Este es uno de los trabajos que tuve que hacer para la universidad; la materia fue la peor y la menos interesante. Yo creo que lo único rescatable fue este trabajo. Queen’s University Belfast. Software assurance. Lab 2
Heartbleed.c
/**********************************************************************/ /* ELE8094 SwA Assessed Practical 2 2016 */ /* */ /* OpenSSL heartleed bug */ /* */ /* */ /* Insert Name: Ricardo Sanchez */ /* Insert Student Number: 40183863 */ /* */ /**********************************************************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #define TLS1_HB_REQUEST 0x01 #define TLS1_HB_RESPONSE 0x02 #define TLS1_RT_HEARTBEAT 0x18 #define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \ (((unsigned int)(c[1])) )),c+=2) #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ c[1]=(unsigned char)(((s) )&0xff)),c+=2) typedef struct ssl3_record_st { unsigned char *data; /* pointer to the record data */ unsigned int length; } SSL3_RECORD; typedef struct ssl3_state_st { SSL3_RECORD rrec; /* each decoded record goes in here */ } SSL3_STATE; typedef struct ssl_st { struct ssl3_state_st *s3; }SSL; int tls1_process_heartbeat(SSL *s); int RAND_pseudo_bytes(unsigned char *buf, int num); int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len); int main() { unsigned char ssl_s3_rrec_data[] = {0x01,0x00,0xFF,0xAA}; SSL3_RECORD RIC1; RIC1.data = ssl_s3_rrec_data; RIC1.length = sizeof(ssl_s3_rrec_data); SSL3_STATE RIC2; RIC2.rrec = RIC1; SSL RIC3; RIC3.s3= &RIC2; int r=tls1_process_heartbeat(&RIC3); printf("%d\n",r); /* ELE8094: write code to call into the tls1_process_heartbeat and print your output */ /* ELE8094: fix the memcpy bug and print your output demonstrating that the message buffer overflow cannot occur */ return 0; } int tls1_process_heartbeat(SSL *s) { unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned short hbtype; unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p; /* ELE8094: callback removed */ if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; int r; /* Allocate memory for the response, size is 1 bytes * 
message type, plus 2 bytes payload length, plus * payload, plus padding */ /*ELE8094: standard malloc used */ buffer = malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); bp += payload; /* ELE8094: stubbed function to be completed below */ RAND_pseudo_bytes(bp, padding); /* ELE8094: stubbed function to be completed below */ r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); /* ELE8094: callback removed */ /* ELE8094: standard free used */ free(buffer); if (r < 0) return r; } else if (hbtype == TLS1_HB_RESPONSE) { /* ELE8094 : this part of code not needed so removed */ } return 0; } int RAND_pseudo_bytes(unsigned char *buf, int num) { /* write a piece of code that calls to "/dev/urandom" to grab some random data and return that random data */ FILE *fin; fin = fopen("/dev/urandom", "r"); fread(buf,1,num,fin); fclose(fin); //printf("%s",buf); return 0; }
heartbleed_fixed.c
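/**********************************************************************/
/* ELE8094 SwA Assessed Practical 2 2016                              */
/*                                                                    */
/* OpenSSL Heartbleed bug                                             */
/*                                                                    */
/*                                                                    */
/* Insert Name: Ricardo Sanchez                                       */
/* Insert Student Number: 40183863                                    */
/*                                                                    */
/**********************************************************************/

/*
 * Patched lab version: the heartbeat handler validates the record length
 * before it parses the header and again before it copies the payload.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST   0x01
#define TLS1_HB_RESPONSE  0x02
#define TLS1_RT_HEARTBEAT 0x18

/* n2s: load a 16-bit big-endian value from c[0..1] into s, then advance c by 2. */
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
                    (((unsigned int)(c[1]))    )),c+=2)
/* s2n: store the low 16 bits of s big-endian into c[0..1], then advance c by 2. */
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
                  c[1]=(unsigned char)(((s)    )&0xff)),c+=2)

typedef struct ssl3_record_st
{
    unsigned char *data;    /* pointer to the record data */
    unsigned int length;    /* number of bytes actually present at data */
} SSL3_RECORD;

typedef struct ssl3_state_st
{
    SSL3_RECORD rrec;       /* each decoded record goes in here */
} SSL3_STATE;

typedef struct ssl_st
{
    struct ssl3_state_st *s3;
} SSL;

int tls1_process_heartbeat(SSL *s);
int RAND_pseudo_bytes(unsigned char *buf, int num);
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len);

/*
 * Lab driver: feeds one hand-built heartbeat record to the handler and
 * prints its return value.
 */
int main(void)
{
    /*
     * Hand-built record: type 0x01 (request), length field 0x00FF (255),
     * one payload byte 0xAA. The record is only 4 bytes long, so the
     * handler must discard it: no response bytes are printed, only "0".
     */
    unsigned char ssl_s3_rrec_data[] = {0x01, 0x00, 0xFF, 0xAA};
    SSL3_RECORD RIC1;
    SSL3_STATE RIC2;
    SSL RIC3;
    int r;

    RIC1.data = ssl_s3_rrec_data;
    RIC1.length = sizeof(ssl_s3_rrec_data);
    RIC2.rrec = RIC1;
    RIC3.s3 = &RIC2;

    /* ELE8094: write code to call into the tls1_process_heartbeat and print your output */
    /* ELE8094: fix the memcpy bug and print your output demonstrating that the message buffer overflow cannot occur */
    r = tls1_process_heartbeat(&RIC3);
    printf("%d\n", r);
    return 0;
}

/*
 * Process the heartbeat message held in s->s3->rrec.
 *
 * For a request, builds a response (type, 16-bit length, echoed payload,
 * 16 bytes of random padding) and passes it to ssl3_write_bytes().
 *
 * Returns 0 when the message was handled or silently discarded, the
 * negative value from ssl3_write_bytes() if writing failed, and -1 if the
 * response buffer or its padding could not be produced.
 */
int tls1_process_heartbeat(SSL *s)
{
    unsigned char *p, *pl;
    unsigned short hbtype;
    unsigned int payload;
    unsigned int padding = 16; /* Use minimum padding */

    if (s == NULL || s->s3 == NULL || s->s3->rrec.data == NULL)
        return 0;

    /*
     * The record must hold at least the type byte, the two length bytes
     * and the minimum padding before any of them is read; otherwise
     * reading the header is itself an out-of-bounds read.
     */
    if (1 + 2 + padding > s->s3->rrec.length)
        return 0; /* silently discard */

    /* Read type and payload length first */
    p = &s->s3->rrec.data[0];
    hbtype = *p++;
    n2s(p, payload);

    /*
     * payload is sender-controlled (0..65535); it is only trusted once it
     * fits inside the bytes that were actually received.
     */
    if (1 + 2 + payload + padding > s->s3->rrec.length)
        return 0; /* silently discard per RFC 6520 sec. 4 */
    pl = p;

    /* ELE8094: callback removed */

    if (hbtype == TLS1_HB_REQUEST)
    {
        unsigned char *buffer, *bp;
        int r;

        /* Allocate memory for the response, size is 1 byte
         * message type, plus 2 bytes payload length, plus
         * payload, plus padding
         */
        /* ELE8094: standard malloc used */
        buffer = malloc(1 + 2 + payload + padding);
        if (buffer == NULL)
            return -1;
        bp = buffer;

        /* Enter response type, length and copy payload */
        *bp++ = TLS1_HB_RESPONSE;
        s2n(payload, bp);
        memcpy(bp, pl, payload);
        bp += payload;

        /*
         * If the padding cannot be filled, those bytes would still hold
         * whatever malloc() returned; drop the response rather than send
         * uninitialised heap memory.
         */
        if (RAND_pseudo_bytes(bp, (int)padding) < 0)
        {
            free(buffer);
            return -1;
        }

        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

        /* ELE8094: callback removed */

        /* ELE8094: standard free used */
        free(buffer);

        if (r < 0)
            return r;
    }
    else if (hbtype == TLS1_HB_RESPONSE)
    {
        /* ELE8094 : this part of code not needed so removed */
    }

    return 0;
}

/*
 * Lab stub: fill buf with num bytes read from /dev/urandom.
 *
 * Returns 0 when all num bytes were written (or num is 0), and -1 when
 * buf is NULL, num is negative, the device cannot be opened or the read
 * comes up short.
 */
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
    FILE *fin;
    size_t got;

    if (buf == NULL || num < 0)
        return -1;
    if (num == 0)
        return 0;

    fin = fopen("/dev/urandom", "r");
    if (fin == NULL)
        return -1;

    got = fread(buf, 1, (size_t)num, fin);
    fclose(fin);

    return got == (size_t)num ? 0 : -1;
}

/*
 * Lab stub: print len bytes of buf_ to stdout as lowercase hex.
 * s and type are unused here. Returns 0, or -1 when buf_ is NULL while
 * len is positive.
 */
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
{
    const unsigned char *buf = buf_;

    (void)s;
    (void)type;

    if (buf == NULL && len > 0)
        return -1;

    for (int i = 0; i < len; i++)
        printf("%02x", buf[i]);

    return 0;
}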
Aquí está el PDF del trabajo.