Este es uno de los trabajos que tuve que hacer para la universidad, la materia fue la peor y menos interesante. Yo creo que lo único rescatable fue este trabajo. Queen’s University Belfas. Software assurance. Lab 2
Heartbleed.c
/**********************************************************************/
/* ELE8094 SwA Assessed Practical 2 2016 */
/* */
/* OpenSSL heartleed bug */
/* */
/* */
/* Insert Name: Ricardo Sanchez */
/* Insert Student Number: 40183863 */
/* */
/**********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TLS1_HB_REQUEST 0x01
#define TLS1_HB_RESPONSE 0x02
#define TLS1_RT_HEARTBEAT 0x18
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
(((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
typedef struct ssl3_record_st
{
unsigned char *data; /* pointer to the record data */
unsigned int length;
} SSL3_RECORD;
typedef struct ssl3_state_st
{
SSL3_RECORD rrec; /* each decoded record goes in here */
} SSL3_STATE;
typedef struct ssl_st
{
struct ssl3_state_st *s3;
}SSL;
int tls1_process_heartbeat(SSL *s);
int RAND_pseudo_bytes(unsigned char *buf, int num);
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len);
int main()
{
unsigned char ssl_s3_rrec_data[] = {0x01,0x00,0xFF,0xAA};
SSL3_RECORD RIC1;
RIC1.data = ssl_s3_rrec_data;
RIC1.length = sizeof(ssl_s3_rrec_data);
SSL3_STATE RIC2;
RIC2.rrec = RIC1;
SSL RIC3;
RIC3.s3= &RIC2;
int r=tls1_process_heartbeat(&RIC3);
printf("%d\n",r);
/* ELE8094: write code to call into the tls1_process_heartbeat
and print your output */
/* ELE8094: fix the memcpy bug and print your output demonstrating
that the message buffer overflow cannot occur */
return 0;
}
int tls1_process_heartbeat(SSL *s)
{
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
/* ELE8094: callback removed */
if (hbtype == TLS1_HB_REQUEST)
{
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 bytes
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
/*ELE8094: standard malloc used */
buffer = malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
bp += payload;
/* ELE8094: stubbed function to be completed below */
RAND_pseudo_bytes(bp, padding);
/* ELE8094: stubbed function to be completed below */
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
/* ELE8094: callback removed */
/* ELE8094: standard free used */
free(buffer);
if (r < 0)
return r;
}
else if (hbtype == TLS1_HB_RESPONSE)
{
/* ELE8094 : this part of code not needed so removed */
}
return 0;
}
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
/* write a piece of code that calls to
"/dev/urandom" to grab some random data
and return that random data */
FILE *fin;
fin = fopen("/dev/urandom", "r");
fread(buf,1,num,fin);
fclose(fin);
//printf("%s",buf);
return 0;
}
heartbleed_fixed.c
/**********************************************************************/
/* ELE8094 SwA Assessed Practical 2 2016 */
/* */
/* OpenSSL heartleed bug */
/* */
/* */
/* Insert Name: Ricardo Sanchez */
/* Insert Student Number: 40183863 */
/* */
/**********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TLS1_HB_REQUEST 0x01
#define TLS1_HB_RESPONSE 0x02
#define TLS1_RT_HEARTBEAT 0x18
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
(((unsigned int)(c[1])) )),c+=2)
#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
typedef struct ssl3_record_st
{
unsigned char *data; /* pointer to the record data */
unsigned int length;
} SSL3_RECORD;
typedef struct ssl3_state_st
{
SSL3_RECORD rrec; /* each decoded record goes in here */
} SSL3_STATE;
typedef struct ssl_st
{
struct ssl3_state_st *s3;
}SSL;
int tls1_process_heartbeat(SSL *s);
int RAND_pseudo_bytes(unsigned char *buf, int num);
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len);
int main()
{
unsigned char ssl_s3_rrec_data[] = {0x01,0x00,0xFF,0xAA};
SSL3_RECORD RIC1;
RIC1.data = ssl_s3_rrec_data;
RIC1.length = sizeof(ssl_s3_rrec_data);
SSL3_STATE RIC2;
RIC2.rrec = RIC1;
SSL RIC3;
RIC3.s3= &RIC2;
int r=tls1_process_heartbeat(&RIC3);
printf("%d\n",r);
/* ELE8094: write code to call into the tls1_process_heartbeat
and print your output */
/* ELE8094: fix the memcpy bug and print your output demonstrating
that the message buffer overflow cannot occur */
return 0;
}
int tls1_process_heartbeat(SSL *s)
{
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
/* ELE8094: callback removed */
if (hbtype == TLS1_HB_REQUEST)
{
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 bytes
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
/*ELE8094: standard malloc used */
buffer = malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
bp += payload;
/* ELE8094: stubbed function to be completed below */
RAND_pseudo_bytes(bp, padding);
/* ELE8094: stubbed function to be completed below */
r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
/* ELE8094: callback removed */
/* ELE8094: standard free used */
free(buffer);
if (r < 0)
return r;
}
else if (hbtype == TLS1_HB_RESPONSE)
{
/* ELE8094 : this part of code not needed so removed */
}
return 0;
}
int RAND_pseudo_bytes(unsigned char *buf, int num)
{
/* write a piece of code that calls to
"/dev/urandom" to grab some random data
and return that random data */
FILE *fin;
fin = fopen("/dev/urandom", "r");
fread(buf,1,num,fin);
fclose(fin);
//printf("%s",buf);
return 0;
}
int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
{
//dont use s or type, they are redundant
const unsigned char *buf;
buf = buf_;
//fwrite(buf,1,len,stdout);
// fwrite(buf_,1,len,stdout);
for(int i = 0; i< len; i++){
// fwrite(buf_,1,len,stdout);
printf("%02x",*buf);
buf++;
}
/* write a function to print your buffer to stdout */
return 0;
}
Aquí esta el pdf del trabajo.
