Este es uno de los trabajos que tuve que hacer para la universidad; la materia fue la peor y la menos interesante. Yo creo que lo único rescatable fue este trabajo. Queen’s University Belfast. Software Assurance. Lab 2

Heartbleed.c

/**********************************************************************/ 
/*        ELE8094 SwA Assessed Practical 2 2016                       */
/*                                                                    */
/* OpenSSL heartbleed bug                                             */
/*                                                                    */
/*                                                                    */
/* Insert Name: Ricardo Sanchez                                       */
/* Insert Student Number: 40183863                                    */
/*                                                                    */
/**********************************************************************/  

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat message types: the first byte of a heartbeat message. */
#define TLS1_HB_REQUEST         0x01
#define TLS1_HB_RESPONSE        0x02
/* Record type value handed to ssl3_write_bytes() when a heartbeat reply is sent. */
#define TLS1_RT_HEARTBEAT       0x18

/* n2s: read a big-endian 16-bit value from c[0] and c[1] into s, then
 * advance c by two bytes. No bounds check is performed here, so the caller
 * must already know that two bytes are readable at c. */
#define n2s(c,s)        ((s=(((unsigned int)(c[0]))<< 8)| \
                            (((unsigned int)(c[1]))    )),c+=2)
/* s2n: store the low 16 bits of s at c[0] and c[1] in big-endian order,
 * then advance c by two bytes. The caller must have room for two bytes. */
#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)

/* One received record. `length` is the number of bytes actually available
 * at `data` (main() sets it with sizeof). Any length field found inside
 * `data` is peer-supplied and has to be validated against `length`;
 * tls1_process_heartbeat() in this listing never reads `length`. */
typedef struct ssl3_record_st
{
  unsigned char *data;    /* pointer to the record data */
  unsigned int length;
} SSL3_RECORD;

/* Cut-down SSLv3 state: only the current received record is kept. */
typedef struct ssl3_state_st
{
  SSL3_RECORD rrec; /* each decoded record goes in here */
} SSL3_STATE;

/* Cut-down connection object: only a pointer to the SSLv3 state. */
typedef struct ssl_st
{
 struct ssl3_state_st *s3;
}SSL;

int tls1_process_heartbeat(SSL *s);
int RAND_pseudo_bytes(unsigned char *buf, int num);
/* NOTE(review): no definition of ssl3_write_bytes appears in this listing;
 * heartbleed_fixed.c below contains one. Confirm how Heartbleed.c is linked. */
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len);

/*
 * Demo driver: wraps one hand-built heartbeat record in the SSL structures,
 * hands it to tls1_process_heartbeat() and prints the return code.
 */
int main()
{
  /* Record bytes: type 0x01 (request), declared payload length 0x00FF
   * (255), then a single real payload byte, 0xAA. The declared length is
   * therefore far larger than what the record actually carries. */
  unsigned char ssl_s3_rrec_data[] = {0x01,0x00,0xFF,0xAA};
  SSL3_RECORD record;
  SSL3_STATE state;
  SSL conn;
  int rc;

  /* length is the true size of the record: 4 bytes. */
  record.length = sizeof(ssl_s3_rrec_data);
  record.data = ssl_s3_rrec_data;

  state.rrec = record;
  conn.s3 = &state;

  rc = tls1_process_heartbeat(&conn);
  printf("%d\n", rc);

  return 0;
}


/*
 * Process the heartbeat message held in s->s3->rrec and, for a request,
 * build and send the response (type, length, echoed payload, padding).
 *
 * This is the unpatched logic, kept as the "before" half of the exercise.
 * The payload length is taken from the message itself and is never compared
 * with s->s3->rrec.length, so the memcpy below can read past the end of the
 * received record and place those bytes in the response.
 * Mitigation: discard the message when 1 + 2 + payload + padding exceeds
 * rrec.length, before the payload is used.
 *
 * Returns 0, or the negative value returned by ssl3_write_bytes().
 */
int tls1_process_heartbeat(SSL *s)
{

  unsigned char *p = &s->s3->rrec.data[0], *pl;
  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */

  /* Read type and payload length first */
  /* Three bytes are read here without checking that rrec.length >= 3. */
  hbtype = *p++;
  /* payload is the 16-bit length declared by the sender (0..65535). */
  n2s(p, payload);
  /* pl marks the start of the payload bytes inside the record. */
  pl = p;

  /* ELE8094: callback removed */    

  if (hbtype == TLS1_HB_REQUEST)
  {
    unsigned char *buffer, *bp;
    int r;

    /* Allocate memory for the response, size is 1 bytes
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding
     */

    /*ELE8094: standard malloc used */
    /* The malloc result is not checked; a NULL return is dereferenced below. */
    buffer = malloc(1 + 2 + payload + padding);
    bp = buffer;

    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    /* Out-of-bounds read: `payload` bytes are copied from pl no matter how
     * many bytes the record really holds. With the record built in main()
     * (declared length 255, one real payload byte) 254 bytes beyond the
     * 4-byte array are copied into the response. */
    memcpy(bp, pl, payload);
    bp += payload;

    /* ELE8094: stubbed function to be completed below */
    /* Fills the 16 padding bytes; the return value is ignored. */
    RAND_pseudo_bytes(bp, padding);

    /* ELE8094: stubbed function to be completed below */
    /* Sends the whole response, including whatever memcpy copied above. */
    r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

    /* ELE8094: callback removed */

    /* ELE8094: standard free used */
    free(buffer);

    if (r < 0)
      return r;
  }
  else if (hbtype == TLS1_HB_RESPONSE)
  {
    /* ELE8094 : this part of code not needed so removed */
  }
  return 0;
}

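/*
 * Fill buf with num bytes read from /dev/urandom.
 *
 * buf: destination, must have room for num bytes.
 * num: number of bytes wanted; a negative value is rejected because it
 *      would turn into a huge size_t in the fread call.
 *
 * Returns 0 when num bytes were written (or num is 0), as this lab stub did
 * before. Returns -1 when buf is NULL, num is negative, the device cannot
 * be opened, or fewer than num bytes were read. On an I/O failure the
 * buffer is zero-filled, so a caller that ignores the return value does not
 * go on to transmit uninitialized memory as padding.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
  FILE *fin;
  size_t want;
  size_t got;

  if (buf == NULL || num < 0)
    return -1;
  if (num == 0)
    return 0;

  want = (size_t)num;

  /* Binary mode: the data is raw bytes, not text. */
  fin = fopen("/dev/urandom", "rb");
  if (fin == NULL)
  {
    memset(buf, 0, want);
    return -1;
  }

  got = fread(buf, 1, want, fin);
  fclose(fin);

  if (got != want)
  {
    /* Short read: do not leave a partly initialized buffer behind. */
    memset(buf, 0, want);
    return -1;
  }

  return 0;
}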

heartbleed_fixed.c

/**********************************************************************/ 
/*        ELE8094 SwA Assessed Practical 2 2016                       */
/*                                                                    */
/* OpenSSL heartbleed bug                                             */
/*                                                                    */
/*                                                                    */
/* Insert Name: Ricardo Sanchez                                       */
/* Insert Student Number: 40183863                                    */
/*                                                                    */
/**********************************************************************/  

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat message types, carried in the first byte of the message. */
#define TLS1_HB_REQUEST         0x01
#define TLS1_HB_RESPONSE        0x02
/* Record type value passed to ssl3_write_bytes() for a heartbeat reply. */
#define TLS1_RT_HEARTBEAT       0x18

/* n2s: load a big-endian 16-bit value from c[0] and c[1] into s and move c
 * forward by two bytes. The macro itself does no bounds checking. */
#define n2s(c,s)        ((s=(((unsigned int)(c[0]))<< 8)| \
                            (((unsigned int)(c[1]))    )),c+=2)
/* s2n: write the low 16 bits of s to c[0] and c[1], high byte first, and
 * move c forward by two bytes. The macro itself does no bounds checking. */
#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)

/* One received record. `length` is the number of bytes really present at
 * `data` (main() sets it with sizeof); it is the value the heartbeat
 * handler compares the declared payload length against. */
typedef struct ssl3_record_st
{
  unsigned char *data;    /* pointer to the record data */
  unsigned int length;
} SSL3_RECORD;

/* Cut-down SSLv3 state: only the current received record is kept. */
typedef struct ssl3_state_st
{
  SSL3_RECORD rrec; /* each decoded record goes in here */
} SSL3_STATE;

/* Cut-down connection object: only a pointer to the SSLv3 state. */
typedef struct ssl_st
{
 struct ssl3_state_st *s3;
}SSL;

int tls1_process_heartbeat(SSL *s);
int RAND_pseudo_bytes(unsigned char *buf, int num);
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len);

/*
 * Demo driver for the patched handler: feeds it the same malformed record
 * used with the unpatched version and prints the return code.
 */
int main()
{
  /* type 0x01 (request), declared payload length 0x00FF (255), one real
   * payload byte 0xAA. The record is only 4 bytes long, so the length
   * check in tls1_process_heartbeat() discards it and nothing is echoed. */
  unsigned char ssl_s3_rrec_data[] = {0x01,0x00,0xFF,0xAA};
  SSL3_RECORD rec;
  SSL3_STATE st;
  SSL ssl;
  int result;

  rec.data = ssl_s3_rrec_data;
  rec.length = sizeof(ssl_s3_rrec_data);  /* true record size */
  st.rrec = rec;
  ssl.s3 = &st;

  result = tls1_process_heartbeat(&ssl);
  printf("%d\n", result);

  return 0;
}


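/*
 * Process the heartbeat message held in s->s3->rrec and, for a request,
 * build and send the response (type, length, echoed payload, padding).
 *
 * Every length is validated against s->s3->rrec.length, the real size of
 * the received record, before the corresponding bytes are read:
 *   - the record must hold at least type + length + minimum padding before
 *     the 3-byte header is read;
 *   - the declared payload length must fit inside the record before the
 *     payload is copied.
 * Messages failing either check are silently discarded (RFC 6520 sec. 4).
 *
 * Returns 0 on success or when the message is discarded, -1 when the
 * response buffer cannot be allocated or the padding cannot be generated,
 * or the negative value returned by ssl3_write_bytes().
 */
int tls1_process_heartbeat(SSL *s)
{
  unsigned char *p = &s->s3->rrec.data[0], *pl;
  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */

  /* Too short to contain even an empty heartbeat: checking this first keeps
   * the three header reads below inside the record. */
  if (1 + 2 + padding > s->s3->rrec.length)
    return 0; /* silently discard */

  /* Read type and payload length first */
  hbtype = *p++;
  n2s(p, payload);

  /* payload is the sender's claim (at most 65535, so the sum cannot wrap);
   * it must fit in the bytes actually received. */
  if (1 + 2 + payload + padding > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */

  pl = p;

  /* ELE8094: callback removed */

  if (hbtype == TLS1_HB_REQUEST)
  {
    unsigned char *buffer, *bp;
    int r;

    /* Allocate memory for the response, size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding
     */
    buffer = malloc(1 + 2 + payload + padding);
    if (buffer == NULL)
      return -1;
    bp = buffer;

    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload); /* in bounds: checked against rrec.length above */
    bp += payload;

    /* Do not send a response whose padding could not be generated; the
     * padding bytes would otherwise be uninitialized heap memory. */
    if (RAND_pseudo_bytes(bp, padding) < 0)
    {
      free(buffer);
      return -1;
    }

    r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

    /* ELE8094: callback removed */

    free(buffer);

    if (r < 0)
      return r;
  }
  else if (hbtype == TLS1_HB_RESPONSE)
  {
    /* ELE8094 : this part of code not needed so removed */
  }
  return 0;
}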

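/*
 * Fill buf with num bytes read from /dev/urandom.
 *
 * buf: destination, must have room for num bytes.
 * num: number of bytes wanted; a negative value is rejected because it
 *      would turn into a huge size_t in the fread call.
 *
 * Returns 0 when num bytes were written (or num is 0), as this lab stub did
 * before. Returns -1 when buf is NULL, num is negative, the device cannot
 * be opened, or fewer than num bytes were read. On an I/O failure the
 * buffer is zero-filled, so a caller that ignores the return value does not
 * go on to transmit uninitialized memory as padding.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
  FILE *fin;
  size_t want;
  size_t got;

  if (buf == NULL || num < 0)
    return -1;
  if (num == 0)
    return 0;

  want = (size_t)num;

  /* Binary mode: the data is raw bytes, not text. */
  fin = fopen("/dev/urandom", "rb");
  if (fin == NULL)
  {
    memset(buf, 0, want);
    return -1;
  }

  got = fread(buf, 1, want, fin);
  fclose(fin);

  if (got != want)
  {
    /* Short read: do not leave a partly initialized buffer behind. */
    memset(buf, 0, want);
    return -1;
  }

  return 0;
}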
/*
 * Lab stand-in for the record-layer write: instead of sending anything,
 * dump the first len bytes of buf_ to stdout as two-digit lowercase hex,
 * with no separators and no trailing newline.
 *
 * s and type are kept only to match the prototype and are not used.
 * Nothing is printed when len is zero or negative. Always returns 0.
 */
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
{
  const unsigned char *bytes = buf_;
  int idx = 0;

  (void)s;
  (void)type;

  while (idx < len)
  {
    printf("%02x", bytes[idx]);
    idx++;
  }

  return 0;
}

Aquí está el PDF del trabajo.

SanchezRicardo_40183863_Lab2Corrected