Unit/regression test for TLS heartbeats.

Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(Imported from upstream's 2312a84ca17c5ac133581552df7024957cf15bc8)
diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
index 3e613b4..4c51528 100644
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -44,3 +44,11 @@
 
 	$<TARGET_OBJECTS:pqueue>
 )
+
+add_executable(
+	heartbeat_test
+
+	heartbeat_test.c
+)
+
+target_link_libraries(heartbeat_test ssl crypto)
diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
new file mode 100644
index 0000000..f359589
--- /dev/null
+++ b/ssl/heartbeat_test.c
@@ -0,0 +1,461 @@
+/* test/heartbeat_test.c */
+/*
+ * Unit test for TLS heartbeats.
+ *
+ * Acts as a regression test against the Heartbleed bug (CVE-2014-0160).
+ *
+ * Author:  Mike Bland (mbland@acm.org, http://mike-bland.com/)
+ * Date:    2014-04-12
+ * License: Creative Commons Attribution 4.0 International (CC By 4.0)
+ *          http://creativecommons.org/licenses/by/4.0/deed.en_US
+ *
+ * OUTPUT
+ * ------
+ * The program returns zero on success. It will print a message with a count
+ * of the number of failed tests and return nonzero if any tests fail.
+ *
+ * It will print the contents of the request and response buffers for each
+ * failing test. In a "fixed" version, all the tests should pass and there
+ * should be no output.
+ *
+ * In a "bleeding" version, you'll see:
+ *
+ *   test_dtls1_heartbleed failed:
+ *     expected payload len: 0
+ *     received: 1024
+ *   sent 26 characters
+ *     "HEARTBLEED                "
+ *   received 1024 characters
+ *     "HEARTBLEED                \xde\xad\xbe\xef..."
+ *   ** test_dtls1_heartbleed failed **
+ *
+ * The contents of the returned buffer in the failing test will depend on the
+ * contents of memory on your machine.
+ *
+ * MORE INFORMATION
+ * ----------------
+ * http://mike-bland.com/2014/04/12/heartbleed.html
+ * http://mike-bland.com/tags/heartbleed.html
+ */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/buf.h>
+#include <openssl/err.h>
+#include "../ssl/ssl_locl.h"
+
+/* As per https://tools.ietf.org/html/rfc6520#section-4 */
+#define MIN_PADDING_SIZE	16
+
+/* Maximum number of payload characters to print as test output */
+#define MAX_PRINTABLE_CHARACTERS	1024
+
+typedef struct heartbeat_test_fixture
+	{
+	SSL_CTX *ctx;
+	SSL *s;
+	const char* test_case_name;
+	int (*process_heartbeat)(SSL* s);
+	unsigned char* payload;
+	int sent_payload_len;
+	int expected_return_value;
+	int return_payload_offset;
+	int expected_payload_len;
+	const char* expected_return_payload;
+	} HEARTBEAT_TEST_FIXTURE;
+
+static HEARTBEAT_TEST_FIXTURE set_up(const char* const test_case_name,
+	const SSL_METHOD* meth)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture;
+	int setup_ok = 1;
+	memset(&fixture, 0, sizeof(fixture));
+	fixture.test_case_name = test_case_name;
+
+	fixture.ctx = SSL_CTX_new(meth);
+	if (!fixture.ctx)
+		{
+		fprintf(stderr, "Failed to allocate SSL_CTX for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	fixture.s = SSL_new(fixture.ctx);
+	if (!fixture.s)
+		{
+		fprintf(stderr, "Failed to allocate SSL for test: %s\n", test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	if (!ssl_init_wbio_buffer(fixture.s, 1))
+		{
+		fprintf(stderr, "Failed to set up wbio buffer for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	if (!ssl3_setup_buffers(fixture.s))
+		{
+		fprintf(stderr, "Failed to setup buffers for test: %s\n",
+			test_case_name);
+		setup_ok = 0;
+		goto fail;
+		}
+
+	/* Clear the memory for the return buffer, since this isn't automatically
+	 * zeroed in opt mode and will cause spurious test failures that will change
+	 * with each execution.
+	 */
+	memset(fixture.s->s3->wbuf.buf, 0, fixture.s->s3->wbuf.len);
+
+	fail:
+	if (!setup_ok)
+		{
+		BIO_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+		}
+	return fixture;
+	}
+
+static HEARTBEAT_TEST_FIXTURE set_up_dtls(const char* const test_case_name)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+		DTLSv1_server_method());
+	fixture.process_heartbeat = dtls1_process_heartbeat;
+
+	/* As per dtls1_get_record(), skipping the following from the beginning of
+	 * the returned heartbeat message:
+	 * type-1 byte; version-2 bytes; sequence number-8 bytes; length-2 bytes
+	 *
+	 * And then skipping the 1-byte type encoded by process_heartbeat for
+	 * a total of 14 bytes, at which point we can grab the length and the
+	 * payload we seek.
+	 */
+	fixture.return_payload_offset = 14;
+	return fixture;
+	}
+
+/* Needed by ssl3_write_bytes() */
+static int dummy_handshake(SSL* s)
+	{
+	return 1;
+	}
+
+static HEARTBEAT_TEST_FIXTURE set_up_tls(const char* const test_case_name)
+	{
+	HEARTBEAT_TEST_FIXTURE fixture = set_up(test_case_name,
+		TLSv1_server_method());
+	fixture.process_heartbeat = tls1_process_heartbeat;
+	fixture.s->handshake_func = dummy_handshake;
+
+	/* As per do_ssl3_write(), skipping the following from the beginning of
+	 * the returned heartbeat message:
+	 * type-1 byte; version-2 bytes; length-2 bytes
+	 *
+	 * And then skipping the 1-byte type encoded by process_heartbeat for
+	 * a total of 6 bytes, at which point we can grab the length and the payload
+	 * we seek.
+	 */
+	fixture.return_payload_offset = 6;
+	return fixture;
+	}
+
+static void tear_down(HEARTBEAT_TEST_FIXTURE fixture)
+	{
+	BIO_print_errors_fp(stderr);
+	SSL_free(fixture.s);
+	SSL_CTX_free(fixture.ctx);
+	}
+
+static void print_payload(const char* const prefix,
+		const unsigned char *payload, const int n)
+	{
+	const int end = n < MAX_PRINTABLE_CHARACTERS ? n
+	    : MAX_PRINTABLE_CHARACTERS;
+	int i = 0;
+
+	printf("%s %d character%s", prefix, n, n == 1 ? "" : "s");
+	if (end != n) printf(" (first %d shown)", end);
+	printf("\n  \"");
+
+	for (; i != end; ++i)
+		{
+		const unsigned char c = payload[i];
+		if (isprint(c)) fputc(c, stdout);
+		else printf("\\x%02x", c);
+		}
+	printf("\"\n");
+	}
+
+static int execute_heartbeat(HEARTBEAT_TEST_FIXTURE fixture)
+	{
+	int result = 0;
+	SSL* s = fixture.s;
+	unsigned char *payload = fixture.payload;
+	unsigned char sent_buf[MAX_PRINTABLE_CHARACTERS + 1];
+	int return_value;
+	unsigned const char *p;
+	int actual_payload_len;
+
+	s->s3->rrec.data = payload;
+	s->s3->rrec.length = strlen((const char*)payload);
+	*payload++ = TLS1_HB_REQUEST;
+	s2n(fixture.sent_payload_len, payload);
+
+	/* Make a local copy of the request, since it gets overwritten at some
+	 * point */
+	memcpy((char *)sent_buf, (const char*)payload, sizeof(sent_buf));
+
+	return_value = fixture.process_heartbeat(s);
+
+	if (return_value != fixture.expected_return_value)
+		{
+		printf("%s failed: expected return value %d, received %d\n",
+					 fixture.test_case_name, fixture.expected_return_value,
+					 return_value);
+		result = 1;
+		}
+
+	/* If there is any byte alignment, it will be stored in wbuf.offset. */
+	p = &(s->s3->wbuf.buf[
+			fixture.return_payload_offset + s->s3->wbuf.offset]);
+	actual_payload_len = 0;
+	n2s(p, actual_payload_len);
+
+	if (actual_payload_len != fixture.expected_payload_len)
+		{
+		printf("%s failed:\n  expected payload len: %d\n  received: %d\n",
+					 fixture.test_case_name, fixture.expected_payload_len,
+					 actual_payload_len);
+		print_payload("sent", sent_buf, strlen((const char*)sent_buf));
+		print_payload("received", p, actual_payload_len);
+		result = 1;
+		}
+	else
+		{
+		char* actual_payload = BUF_strndup((const char*)p, actual_payload_len);
+		if (strcmp(actual_payload, fixture.expected_return_payload) != 0)
+			{
+			printf("%s failed:\n  expected payload: \"%s\"\n  received: \"%s\"\n",
+						 fixture.test_case_name, fixture.expected_return_payload,
+						 actual_payload);
+			result = 1;
+			}
+		OPENSSL_free(actual_payload);
+		}
+
+	if (result != 0)
+		{
+		printf("** %s failed **\n--------\n", fixture.test_case_name);
+		}
+	return result;
+	}
+
+static int honest_payload_size(unsigned char payload_buf[])
+	{
+	/* Omit three-byte pad at the beginning for type and payload length */
+	return strlen((const char*)&payload_buf[3]) - MIN_PADDING_SIZE;
+	}
+
+#define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
+	HEARTBEAT_TEST_FIXTURE fixture = set_up_##type(__func__);\
+	int result = 0
+
+#define EXECUTE_HEARTBEAT_TEST()\
+	if (execute_heartbeat(fixture) != 0) result = 1;\
+	tear_down(fixture);\
+	return result
+
+static int test_dtls1_not_bleeding()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
+		"                ";
+	const int payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_not_bleeding_empty_payload()
+	{
+	int payload_buf_len;
+
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length, plus a NUL
+	 * at the end */
+	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+	payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   HEARTBLEED                ";
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed_empty_payload()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Excluding the NUL at the end, one byte short of type + payload length +
+	 * minimum padding */
+	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_dtls1_heartbleed_excessive_plaintext_length()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(dtls);
+	/* Excluding the NUL at the end, one byte in excess of maximum allowed
+	 * heartbeat message length */
+	unsigned char payload_buf[SSL3_RT_MAX_PLAIN_LENGTH + 2];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = honest_payload_size(payload_buf);
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_not_bleeding()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   Not bleeding, sixteen spaces of padding"
+					"                ";
+	const int payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "Not bleeding, sixteen spaces of padding";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_not_bleeding_empty_payload()
+	{
+	int payload_buf_len;
+
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length, plus a NUL
+	 * at the end */
+	unsigned char payload_buf[4 + MIN_PADDING_SIZE];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+	payload_buf_len = honest_payload_size(payload_buf);
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = payload_buf_len;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = payload_buf_len;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_heartbleed()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Three-byte pad at the beginning for type and payload length */
+	unsigned char payload_buf[] = "   HEARTBLEED                ";
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+static int test_tls1_heartbleed_empty_payload()
+	{
+	SETUP_HEARTBEAT_TEST_FIXTURE(tls);
+	/* Excluding the NUL at the end, one byte short of type + payload length +
+	 * minimum padding */
+	unsigned char payload_buf[MIN_PADDING_SIZE + 3];
+	memset(payload_buf, ' ', sizeof(payload_buf));
+	payload_buf[sizeof(payload_buf) - 1] = '\0';
+
+	fixture.payload = &payload_buf[0];
+	fixture.sent_payload_len = MAX_PRINTABLE_CHARACTERS;
+	fixture.expected_return_value = 0;
+	fixture.expected_payload_len = 0;
+	fixture.expected_return_payload = "";
+	EXECUTE_HEARTBEAT_TEST();
+	}
+
+#undef EXECUTE_HEARTBEAT_TEST
+#undef SETUP_HEARTBEAT_TEST_FIXTURE
+
+int main(int argc, char *argv[])
+	{
+	int num_failed;
+
+	SSL_library_init();
+	SSL_load_error_strings();
+
+	num_failed = test_dtls1_not_bleeding() +
+	    test_dtls1_not_bleeding_empty_payload() +
+	    test_dtls1_heartbleed() +
+	    test_dtls1_heartbleed_empty_payload() +
+	    /* The following test causes an assertion failure at
+	     * ssl/d1_pkt.c:dtls1_write_bytes() in versions prior to 1.0.1g: */
+	    (OPENSSL_VERSION_NUMBER >= 0x1000107fL ?
+	     test_dtls1_heartbleed_excessive_plaintext_length() : 0) +
+	    test_tls1_not_bleeding() +
+	    test_tls1_not_bleeding_empty_payload() +
+	    test_tls1_heartbleed() +
+	    test_tls1_heartbleed_empty_payload() +
+	    0;
+
+	BIO_print_errors_fp(stderr);
+
+	if (num_failed != 0)
+		{
+		printf("%d test%s failed\n", num_failed, num_failed != 1 ? "s" : "");
+		return EXIT_FAILURE;
+		}
+
+        printf("PASS\n");
+	return EXIT_SUCCESS;
+	}
diff --git a/util/all_tests.sh b/util/all_tests.sh
index 6932a51..8b3ed23 100644
--- a/util/all_tests.sh
+++ b/util/all_tests.sh
@@ -22,6 +22,7 @@
 ./crypto/x509v3/tab_test
 ./crypto/x509v3/v3name_test
 ./crypto/bytestring/bytestring_test
+./ssl/heartbeat_test
 "
 
 IFS=$'\n'