]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_ssl/regressions/ssl-44-crashes.c
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-57740.20.22.tar.gz
[apple/security.git] / OSX / libsecurity_ssl / regressions / ssl-44-crashes.c
1 /*
2 * Copyright (c) 2012-2015 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25
26 #include <stdbool.h>
27 #include <pthread.h>
28 #include <fcntl.h>
29 #include <sys/mman.h>
30 #include <unistd.h>
31
32 #include <CoreFoundation/CoreFoundation.h>
33
34 #include <AssertMacros.h>
35 #include <Security/SecureTransportPriv.h> /* SSLSetOption */
36 #include <Security/SecureTransport.h>
37 #include <Security/SecPolicy.h>
38 #include <Security/SecTrust.h>
39 #include <Security/SecIdentity.h>
40 #include <Security/SecIdentityPriv.h>
41 #include <Security/SecCertificatePriv.h>
42 #include <Security/SecKeyPriv.h>
43 #include <Security/SecItem.h>
44 #include <Security/SecRandom.h>
45
46 #include <string.h>
47 #include <sys/types.h>
48 #include <sys/socket.h>
49 #include <errno.h>
50 #include <stdlib.h>
51 #include <mach/mach_time.h>
52
53 #if TARGET_OS_IPHONE
54 #include <Security/SecRSAKey.h>
55 #endif
56
57 #include "ssl_regressions.h"
58 #include "ssl-utils.h"
59
60
61 typedef struct {
62 SSLContextRef st;
63 bool is_server;
64 int comm;
65 CFArrayRef certs;
66 int test;
67 } ssl_test_handle;
68
69
70 #pragma mark -
71 #pragma mark SecureTransport support
72
73 #if 0
74 static void hexdump(const char *s, const uint8_t *bytes, size_t len) {
75 size_t ix;
76 printf("socket %s(%p, %lu)\n", s, bytes, len);
77 for (ix = 0; ix < len; ++ix) {
78 if (!(ix % 16))
79 printf("\n");
80 printf("%02X ", bytes[ix]);
81 }
82 printf("\n");
83 }
84 #else
85 #define hexdump(string, bytes, len)
86 #endif
87
88 static OSStatus SocketWrite(SSLConnectionRef h, const void *data, size_t *length)
89 {
90 int conn = ((const ssl_test_handle *)h)->comm;
91 size_t len = *length;
92 uint8_t *ptr = (uint8_t *)data;
93
94 do {
95 ssize_t ret;
96 do {
97 hexdump("write", ptr, len);
98 ret = write((int)conn, ptr, len);
99 } while ((ret < 0) && (errno == EAGAIN || errno == EINTR));
100 if (ret > 0) {
101 len -= ret;
102 ptr += ret;
103 }
104 else
105 return -36;
106 } while (len > 0);
107
108 *length = *length - len;
109 return errSecSuccess;
110 }
111
112 static int changepad=0;
113
114 static OSStatus SocketRead(SSLConnectionRef h, void *data, size_t *length)
115 {
116 const ssl_test_handle *handle=h;
117 int conn = handle->comm;
118 size_t len = *length;
119 uint8_t *ptr = (uint8_t *)data;
120
121
122 do {
123 ssize_t ret;
124 do {
125 ret = read((int)conn, ptr, len);
126 } while ((ret < 0) && (errno == EAGAIN || errno == EINTR));
127 if (ret > 0) {
128 len -= ret;
129 ptr += ret;
130 }
131 else
132 return -36;
133 } while (len > 0);
134
135 if(len!=0)
136 printf("Something went wrong here... len=%d\n", (int)len);
137
138 *length = *length - len;
139
140 ptr=data;
141
142 /* change pad in the data */
143 if(changepad==1) {
144 changepad=0;
145 ptr[31]=ptr[31]^0x08^0xff; // expected padding was 8, changing it to 0xff to trigger integer underflow.
146 }
147
148 /* We are reading the server cert */
149 if((ptr[0]==0x0b) && (handle->test==3)) {
150 #if 1 // cert length for TARGET_OS_IPHONE
151 size_t expected_len = 631;
152 #else
153 size_t expected_len = 500;
154 #endif
155 if(*length!=expected_len) {
156 fprintf(stderr, "Expected cert length %ld, got %ld... test might fail\n",
157 (long)expected_len, (long)*length);
158 }
159 ptr[0x16] = 0x4; // version = 4 certificate should cause error, but not crash .
160 }
161
162 /* We are reading a data application header */
163 if(*length==5 && ptr[0]==0x17) {
164 switch(handle->test) {
165 case 0:
166 ptr[4]=32; // reduce the size to 2 blocks and trigger integer underflow.
167 break;
168 case 1:
169 ptr[4]=48; // reduce the size to 3 blocks and triggering integer underflow in the padding.
170 break;
171 case 2:
172 changepad=1;
173 break;
174 default:
175 break;
176 }
177 }
178
179
180 return errSecSuccess;
181 }
182
183
184
185 static void *securetransport_ssl_thread(void *arg)
186 {
187 OSStatus ortn;
188 ssl_test_handle * ssl = (ssl_test_handle *)arg;
189 SSLContextRef ctx = ssl->st;
190 bool got_server_auth = false;
191
192 //uint64_t start = mach_absolute_time();
193 do {
194 ortn = SSLHandshake(ctx);
195
196 if (ortn == errSSLServerAuthCompleted)
197 {
198 require_string(!got_server_auth, out, "second server auth");
199 got_server_auth = true;
200 }
201 } while (ortn == errSSLWouldBlock
202 || ortn == errSSLServerAuthCompleted);
203
204 require_noerr_quiet(ortn, out);
205
206 unsigned char ibuf[8], obuf[8];
207 size_t len;
208 if (ssl->is_server) {
209 require_action_quiet(errSecSuccess==SecRandomCopyBytes(kSecRandomDefault, sizeof(obuf), obuf), out, ortn = -1);
210 require_noerr_quiet(ortn = SSLWrite(ctx, obuf, sizeof(obuf), &len), out);
211 require_action_quiet(len == sizeof(obuf), out, ortn = -1);
212 } else {
213 require_noerr_quiet(ortn = SSLRead(ctx, ibuf, sizeof(ibuf), &len), out);
214 require_action_quiet(len == sizeof(ibuf), out, ortn = -1);
215 }
216
217 out:
218 SSLClose(ctx);
219 CFRelease(ctx);
220 close(ssl->comm);
221 pthread_exit((void *)(intptr_t)ortn);
222 return NULL;
223 }
224
225
226 static ssl_test_handle *
227 ssl_test_handle_create(bool server, int comm, CFArrayRef certs)
228 {
229 ssl_test_handle *handle = calloc(1, sizeof(ssl_test_handle));
230 SSLContextRef ctx = SSLCreateContext(kCFAllocatorDefault, server?kSSLServerSide:kSSLClientSide, kSSLStreamType);
231
232 require(handle, out);
233 require(ctx, out);
234
235 require_noerr(SSLSetIOFuncs(ctx,
236 (SSLReadFunc)SocketRead, (SSLWriteFunc)SocketWrite), out);
237 require_noerr(SSLSetConnection(ctx, (SSLConnectionRef)handle), out);
238
239 if (server)
240 require_noerr(SSLSetCertificate(ctx, certs), out);
241
242 require_noerr(SSLSetSessionOption(ctx,
243 kSSLSessionOptionBreakOnServerAuth, true), out);
244
245 /* Tell SecureTransport to not check certs itself: it will break out of the
246 handshake to let us take care of it instead. */
247 require_noerr(SSLSetEnableCertVerify(ctx, false), out);
248
249 handle->is_server = server;
250 handle->comm = comm;
251 handle->certs = certs;
252 handle->st = ctx;
253
254 return handle;
255
256 out:
257 if (handle) free(handle);
258 if (ctx) CFRelease(ctx);
259 return NULL;
260 }
261
262 static void
263 tests(void)
264 {
265 pthread_t client_thread, server_thread;
266 CFArrayRef server_certs = server_chain();
267 ok(server_certs, "got server certs");
268
269 int i;
270
271 for(i=0; i<4; i++)
272 {
273 int sp[2];
274 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp)) exit(errno);
275 fcntl(sp[0], F_SETNOSIGPIPE, 1);
276 fcntl(sp[1], F_SETNOSIGPIPE, 1);
277
278 ssl_test_handle *server, *client;
279
280 server = ssl_test_handle_create(true /*server*/, sp[0], server_certs);
281 client = ssl_test_handle_create(false/*client*/, sp[1], NULL);
282
283 server->test=i;
284 client->test=i;
285
286 require(client, out);
287 require(server, out);
288
289 SSLCipherSuite cipher = TLS_RSA_WITH_AES_128_CBC_SHA256;
290 require_noerr(SSLSetEnabledCiphers(client->st, &cipher, 1), out);
291
292 pthread_create(&client_thread, NULL, securetransport_ssl_thread, client);
293 pthread_create(&server_thread, NULL, securetransport_ssl_thread, server);
294
295 int server_err, client_err;
296 pthread_join(client_thread, (void*)&client_err);
297 pthread_join(server_thread, (void*)&server_err);
298
299 ok(server_err==((i==3)?errSSLPeerCertUnknown:0), "Server error = %d (i=%d)", server_err, i);
300 /* tests 0/1 should cause errSSLClosedAbort, 2 should cause errSSLBadRecordMac, 3 should cause errSSLXCertChainInvalid */
301 ok(client_err==((i==3)?errSSLXCertChainInvalid:(i==2)?errSSLBadRecordMac:errSSLClosedAbort), "Client error = %d (i=%d)", client_err, i);
302
303 out:
304 free(client);
305 free(server);
306
307 }
308 CFReleaseNull(server_certs);
309 }
310
311 int ssl_44_crashes(int argc, char *const *argv)
312 {
313
314 plan_tests(4*2 + 1 /*cert*/);
315
316
317 tests();
318
319 return 0;
320 }
mirror of Security