipher_list_offset, cipher_list, cipher_list_len); 610 611 *out = p; 612 *outlen = client_hello_len; 613 614 return (0); 615 } 616 617 static int 618 client_hello_test(int testno, const struct client_hello_test *cht) 619 { 620 BIO *rbio = NULL, *wbio = NULL; 621 SSL_CTX *ssl_ctx = NULL; 622 SSL *ssl = NULL; 623 char *client_hello = NULL; 624 size_t client_hello_len; 625 size_t session_len; 626 char *wbuf, rbuf[1]; 627 int ret = 1; 628 long len; 629 630 fprintf(stderr, "Test %d - %s\n", testno, cht->desc); 631 632 /* Providing a small buf causes *_get_server_hello() to return. */ 633 if ((rbio = BIO_new_mem_buf(rbuf, sizeof(rbuf))) == NULL) { 634 fprintf(stderr, "Failed to setup rbio\n"); 635 goto failure; 636 } 637 if ((wbio = BIO_new(BIO_s_mem())) == NULL) { 638 fprintf(stderr, "Failed to setup wbio\n"); 639 goto failure; 640 } 641 642 if ((ssl_ctx = SSL_CTX_new(cht->ssl_method())) == NULL) { 643 fprintf(stderr, "SSL_CTX_new() returned NULL\n"); 644 goto failure; 645 } 646 647 SSL_CTX_set_options(ssl_ctx, cht->ssl_options); 648 649 if ((ssl = SSL_new(ssl_ctx)) == NULL) { 650 fprintf(stderr, "SSL_new() returned NULL\n"); 651 goto failure; 652 } 653 654 if (!tlsext_linearize_build_order(ssl)) { 655 fprintf(stderr, "failed to linearize build order"); 656 goto failure; 657 } 658 659 BIO_up_ref(rbio); 660 BIO_up_ref(wbio); 661 SSL_set_bio(ssl, rbio, wbio); 662 663 if (SSL_connect(ssl) != 0) { 664 fprintf(stderr, "SSL_connect() returned non-zero\n"); 665 goto failure; 666 } 667 668 len = BIO_get_mem_data(wbio, &wbuf); 669 670 if (make_client_hello(cht->protocol, &client_hello, 671 &client_hello_len) != 0) 672 errx(1, "failed to make client hello"); 673 674 if ((size_t)len != client_hello_len) { 675 fprintf(stderr, "FAIL: test returned ClientHello length %ld, " 676 "want %zu\n", len, client_hello_len); 677 fprintf(stderr, "received:\n"); 678 hexdump(wbuf, len, NULL); 679 fprintf(stderr, "test data:\n"); 680 hexdump(client_hello, client_hello_len, NULL); 681 fprintf(stderr, "\n"); 682 goto failure; 683 } 684 685 /* We expect the client random to differ. */ 686 if (memcmp(&client_hello[cht->random_start], &wbuf[cht->random_start], 687 SSL3_RANDOM_SIZE) == 0) { 688 fprintf(stderr, "FAIL: ClientHello has zeroed random\n"); 689 goto failure; 690 } 691 692 memset(&wbuf[cht->random_start], 0, SSL3_RANDOM_SIZE); 693 694 if (cht->session_start > 0) { 695 session_len = wbuf[cht->session_start]; 696 if (session_len > 0) 697 memset(&wbuf[cht->session_start + 1], 0, session_len); 698 } 699 if (cht->key_share_start > 0) 700 memset(&wbuf[cht->key_share_start], 0, 32); 701 702 if (memcmp(client_hello, wbuf, client_hello_len) != 0) { 703 fprintf(stderr, "FAIL: ClientHello differs:\n"); 704 fprintf(stderr, "received:\n"); 705 hexdump(wbuf, len, client_hello); 706 fprintf(stderr, "test data:\n"); 707 hexdump(client_hello, client_hello_len, wbuf); 708 fprintf(stderr, "\n"); 709 goto failure; 710 } 711 712 ret = 0; 713 714 failure: 715 SSL_CTX_free(ssl_ctx); 716 SSL_free(ssl); 717 718 BIO_free(rbio); 719 BIO_free(wbio); 720 721 free(client_hello); 722 723 return (ret); 724 } 725 726 int 727 main(int argc, char **argv) 728 { 729 int failed = 0; 730 size_t i; 731 732 SSL_library_init(); 733 734 for (i = 0; i < N_CLIENT_HELLO_TESTS; i++) 735 failed |= client_hello_test(i, &client_hello_tests[i]); 736 737 return (failed); 738 } 739